Supply chains are critical for delivering products and services in today’s interconnected world, where disruption can cause a cascade of issues. However, as supply chains grow in complexity, they are also increasingly vulnerable.
The more links in the chain, the more points of vulnerability – and the more opportunities for cyber-attacks to occur.
Protecting your own business may no longer be enough if your connected suppliers and partners suffer from data breaches.
Gartner predicts that by 2025, 45 percent of organisations worldwide will have experienced attacks on their software supply chains – a three-fold increase from 2021.
With a spate of high profile cyberattacks in Australia and globally, Australian companies must consider cybersecurity in their supply chain risk management program.
A YouGov survey for the Uncovering Risks in the Supply Chain report found that third-party cyber risks are misunderstood, as many businesses think a global supply chain attack won’t impact them.
The report also found that a majority of Australian organisations are aware of the potential challenges they encounter, with 64 percent saying they see cyber security as the second greatest challenge they face.
However, only 16 percent of respondents reported that they expected those risks would impact their organisation over the next year and only 27 percent included cyber security within their supply chain management plans.
With Australia’s economy even more interdependent, and with supply chains more vulnerable than ever, it’s imperative that Australian businesses collaborate closely with customers and suppliers to alleviate the onslaught of potential cyber-attacks.
Below are some of the key risks and the strategies to mitigate them:
1. Software supply chain attacks
One of the most common cyber threats for supply chains is software-based attacks.
This is where attackers attempt to compromise the source code, software or firmware of a product.
An example is where they inject malicious code into the software at the vendor or provider level, which then gets downloaded and implemented by unsuspecting customers. This method bypasses many security measures because customers typically trust software obtained directly from vendors and providers.
The SolarWinds incident illustrates the severity of software supply chain attacks.
Malicious code was inserted into SolarWinds’ Orion software, which was used by thousands of businesses and government agencies worldwide to manage IT resources.
The malware was inadvertently delivered as a software update. This didn’t just affect Orion users, but also gave hackers potential access to the networks and data of their customers and partners.
Businesses must adopt a proactive approach to combat software supply chain attacks. This includes conducting rigorous vendor risk management, assessing suppliers’ security postures and establishing unique security requirements for each type of supplier.
Implementing a Zero Trust security model can also help organisations verify the trustworthiness of every incoming connection and device requesting access.
2. Phishing attacks against suppliers
Phishing attacks against suppliers are another prevalent method for cybercriminals to gain access to an organisation’s networks and systems indirectly.
When suppliers, especially those in IT outsourcing or call centres, fall victim to phishing attacks, cybercriminals can impersonate customers and request sensitive information or password resets.
The effectiveness of these attacks is amplified because suppliers may not have the same level of security awareness or anti-phishing solutions as large corporate enterprises.
As a result, they’re attractive targets for cybercriminals looking for a foothold into a larger organisation’s network.
To mitigate the risk of phishing attacks through suppliers, organisations should focus on comprehensive security awareness training for suppliers and enforce strict security requirements.
By extending security practices to include suppliers and monitoring their activities, organisations can detect suspicious behaviour early and respond effectively.
3. Hardware supply chain attacks
Hardware supply chain attacks involve attackers modifying the firmware of hardware devices, such as routers, IoT devices and smart appliances (even Smart TVs and washing machines), to include backdoors or vulnerabilities.
These compromised devices are then sold to end organisations which unknowingly implement them, creating a potential entry point for attackers.
Detecting hardware supply chain attacks is particularly challenging because they often go unnoticed by manufacturers and suppliers. Organisations must rely on rigorous quality control and verification processes to identify compromised hardware.
While hardware supply chain attacks are less common, they are difficult to detect and can have significant consequences.
Manufacturers and suppliers must implement thorough testing and verification processes, double and triple checking everything they ship, to ensure the integrity of their hardware products.
Future trends and challenges
Supply chain attacks are expected to increase in 2024 due to their demonstrated effectiveness and the growing interdependence of businesses.
As organisations expand their partnerships and ecosystems, they become more susceptible to supply chain attacks.
Attackers often target the weakest links in these supply chains, such as smaller suppliers with less robust security measures and awareness.
Organisations need to strengthen their security posture and address challenges in two critical areas:
1. API Security
With the proliferation of APIs in supply chains, organisations must invest in specialised API security tools to protect their systems from API-related vulnerabilities.
APIs are effectively gateways to data. Traditional security cannot keep up with the amount of APIs that are being rolled out. APIs need to be protected while they’re being developed and when they’re rolled out.
2. Artificial Intelligence (AI) in Security
Evaluating AI-powered security solutions is a growing trend.
How can we harness AI not just for operational efficiency but to make us more secure?
AI can enhance threat detection and response capabilities, and we’ll likely see this area grow exponentially in the coming year.
Businesses must adopt proactive robust security measures to protect their operations and invest in critical technology areas.
Organisations also need to ensure they develop alliances with trusted vendors, continuously monitor their supply chain for risks and vulnerabilities, conduct in-depth risk assessments and run regular software updates and patching.
Navigating supply chain cybersecurity can be very complex but working with the larger supply chain ecosystem and putting in place these measures can help mitigate and combat these threats and vulnerabilities.
By Reuben Koh, Director, Security Technology & Strategy APJ, Akamai
This article was first published by PASA