Editorial

Tackling cybersecurity in the supply chain

Think Cybersecurity for Government saw an expert panel explain what public sector cybersecurity providers should be doing to ensure the security of their operations.

Posted 17 May 2023 by Christine Horton


Gartner predicts that by 2025, 45 percent of organisations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021. But the supply chain threat doesn’t end with their software suppliers. A series of high profile and damaging attacks on companies has demonstrated that criminals can find vulnerabilities among any supplier of products or services – both physical and virtual. Indeed, the size and complexity of the typical modern supply chain is what makes tackling vulnerabilities such a daunting task.

“Supply chain is one of these terms which means very different things to many organisations,” explained Tristan Morgan, managing director cyber security, BT Group. “The one thing we do know is that pretty much every organisation is becoming increasingly connected, increasingly digitised, and therefore the traditional definitions of supply chain only being the ones that you rely upon to potentially provide goods and services, massively increases to a supply chain that is critical for all businesses to operate.”

Morgan was speaking at the recent Think Cybersecurity for Government event, where he joined an expert panel (pictured) to discuss what public sector cybersecurity providers should be doing to ensure the security of their own operations.

Dr Ric Derbyshire, senior security researcher at Orange Cyberdefense, pointed to the recent supply chain attack targeting enterprise phone provider 3CX – which was compromised by a malware-laced version of the X_Trader financial software.

“The 3CX supply chain attack actually has turned out to be two supply chains deep,” he said. “So, it just goes to show that it’s not just your supply chain, it’s your supply chain’s supply chain as well. It goes down to the question of how deep do you start looking? And are the employees of the organisations in your supply chain also conforming to the policies and processes that are supposed to be in place?”

Onboarding delays cause problems

The lack of transparency into the supply chain is exacerbated when it can take up to eight weeks to onboard a supplier, as is often the case in government. An organisation’s business objectives therefore have to align with its processes, said Morgan.

“Otherwise, you will find people will find a way around them. If your business needs to bring suppliers on board really quickly, but the processes mandate that it takes eight or more weeks, people are going to find ways around it. I’ve spoken to companies where people haven’t disabled employees when they’d left because that’s the bit that takes time when you bring them back.

“I know it’s uncomfortable for many businesses. But you’ve got to look long and hard and say, why does it take eight or 12 weeks to bring somebody or a company on board? Are there things you can do to expedite that, or do you have more strategic partnerships with fewer members of your supply chain, to ensure that you can continue to operate within and maintain oversight and governance of their activities?”

Takeaway from SolarWinds attack

Dr Budgie Dhanda MBE, managing consultant at PA Consulting, noted that in the wake of the 2020 SolarWinds attack there is still work to be done by organisations on business impact analysis: understanding what software they have, and the criticality to the business if there were a breach.

“It’s complex. No business runs on a very small number of systems or services. Every business I know has hugely complex processes and supply chains. Every time you introduce something new you need to really understand what it is, and the potential impact on your business. It’s basic stuff that we’ve known for a long time. It’s just difficult to do and time consuming to do so. People don’t do it very well.”

Morgan added that the learning point for organisations from the SolarWinds attack is that threat actors and criminals are probably already inside their network. “The key thing here is about making sure you’ve got the right visibility. You’re limiting the ability for them to move around. So, you can detect and take action quickly. And that’s where it comes back to the term zero trust – don’t trust any function or person any more than you need to for that specific period of allotted time,” he said.

Another response to the problems associated with the complexity of the average software estate is having a Software Bill of Materials. Said Derbyshire: “A software bill of materials will just be a list of third party components, and it also contains some metadata: open source licenses, versions, and what level of patching the third party component is up to. And this basically reduces the overhead if any of these libraries in the future are found to be vulnerable. You can essentially more quickly find out whether you have to panic or not, or whether you have to patch or take things offline for example.”
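The triage Derbyshire describes, answering “do we have to panic or not?” from an SBOM, is easy to show in code. The following is an added example and not code from the panel, 3CX or any vendor: it loads a constructed, minimal CycloneDX-style JSON document (component names, versions and licenses are made up), walks nested components so that a dependency’s own dependencies are checked too (Derbyshire’s “supply chain’s supply chain”), and matches each component against constructed advisories with placeholder identifiers that give a half-open affected range [introduced, fixed). It assumes numeric dotted versions; real SBOMs and advisory feeds need a fuller version parser and package URLs for matching.

```python
import json

# Constructed sample, not a real product's SBOM: a minimal CycloneDX-style
# document. Component names, versions and licenses are made up.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "fastjsonlib", "version": "2.3.0",
     "purl": "pkg:pypi/fastjsonlib@2.3.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "imgcodec", "version": "1.9.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "application", "name": "webfrontend", "version": "5.1.0",
     "components": [
       {"type": "library", "name": "fastjsonlib", "version": "1.8.2"},
       {"type": "library", "name": "tlswrap", "version": "0.4.0",
        "licenses": [{"license": {"name": "BSD-3-Clause"}}]}
     ]}
  ]
}
"""

# Constructed advisories with placeholder identifiers (not real CVEs): each
# names an affected component and the half-open version range [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "fastjsonlib", "introduced": "2.0.0", "fixed": "2.4.1"},
    {"id": "ADV-EXAMPLE-0002", "name": "imgcodec", "introduced": "0.0.0", "fixed": "1.9.0"},
    {"id": "ADV-EXAMPLE-0003", "name": "tlswrap", "introduced": "0.3.0", "fixed": "0.5.0"},
]


def parse_version(text):
    """Turn a dotted numeric version such as '2.3.0' into a comparable tuple,
    so that '2.10.0' sorts after '2.9.3' (string comparison would get it wrong)."""
    return tuple(int(part) for part in text.split("."))


def is_affected(installed, introduced, fixed):
    """True when introduced <= installed < fixed; the fixed version itself is clean."""
    return parse_version(introduced) <= parse_version(installed) < parse_version(fixed)


def walk_components(components, depth=1):
    """Yield (component, depth) for every component, descending into nested
    components so that a dependency's own dependencies are inspected as well."""
    for comp in components:
        yield comp, depth
        yield from walk_components(comp.get("components", []), depth + 1)


def licenses_of(comp):
    """Collect the license ids or names recorded for a component."""
    out = []
    for entry in comp.get("licenses", []):
        lic = entry.get("license", {})
        out.append(lic.get("id") or lic.get("name") or "unknown")
    return out


def find_affected(sbom_text, advisories):
    """Return one record per (component, advisory) match, with the version to patch to."""
    doc = json.loads(sbom_text)
    hits = []
    for comp, depth in walk_components(doc.get("components", [])):
        for adv in advisories:
            if comp["name"] != adv["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                hits.append({
                    "advisory": adv["id"],
                    "component": comp["name"],
                    "installed": comp["version"],
                    "fixed": adv["fixed"],
                    "depth": depth,
                    "licenses": licenses_of(comp),
                })
    return hits


if __name__ == "__main__":
    for hit in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{hit['advisory']}: {hit['component']} {hit['installed']} "
              f"(depth {hit['depth']}) -> patch to {hit['fixed']}")
```

Run against the constructed input it reports two findings: the top-level fastjsonlib 2.3.0 and the tlswrap 0.4.0 bundled two levels down inside webfrontend, while imgcodec 1.9.0 is already at the fixed version and the nested fastjsonlib 1.8.2 predates the affected range. The depth field is what tells you whether the fix is a patch you can apply yourself or a request to a supplier.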

Business resilience, rather than cyber resilience

Another key theme of the discussion was building cyber resiliency. Said Morgan: “I really encourage everybody to sit and think about their businesses, not today, not so much in the near term, but actually where’s their business going to be in the next two or three years. Work back from that to ensure that resiliency is a key consideration alongside the bigger transformation programmes that everybody’s looking at, with a key view on ‘how is your supply chain going to support you in doing it and what is the right level of diligence and support you need to offer to those critical suppliers to ensure that they support your aims?’”

Dhanda said one of the best ways to engage with board members on supply chain threats is to talk about business resilience, rather than cyber resilience.

“If you just look at what we’ve just gone through over the last few years with the pandemic, people are becoming much more aware of resilience in supply chains, full stop – whether it’s cyber resilience or anything else that causes problems in the supply chain,” he said.

He advocated scenario-based exercising as the best way to get senior management to understand the business impact of a supply chain attack. “When they understand the business impact, that’s when they start taking things seriously. They understand what their role in that is. They understand exactly where their investment’s going. Cyber is one of those things where it’s hard to see return on investment quite often. It’s language; focusing on cyber risk and cyber resilience and cyber supply chain sometimes does a bit of a disservice, because ultimately impact is not about cyber. It’s about business impact.”

