Ransomware attacks: is your supply chain software safe?

A full-scale hack against your supply chain software could easily spread the contagion far and wide. Businesses need to get serious about preparing for the worst
Gettyimages 1302623817

In a world where cybercriminals run amok, it’s no longer a case of if your business will be hit with an attack, but when. And supply chain teams are particularly vulnerable. Gartner predicts that by 2025, 45% of organisations worldwide will have experienced an attack against their supply chain software – a threefold jump from 2021.

More than ever, the inevitability of such an attack means that businesses should be looking to head off this kind of costly disruption before it occurs. The alternative is horrific. For instance, more than 18,000 businesses and organisations found themselves compromised by the 2020 SolarWinds hack, which struck an IT management and monitoring tool used by many firms worldwide.

The SolarWinds attack is just one example of a software-based supply chain incident where the hacking of software used by many organisations can have a ripple effect far beyond the initial incident, with the effects cascading through supply chains. The 2014 attacks by the Dragonfly group of cyber attackers took several energy companies offline, although it’s believed that the initial target was actually the pharmaceutical industry’s supply chain. 

How to beat the ransomware risk

Recent research by AAG estimates that there were around 1.3 million ransomware attacks a day worldwide in the first half of 2022. “Ransomware is a booming industry that no one is rooting for,” says Joey Stanford, vice-president of privacy and security at Platform.sh. 

With such cyber attacks proving more prevalent, how do you head off the risk to your supply chain? What can be done to safeguard the software your teams use day in, day out?

Well, prevention is far better than cure, and teaching supply chain teams how to identify potential cybersecurity risks and avoid falling victim to them is a key part of the process. After all, if hackers can’t access valuable information, they can’t wreak havoc with it. 

One important first step is to highlight the risks that people need to be aware of and how to best respond. For this, regular training in cybersecurity is likely to be top of your list. 

It all depends on what access suppliers have to your systems

Beyond that, there are plenty of other things to do. Spring-clean your supply chain management platforms to ensure that everything you need is there – but things that you don’t need, are not. The good news is that there is a fairly simple process to identify risks within a tech stack. 

“Inventory it,” advises Tim Mackey, head of software supply chain risk strategy at Synopsys Software Integrity Group. “If development teams and operations teams had a comprehensive inventory of all software in the business – regardless of whether it’s custom code, contracted code, commercial code, a cloud service, or open source downloaded from the internet – then you can start having more robust security discussions.” 

That’s important because the elements of supply chain software that you integrated into your system long ago and then forgot about are bound to be some of the more vulnerable points of your infrastructure.

You can only fix what you see

Anna Chung is principal researcher at Unit 42, the Palo Alto Networks threat intelligence consultancy which advises Europol. She agrees that visibility over every bit of software in supply chain systems is crucial.

“Improving cybersecurity is the prime solution. But even that is undermined unless you put in some hard work to understand where and how software is used in your organisation,” she says. “Without that, you can’t embed security into how you use the software.”

Chung adds that it’s important to know who developed the software you use, as well as how its in-built security measures have been formulated. That traceability is important if something goes wrong, so you can quickly bring the supply chain back online while identifying and quarantining the affected area. 

In general, single points of failure can be particularly problematic for something as crucial as supply chain software. For that reason, it’s often useful to rely on multiple vendors and providers to build in redundancy to your supply chain system – although it’s worth making sure you’re properly documenting who those are and why they’re vital, to avoid the risk of ghosts in the machine. 

Why trust is vital throughout the supply chain

Spreading your risk this way is one option to reduce the chance of a single breach ballooning into a terminal problem for your supply chain. But committing to developing trusting relationships with suppliers can also be useful.

Suppliers’ or partners’ negligence can pose a huge risk to your company

“It all depends on what access suppliers have to your systems, what data you share with them, and what are they installing on your network,” says Michael Smith, field chief technology officer of Neustar Security Services. “Threat actors are looking to access core data inside your systems and networks, ultimately to find a loophole which grants them access to other suppliers’ and partners’ networks and systems. That’s when it can become catastrophic.”

As a result, procurement teams can’t afford to be shy about demanding a high level of security from their suppliers and keeping them honest. “Suppliers’ or partners’ negligence can pose a huge risk to your company, especially if they’re not vetted appropriately,” says Smith. “Businesses must be able to trust that what they are provided with will not create new vulnerabilities in their environment.” 

That might include inserting into your contracts the minimum level of providers’ security standards that you’re comfortable with, and regular reporting on how well they’re meeting those requirements. 

For something as important as the supply chain, there’s no margin of error for getting security wrong. Not maintaining safeguards around your supply chain software – for even a moment – can be catastrophic not just to your business, but to those end users and clients who rely on you to deliver items on time. 

It’s better to be safe than sorry – and to overcompensate for the risk of something going wrong – than to be caught on the hoof when the worst happens.