Supply chain security became a headline-dominating cybersecurity topic when the SolarWinds attack occurred in 2020. It was on the radar of cyber professionals before, but this made it more mainstream, with hundreds of organizations impacted. So, what’s changed since then? What new trends are emerging? How can your cyber team get a leg up on hackers?
What Is Supply Chain Security?
Let’s start with the basics! Supply chain security refers to the steps taken to protect the software supply chain against vulnerabilities. It’s part risk management and part cybersecurity. The supply chain can be very long, depending on how many partners or providers have access to your data and systems. Businesses in almost every industry have a supply chain. It can get very complicated, especially for large enterprises. For those in the health care or financial fields, it’s even trickier, since there are layers of compliance on top.
No matter how complex or simple your ecosystem is, supply chain security should be a priority. However, some of this is outside your control, as you can’t make every vendor conform to your protocols. This potential clash is also an opportunity for communication and cooperation, but as you know, that’s not always easy with technical folks.
In fact, the absence of transparent and honest communication heightens the risk of a supply chain attack. It’s something you need to develop in your team and bring those expectations to your partners, which I’ll get into a bit later.
Next, let’s look at the current state of supply chain security and attacks.
What’s Happening in the Supply Chain Security World?
Has the cyber field taken a new look at supply chains in the wake of SolarWinds? NIST (the National Institute of Standards and Technology) published a guide on defending against supply chain attacks in 2021. In it, the organization defines the most common attacks: hijacking updates, undermining code signing, and compromising open-source code.
A key weakness behind supply chain attacks is that most third-party software requires privileged access and frequently communicates with the vendor’s network. Regarding how to strengthen security, NIST recommends:
- Integrating C-SCRM (Cyber Supply Chain Risk Management) across the enterprise and establishing a program for it
- Ensuring full visibility of a company’s supply chain
- Collaborating with stakeholders, internal and external
- Involving the key players in cyber resilience initiatives
- Monitoring supplier relationships continuously
- Applying the same policies for internal operations to suppliers
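The first two attack types NIST names, hijacking updates and undermining code signing, share one defensive gate: before an update is applied, verify that the manifest is signed by the vendor key you have pinned, that the artifact’s digest matches that signed manifest, and that the build is not a rollback. The following Go program is an added example written for this page, not code from NIST or from any vendor’s updater; the product name, build numbers and payload bytes are constructed, and the vendor signing step is included only so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a constructed example of the metadata a vendor would publish
// next to an update artifact: it pins the artifact's SHA-256 digest and a
// monotonically increasing build number.
type Manifest struct {
	Product string `json:"product"`
	Build   uint64 `json:"build"`
	SHA256  string `json:"sha256"`
}

// SignedManifest carries the serialised manifest and the vendor's Ed25519
// signature over exactly those bytes.
type SignedManifest struct {
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrDigestMismatch = errors.New("artifact digest does not match the signed manifest")
	ErrRollback       = errors.New("manifest build is not newer than the installed build")
)

// DigestHex returns the hex SHA-256 of an artifact; used on both sides.
func DigestHex(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// NewVendorKeys generates the vendor's signing key pair. In practice the
// public half is distributed out of band and pinned by the consumer.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignManifest is the vendor's release step: serialise and sign the manifest.
func SignManifest(priv ed25519.PrivateKey, m Manifest) SignedManifest {
	payload, err := json.Marshal(m)
	if err != nil {
		panic(err)
	}
	return SignedManifest{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyUpdate is the consumer's gate before an update is applied. Order
// matters: the signature is checked first so nothing in an unsigned or
// tampered manifest (including the digest) is trusted; then the artifact is
// bound to the manifest by digest; then rollback to an older build is refused.
func VerifyUpdate(pinnedKey ed25519.PublicKey, sm SignedManifest, artifact []byte, installedBuild uint64) (Manifest, error) {
	if !ed25519.Verify(pinnedKey, sm.Payload, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Payload, &m); err != nil {
		return Manifest{}, err
	}
	if DigestHex(artifact) != m.SHA256 {
		return Manifest{}, ErrDigestMismatch
	}
	if m.Build <= installedBuild {
		return Manifest{}, ErrRollback
	}
	return m, nil
}

func main() {
	pub, priv := NewVendorKeys()
	artifact := []byte("constructed update payload v2")
	sm := SignManifest(priv, Manifest{Product: "example-agent", Build: 2, SHA256: DigestHex(artifact)})

	_, err := VerifyUpdate(pub, sm, artifact, 1)
	fmt.Println("genuine update:", err)

	// Hijacked update: the artifact was swapped but the signed manifest was not.
	_, err = VerifyUpdate(pub, sm, []byte("swapped payload"), 1)
	fmt.Println("hijacked artifact:", err)

	// Undermined signing: the manifest was edited to match the swapped artifact,
	// so the vendor signature no longer covers it.
	tampered := sm
	tampered.Payload = []byte(`{"product":"example-agent","build":3,"sha256":"` + DigestHex([]byte("swapped payload")) + `"}`)
	_, err = VerifyUpdate(pub, tampered, []byte("swapped payload"), 1)
	fmt.Println("tampered manifest:", err)

	// A manifest signed by some other key is rejected by the pinned key.
	otherPub, _ := NewVendorKeys()
	_, err = VerifyUpdate(otherPub, sm, artifact, 1)
	fmt.Println("wrong signing key:", err)
}
```

The check is only as strong as the pinning: if the updater fetches the vendor’s public key from the same channel that delivers the update, a compromised channel can replace both, which is why the key is treated here as a constant the consumer already holds.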
In addition to the NIST best practices, there have been other changes around how the cyber community addresses supply chain security.
Federal Government Mandates
In 2021, the federal government issued an Executive Order on Improving the Nation’s Cybersecurity. The objective was to help organizations be better prepared to identify, deter, detect, and respond to cyberattacks. Of note are the private sector’s directives to improve software transparency and supply chain security. Bolstering these things should put companies in a better position to prevent a supply chain attack.
Organizations Want Transparency
Supply chains are under a microscope for many organizations, and there’s a reason they should be. One of the most significant pivots for companies is the demand for software transparency. Adopting platforms shouldn’t force you to do detective work.
A lot of software on the market still has bugs, shortcomings, and weaknesses. Suppliers could intentionally hide these or have yet to discover them due to inconsistent testing. With this in mind, your team will need to analyze the application and prepare questions to ask the vendor that help tell the complete story.
Transparency also applies to your users. They should feel that they can provide feedback on third-party software. Ideally, you’ll hear from them about user experience pros and cons in addition to gaps or weaknesses. If there is a continuous flow of this information, your cyber team can take mitigating steps before the vendor does.
Island Hopping on the Rise
A favorite technique of supply chain hackers is “island hopping.” In this tactic, hackers first infiltrate a third party’s network by attacking its applications or APIs (application programming interfaces), then use the third party’s trusted access as the entry point into your own network.
Cybercriminals have also had success using the remote desktop protocol (RDP) to pose as system administrators. Many experts believe these attacks will become more common in 2023. Having a keen awareness of this, and ensuring your partners do as well, is critical for your cyber plans for the foreseeable future.
These trends offer insight into what to expect, but how do you prevent supply chain attacks?
Preventing a Supply Chain Attack: What Should Your Organization Have in Place?
The recommendations from NIST and other guidance, along with the trends discussed, offer insight into prevention. Being proactive will always serve you well but may conflict with your staff’s mindset. Cybersecurity can be a very reactive field, but it’s hard to sustain a strong security posture if you’re always in this mode. As a result, some shifts need to happen in your cybersecurity culture. Technical adjustments are necessary as well. You’ll be in better shape when you have both.
Here are some prevention tips and how to implement them:
Prioritize Third-Party Risk Management
Do you have a program for third-party risk management? If not, it’s time to create one. If you do, it needs a refresh. Every third party that comes into your cyber circle should undergo a risk analysis. Cybersecurity professionals should be part of the discussion from the beginning. The departments that want the new software may see this as restrictive. It’s important to communicate why this is necessary and not in a condescending way. Healthy interactions between the cyber and business side are critical.
Getting to this point will require some work for your team. Helping them develop better communication skills and removing technical jargon can break down barriers between the groups.
So, how do you introduce soft skill development here? Improving communication skills is a key aspect of the Secure Methodology™. It’s a seven-step guide that transforms technical folks into open-minded, flexible communicators and collaborators. It includes exercises, analysis, tips, and more to create a space where technical minds can evolve.
Conduct Ongoing Self-Assessments
A prepared cyber team can continuously self-assess. To do this, your team needs the ability to be aware and reflective. Again, this is something technical people aren’t doing much of the time. Evaluating the operations and controls within your cyber operations is part of this, but there’s also the need to look at processes and people.
When performing a self-assessment, the exercise should consist of looking at everything within your supply chain ecosystem. Additionally, it’s a time for your people to consider their actions and activities. Have they been communicative? Cooperative? Collaborative?
Asking these hard questions will lead to more transparency. You should do these assessments more often than annually. Quarterly is a goal for which to strive. Once you have a baseline, you can measure progress. When improvements occur, you should acknowledge your team for making changes and growing.
Manage the Remote Work Risk
Remote work is here to stay. Offices are now open throughout the country, but workers want the flexibility of working from home, and many who aren’t fully remote still work hybrid schedules. The bottom line is that remote work is a risk, as you have more endpoints. You also don’t have control over everyone’s home network, and a VPN doesn’t mitigate the vulnerability completely.
What you can do is develop cyber initiatives for those outside the office, including multifactor authentication and secure ways to access applications and data. It’s another area where communication matters. Your cyber team needs to deliver these messages in a way that gets employees to practice good security measures. It should be authentic and inclusive. In such an exchange, employees become aware of the risk and their role in combatting it. It also supports your cyber team’s transformation into good communicators.
Secure Privileged Access Management
As noted above, privileged access is necessary for many third-party software relationships. It’s unavoidable, so you’ll need to be ready. The best approach is to disrupt the privileged pathway a hacker would take so they hit barrier after barrier. You’ll need a PAM (privileged access management) framework. There’s the technical aspect of developing this, but the soft skills of managing it and communicating it to those outside of cybersecurity are just as essential. PAM needs the strongest defenses, and you won’t achieve this without cooperation among your team and their ability to adapt to new threats. Your cyber team must be dynamic in how they strategize, improvise, and adjust.
Improve Supply Chain Security by Developing Your People
You may have no doubts about your personnel’s technical skills, although these require continuous learning. Soft skills, especially communication and collaboration, play a crucial role in mitigating supply chain risk. Developing both types of skills is imperative. If you’re seeking guidance relating to soft skill development, you’ll want to read my book, The Smartest Person in the Room, which features the Secure Methodology™ and prepares you to be a resilient and effective cyber leader.