A company can invest as much time and money as it likes in its cybersecurity: if its external partners do not pay enough attention to their own IT security, it can still fall victim to a hacker attack. Hackers exploit external partners’ lack of attention to IT security to penetrate a target organization. Once they have penetrated a company’s supply chain, hackers can compromise thousands of victims simultaneously.
Companies around the world have become increasingly vulnerable to the growing threat of supply chain attacks in recent years. In fact, a study by Argon found that supply chain attacks increased by more than 300 percent in 2021 compared to 2020.
Perhaps the most prominent example of a targeted attack on a company’s supply chain is the attack on SolarWinds in 2020. It is estimated that this attack alone affected 18,000 customers – including large government agencies.
SolarWinds example: Here’s how it can happen
SolarWinds, a provider of network management software, faced a major attack on its supply chain in late 2020. Some 18,000 of its customers had installed an infected version of its Orion products.
The company discovered that its Microsoft Office 365 email and Office accounts had been compromised. In addition, a publicly available GitHub repository of SolarWinds reportedly exposed the credentials for the “downloads.solarwinds.com” domain. This allowed the attackers to upload a malicious file disguised as an Orion software update to the company’s download portal.
What can I do to reduce the risk of a supply chain attack?
The risk of supply chain attacks is growing, but many companies still seem unsure how to respond. To assess your level of defense against supply chain attacks, ask yourself the following questions:
How well do I know my suppliers’ IT security?
What types of data do your suppliers process? What system interfaces do they use? How closely are they integrated with your business? You should know, and be able to assess, the access rights and connection points of all your partners.
What are my suppliers doing to protect themselves?
Find out how your partners are protecting themselves from cyber attacks. To do this, create a list of clearly defined requirements and dare to ask your suppliers uncomfortable questions. You can expect any vendor to show you how they protect themselves and their customers from attacks. For example, ask how access to systems is restricted and how data is encrypted.
Can my vendors ensure my business continuity in the event of a successful attack?
A good defense is the best protection against supply chain attacks, but no system can ever be completely secure. So what happens when an attack does occur? When it comes to business continuity and disaster recovery (BCDR), set clear expectations for your partners and build them into your contracts. If one of your vendors doesn’t have a formal BCDR strategy, create one together.
Does my organization practice a sustainable security culture?
While the first questions focus on IT security at your suppliers and partners, this last one turns to your own organization. What is your company doing to foster security awareness and IT security in daily practice? What are you investing in building the corresponding mindset, toolset and skillset among your workforce? Do you and the users in your company feel capable of recognizing an attack and reacting appropriately?
Sustainable security awareness training offers a good approach to all of these questions. Test your security awareness now with the free demo of our training and protect your company sustainably against cyber attacks.