Why Supply Chain Attacks and Breaches Continue to Grow Briskly

Posted on by Robert Ackerman

As we spring into the start of a new year, there is good news and bad news on the cybersecurity front. The good news is that sizable organizations will continue to spend liberally on technology, abundantly aware that cyber risks continue to increase every day.

According to Gartner, global cybersecurity spending will reach $172 billion in 2022, up from $155 billion in 2021 and $137 billion in 2020.

The bad news is what drives the good news. Cyberattacks and breaches keep evolving and keep creating major organizational headaches. That includes sharply rising supply chain attacks, arriving at a time when global supply chains already have their hands full with the pandemic-driven shortages of a huge range of goods.

Within the context of information security, a supply chain attack is not an attack on a company's conventional supply chain of physical goods. Rather, the term describes an attack on an organization's network that arrives by way of its vendors and partners: through the software they ship, the services they host, and the connected systems they operate. In other words, a third party such as a payment processor or a software vendor unwittingly sets the stage for a breach at its customers.

Supply chains bring customers the products they need at the right price, at the right time, and at the right place. Disruptions to the integrity of the supply chain—or even the privacy of the data it exchanges—can be extremely harmful.

Most IT supply chain attacks target smaller companies as an inroad to larger, more valuable targets, because it is tougher to break directly into large organizations with more robust security. The prize, if the attack succeeds, is a trusted path into a huge enterprise network, and perhaps into every other customer of the same supplier.

This is disheartening. It means that a company's security no longer depends solely on its own resilience. It also produces a cascading effect: one compromised supplier exposes every customer that does business with it, not just the one the attackers were after.

Other high-profile software supply chain attacks have followed it, but the most pernicious in recent years was the Russia-linked 2020 attack on Austin, Texas-based SolarWinds, the largest supply chain attack of the period.

SolarWinds develops software that businesses use to manage their networks, systems, and IT infrastructure. The attackers inserted a backdoor into a legitimate, signed update of its Orion network-management product, so the malicious code reached customers through the normal update channel. Roughly 18,000 customers installed the tainted update, and the attackers used that foothold to follow up against a smaller set of chosen targets, including multiple parts of the U.S. government.

There are ways to partially mitigate these and other episodes, but so far, supply chain incidents keep growing. According to BlueVoyant, a New York-based cybersecurity company, more than 80 percent of organizations have experienced a data breach in recent years as a result of security weaknesses in their supply chains. That figure is not all that surprising given another BlueVoyant finding from its research on sizable organizations: the typical big company has more than 1,000 vendors in its supplier ecosystem, each of which is a potential entry point.

Another issue is a newer type of software supply chain attack, one that targets open-source software itself, which increased a whopping 650 percent in 2021, according to Sonatype, a software analysis company that evaluates the security of corporate codebases. Historically, widely used open-source components have carried many known security vulnerabilities that attackers could exploit downstream. That exposure has eased somewhat as maintainers and the developers who consume their components work harder to patch, update, and track what they depend on.

Nonetheless, the threat keeps changing, which is why attempts to combat software supply chain attacks remain a work in progress. Cybercriminals who used to wait for a vulnerability to surface in a heavily used open-source component are becoming more proactive. In particular, they are infiltrating open-source projects and their package registries to seed them with compromised components, whether by taking over a maintainer account, contributing malicious changes, or publishing look-alike packages, and then pouncing once the tainted component is downloaded and built into victims' software.
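The practical defense against a seeded component is to refuse anything that does not match what was reviewed: pin each dependency to a cryptographic digest taken from a known-good copy, and reject downloads whose bytes differ or that were never pinned at all. The following is an added example written for this page, not code from the post or from any of the companies it mentions. The artifacts, package names and appended bytes are constructed sample data; the pinning step stands in for what `pip install --require-hashes`, `package-lock.json` integrity fields or `go.sum` do in real build pipelines.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample: the bytes of two package archives as published from a
# trusted build. In practice these would be the real .tar.gz / .whl files.
TRUSTED_ARTIFACTS: Dict[str, bytes] = {
    "example-lib": b"example-lib-1.4.0 trusted release contents",
    "example-util": b"example-util-2.0.1 trusted release contents",
}


def sha256_hex(data: bytes) -> str:
    """Return the lowercase hex SHA-256 digest of an artifact."""
    return hashlib.sha256(data).hexdigest()


def build_lockfile(artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Pin each component to the digest of bytes reviewed on a trusted host.

    This runs once, on known-good copies; it is the step a lockfile performs.
    A pin is only as good as the review behind it, so a component that was
    already malicious when pinned is not caught here.
    """
    return {name: sha256_hex(data) for name, data in artifacts.items()}


def verify_artifact(name: str, data: bytes, lockfile: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a freshly downloaded artifact may be installed.

    Returns (ok, reason). Unpinned names are refused outright: a component
    nobody reviewed is exactly what an upstream seeding attack delivers.
    """
    expected = lockfile.get(name)
    if expected is None:
        return False, "not pinned in lockfile"
    actual = sha256_hex(data)
    # Constant-time comparison; the digests are public but the habit is cheap.
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch: expected {expected[:12]}..., got {actual[:12]}..."
    return True, "digest matches pin"


def check_download_set(downloaded: Dict[str, bytes], lockfile: Dict[str, str]) -> List[str]:
    """Verify a whole download set and return the names that must be rejected."""
    rejected: List[str] = []
    for name, data in downloaded.items():
        ok, _reason = verify_artifact(name, data, lockfile)
        if not ok:
            rejected.append(name)
    return rejected


if __name__ == "__main__":
    lockfile = build_lockfile(TRUSTED_ARTIFACTS)
    # Constructed download set: one clean copy, one republished version with
    # bytes appended upstream, and one transitive dependency nobody pinned.
    downloaded = {
        "example-lib": TRUSTED_ARTIFACTS["example-lib"],
        "example-util": TRUSTED_ARTIFACTS["example-util"] + b"\n# appended upstream",
        "example-new-dep": b"a transitive dependency that appeared upstream",
    }
    for name in sorted(downloaded):
        ok, reason = verify_artifact(name, downloaded[name], lockfile)
        print(f"{name}: {'install' if ok else 'REJECT'} ({reason})")
    print("rejected:", check_download_set(downloaded, lockfile))
```

Two caveats a practitioner should keep in mind. First, a digest pin detects a component that changed after review; it does nothing against a component that was malicious when it was pinned, which is why the review and the pinning must happen on a trusted host rather than on whatever the build runner happens to download. Second, refusing unpinned names is what makes the check useful against a new transitive dependency that silently appears upstream, so the build should fail closed rather than install it with a warning.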

What Can Organizations Do to Help Stem Supply Chain Attacks?

Among other things, they can address the specific weaknesses that expose them, which will of course vary from one industry or company to another.

For instance, in the healthcare industry, one of the biggest victims of supply chain attacks, many hospital supply networks rely on a mix of automated and manual workflows to deliver COVID-19 vaccines to distribution points. Hospitals should minimize the manual steps. Every hand-entered record in the tracking and tracing of vaccine shipments is a point where data can be altered, which gives a bad actor more opportunities to redirect shipments, breach systems, and exfiltrate data. Manual processes are also prone to ordinary errors, and a process that already produces mistakes makes deliberate tampering harder to spot, which is itself an incentive for attackers to go after such a supply chain.

Other helpful mitigation steps include limiting the number of suppliers used; it is easier to manage, and to monitor, a smaller number of outside parties. Companies should also set a minimum cybersecurity standard for suppliers and write it into contracts. In doing so, they should use a recognized third-party standard rather than a home-grown checklist, so that every supplier is measured against the same set of rules and can reuse the evidence it already produces for other customers.

In addition, rights of access to data should be limited to the minimum level a user needs to perform their duties. The same rule applies to the accounts, API keys, and integrations that suppliers are given. Least privilege limits the damage one compromised account can do: a cybercriminal who takes over a narrowly scoped account cannot reach large datasets through it.

Last, organizations should take stock of the technology they already run. It turns out, for example, that many companies use several overlapping tools to manage endpoints such as PCs and laptops. Each extra agent and console is another vendor relationship, another set of privileged credentials, and another place where security controls conflict or fall out of date. The greater the sprawl, the faster those controls collide and decay. Heightened complexity is not good for security.

Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital

Protecting Data & the Supply Chain Ecosystem

cyberattacks data security intrusion prevention/detection supply chain

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
