by Dmitry Samartsev*
Supply chain cyberattacks are expected to quadruple in 2021 versus last year, according to the European Union Agency for Cybersecurity (ENISA).
These attacks are becoming particularly attractive to cybercriminals because of their scalability. An attack on US software firm Kaseya in July 2021 affected up to 1,500 businesses across the globe. In Sweden alone, almost 500 supermarkets were forced to close when their checkouts stopped working as a result of the attack.
This kind of “one-target, multiple-victims” scenario has turned supply-chain attacks into a lucrative business model for hackers, particularly when coupled with ransomware. The hackers who claimed responsibility for the Kaseya breach demanded $70 million to restore all of the affected businesses’ data.
Given the general increase in digital interconnectedness, this trend is rather dangerous. A company’s security no longer depends solely on its own resilience. A vulnerability in a third party’s products or systems may create an entry point into the entire supply chain for cybercriminals. This means you can no longer simply trust that your vendor is cybersecure — you need to verify it. But how?
The zero-trust approach
Rather than assuming that a company or product you are dealing with is secure, a zero-trust approach requires verification for all assets, user accounts or applications — the authentication for their access to your systems must be approved. Even users within your own technology infrastructure must confirm their data every time they request access to any resource inside or outside the network.
Experts at Cyber Polygon 2021, an international online conference and cybersecurity training event held last July, discussed how to increase supply chain resilience using this kind of zero-trust approach. The training was also devoted to repelling a simulated supply-chain attack. These expert discussions and exercises led to three key conclusions about why using zero trust to protect supply networks makes sense:
1. What if your vendor pays insufficient attention to cybersecurity?
The vendor you deal with might miss something in building its cybersecurity system or underestimate the importance of secure development of products and services. This may lead you to unknowingly install vulnerable software or, in the case of an unreliable cloud service provider, expose your organisation to data leaks.
To minimise these risks:
- Verify a vendor’s compliance with cybersecurity standards before applying for its services or signing a contract for software development. Remember to stipulate liability in the contract in the event of security incidents.
- When outsourcing software development, carry out regular quality assurance, particularly when updates are released.
- Engage independent experts to audit the security of the developed software and products.
- Introduce solutions for continuous security monitoring of the applications. In the case of a cloud service provider, you should also require additional control mechanisms such as monitoring of sessions and sources of entry, as well as auditing of sessions.
2. What if your vendor places too much trust in other third parties?
A supply chain is a multilayer structure so your vendor may be working with other third parties and relying on their resilience without verification. If even one of these entities has a low cybersecurity level, it could become the point of entry into the whole supply chain.
A zero-trust approach can help to reduce this risk by:
- Requiring secure and confirmed access to all resources. Every time a user accesses an application or cloud storage, reauthentication is required. In fact, each attempt to access the network is regarded as a threat until proven otherwise.
- Using the least-privilege model, which limits each user’s right of access to data to the minimum level necessary to perform their duties. This prevents a cybercriminal from reaching large datasets through one compromised account.
- Analysing the logs or history of events and their sources in your applications and recording anomalies in dedicated software. This will help to reveal the threats in your network and identify the chain of events after an attack.
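The three measures above, together with the session and source-of-entry monitoring mentioned for cloud providers earlier, can be illustrated in a single small access gate. The code below is an added example and is not from the original article or from BI.ZONE or Cyber Polygon; every user, role, resource, address and request in it is constructed. It assumes a shared-secret HMAC over a per-request nonce as a stand-in for an identity-provider assertion, a role-to-resource table as the least-privilege policy, and an in-memory audit log from which two simple anomaly patterns are derived: users who are repeatedly denied and users seen from more than one source address.

```python
from collections import defaultdict
from dataclasses import dataclass
import hashlib
import hmac

# Constructed least-privilege policy: role -> resources that role may read.
POLICY = {
    "warehouse": {"inventory"},
    "finance": {"invoices", "inventory"},
    "vendor-support": {"tickets"},
}

# Constructed directory: user -> (role, shared secret). A real deployment would
# consult an identity provider with MFA; the HMAC proof below stands in for that.
USERS = {
    "alice": ("warehouse", b"alice-secret"),
    "bob": ("finance", b"bob-secret"),
    "vendor-bot": ("vendor-support", b"vendor-secret"),
}


@dataclass
class AccessRequest:
    user: str
    resource: str
    source_ip: str
    nonce: str
    proof: str  # hex HMAC-SHA256(secret, nonce) presented by the caller


def make_proof(secret: bytes, nonce: str) -> str:
    """Client side: prove possession of the secret for this one request only."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


class ZeroTrustGate:
    """Every request is denied until it proves identity for this specific
    request and the least-privilege policy allows the requested resource."""

    def __init__(self):
        self.used_nonces = set()  # blocks replay of a captured proof
        self.audit_log = []       # every decision is recorded, allowed or not

    def authorize(self, req: AccessRequest) -> bool:
        allowed, reason = False, "unknown user"   # default is deny
        entry = USERS.get(req.user)
        if entry is not None:
            role, secret = entry
            if req.nonce in self.used_nonces:
                reason = "replayed nonce"
            elif not hmac.compare_digest(make_proof(secret, req.nonce), req.proof):
                reason = "bad proof"
            else:
                self.used_nonces.add(req.nonce)  # valid proof; never accept it twice
                if req.resource in POLICY.get(role, set()):
                    allowed, reason = True, "ok"
                else:
                    reason = f"role {role} not permitted on {req.resource}"
        self.audit_log.append({
            "user": req.user, "resource": req.resource,
            "source_ip": req.source_ip, "allowed": allowed, "reason": reason,
        })
        return allowed

    def find_anomalies(self, max_denials: int = 2) -> dict:
        """Surface patterns an analyst would review: users denied more than
        max_denials times, and users seen from more than one source address."""
        denials = defaultdict(int)
        sources = defaultdict(set)
        for e in self.audit_log:
            if not e["allowed"]:
                denials[e["user"]] += 1
            sources[e["user"]].add(e["source_ip"])
        return {
            "repeated_denials": sorted(u for u, n in denials.items() if n > max_denials),
            "multiple_sources": sorted(u for u, s in sources.items() if len(s) > 1),
        }


def run_demo():
    """Constructed traffic: normal use, a replayed proof, an out-of-role request,
    and a vendor account misused from a second address. Returns (decisions, anomalies)."""
    gate = ZeroTrustGate()
    requests = [
        AccessRequest("alice", "inventory", "10.0.0.5", "n1", make_proof(b"alice-secret", "n1")),
        AccessRequest("alice", "inventory", "10.0.0.5", "n1", make_proof(b"alice-secret", "n1")),  # replay
        AccessRequest("alice", "invoices", "10.0.0.5", "n2", make_proof(b"alice-secret", "n2")),   # outside role
        AccessRequest("bob", "invoices", "10.0.0.7", "n3", make_proof(b"bob-secret", "n3")),
        AccessRequest("vendor-bot", "tickets", "203.0.113.9", "n4", make_proof(b"vendor-secret", "n4")),
        AccessRequest("vendor-bot", "invoices", "198.51.100.2", "n5", make_proof(b"vendor-secret", "n5")),  # wrong resource, new IP
        AccessRequest("vendor-bot", "inventory", "198.51.100.2", "n6", make_proof(b"wrong", "n6")),          # bad proof
        AccessRequest("vendor-bot", "tickets", "198.51.100.2", "n7", make_proof(b"wrong", "n7")),            # bad proof
    ]
    decisions = [gate.authorize(r) for r in requests]
    return decisions, gate.find_anomalies()


if __name__ == "__main__":
    print(run_demo())
```

Note that the gate logs denied requests as carefully as allowed ones: the second bullet's least-privilege check is what turns the vendor account's overreach into a denial, and the third bullet's log review is what makes the pattern of that account appearing from a second address visible at all.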
3. What if you are contacted by a criminal posing as your vendor?
One of your employees may receive an email that seems to be from your vendor, but is actually a phishing email from a criminal. Corporate accounts continue to be one of the most tempting targets for cybercriminals, and phishing has become the main method to deliver ransomware infections into companies.
We have found that 7 out of 10 sales representatives fall for cybercriminal tricks when we simulate phishing attacks on our clients for training purposes. So, even advanced software solutions may not be enough to secure the company if employees open the doors to intruders. Requiring employees to verify all incoming mail can substantially minimise this risk. Our research shows a 9-fold reduction in employees rising to the bait after companies have been conducting phishing drills for two years.
The potential financial gains from supply chain attacks provide significant motivation for today’s cybercriminals. As a result, supply chain security is a crucial issue for the digital community to address.
The zero-trust method can considerably increase the resilience of each individual company in a supply chain, bringing more stability to these growing networks. By verifying vendors and every other element inside and outside the system, as well as providing regular training in this method to employees, it is possible to overcome this challenge.
*Chief Executive Officer, BI.ZONE
**first published in: www.weforum.org