How to Protect Your Company Against Supply Chain Attacks


With the tidal wave of supply chain attacks in the last few years (think SolarWinds and NotPetya), companies need to be more wary than ever about who they trust to make their software. The stakes are high.

If you’re like most organizations, you can’t produce all of your software in-house. That means you’ll have to rely on third-party vendors on some level, which inevitably makes your company vulnerable not only to these vendors but to the vendors’ vendors as well.

It may be time to set some parameters to protect your company against a supply chain attack, before it’s too late.

What is a supply chain attack?

A supply chain attack is a cyberattack that specifically targets the software or hardware of a single supplier in order to compromise all of the companies that work with that supplier. One supply chain attack can have thousands of victims.

For example, say your company hires a software supplier. If hackers gain access to that software, they can replace some of its files with malware. This malware will then be automatically installed alongside legitimate software. Voila, the modern-day Trojan horse.

If you remember the Sandra Bullock classic The Net, the security software being installed had a security vulnerability that gave the hackers access to tons of secret networks.

Hardware supply chain attacks can be even more difficult to detect. This is because the infected equipment likely shows no signs of malicious code. Plus, most companies would never guess that brand-new hardware could be compromised.

Even open-source software like Log4j is vulnerable to supply chain attacks. Companies should take precautions whenever they work with a new supplier to obtain software or hardware.

At-risk organizations

It may seem like only large companies and government agencies are at risk of supply chain attacks. Russian and Chinese hackers aren’t coming for your small start-up, or are they?

I hate to break it to you, but no one is safe. While your company may not be the primary target of a supply chain attack, you could still suffer collateral damage. That’s because hackers can reach multiple companies through a single supplier.

No matter the size of your company, you need to be aware of the dangers of supply chain attacks. Think carefully about which suppliers you can trust. Even the outside providers you’ve been using for years could experience a cyberattack.

3 ways to protect your company against a supply chain attack

Supply chain attacks are notoriously tricky to protect against. Here are some safety practices to start implementing so you don’t fall victim to this looming threat.

1. Vet all third-party vendors

Trust can be hard to come by in the digital age. After all, there’s not a reliable system in place nationally or internationally to identify whether a vendor is 100% trustworthy.

Still, there are steps you can take to ensure your suppliers are as secure as possible. Develop a set of assessment criteria that holds all suppliers to a certain standard. Each supplier should be able to give an overview of its security policies as well as the safety of each component of the software or hardware.

Keep an eye on the work of the Consortium for Information and Software Quality, an organization looking to develop standards for software trustworthiness. Your company may be able to use these standards as a resource for figuring out which suppliers to choose from in the future.

2. Watch out for software updates

Software updates are meant to patch your software and make it better, right? Not always. Some supply chain attacks are actually tied to software updates so that the malware can be installed automatically.

This is one of the more difficult hacks to spot because software updates are notoriously tough to scan for malware. If Microsoft missed the malware in the SolarWinds update, you probably would too.

Should you stop downloading software updates? Definitely not. Unpatched software tends to be vulnerable to zero-day attacks. This makes it way more vulnerable than updated software. The best way to prevent a supply chain attack via software update is to make sure your providers have sufficient code verification mechanisms in place.
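Code verification on the vendor side is only half of it; on the receiving side you can check every update against a release manifest whose digests you obtained and pinned out of band (for example from a vendor-signed manifest whose signing key you already hold), rather than trusting whatever arrived with the download. The following is an added example, not code from the original article or from any vendor: the release files, file names and digests are constructed here for illustration, and the check flags tampered, injected and dropped files before anything is installed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample "release": file name -> file contents. In practice these
# would be the bytes of the downloaded update package.
GOOD_RELEASE = {
    "agent.bin": b"\x7fELF-constructed-agent-binary-v2.3.1",
    "config.ini": b"[agent]\nupdate_url=https://updates.example-vendor.test\n",
}


def build_manifest(files):
    """Compute the SHA-256 manifest a vendor would publish (and sign) for a release."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


# The pinned manifest represents digests your organisation obtained out of band
# and stored before the update was fetched. Here it is derived from the good
# release so the example is self-contained.
PINNED_MANIFEST = build_manifest(GOOD_RELEASE)

# Constructed tampered release: the binary was swapped and an extra file injected,
# which is the pattern a trojanised update would show.
TAMPERED_RELEASE = {
    **GOOD_RELEASE,
    "agent.bin": b"\x7fELF-constructed-agent-binary-with-implant",
    "helper.dll": b"constructed-unexpected-payload",
}


@dataclass
class VerificationResult:
    ok: bool
    mismatched: list = field(default_factory=list)   # present but digest differs
    unexpected: list = field(default_factory=list)   # present but not in manifest
    missing: list = field(default_factory=list)      # in manifest but not delivered


def verify_release(files, manifest):
    """Compare every delivered file against the pinned manifest.

    Any mismatch, extra file, or missing file fails the whole release; a partial
    install of a half-verified update is not a safe outcome.
    """
    mismatched, unexpected = [], []
    for name, data in files.items():
        expected = manifest.get(name)
        if expected is None:
            unexpected.append(name)
            continue
        actual = hashlib.sha256(data).hexdigest()
        # Constant-time comparison avoids leaking how many digest characters matched.
        if not hmac.compare_digest(actual, expected):
            mismatched.append(name)
    missing = [name for name in manifest if name not in files]
    ok = not (mismatched or unexpected or missing)
    return VerificationResult(ok, mismatched, unexpected, missing)


if __name__ == "__main__":
    for label, release in (("good", GOOD_RELEASE), ("tampered", TAMPERED_RELEASE)):
        result = verify_release(release, PINNED_MANIFEST)
        print(f"{label}: ok={result.ok} mismatched={result.mismatched} "
              f"unexpected={result.unexpected} missing={result.missing}")
```

The point of the design is that the manifest and the package travel separately: if an attacker can replace files on the download server, they should not also be able to replace the digests you compare against. Run the script as-is to see the good release pass and the tampered one fail on both the swapped binary and the injected file.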

3. Limit web access permissions

Follow the principle of least privilege. Essentially, this means giving your software the minimum level of access to the Internet required for it to function.

Start by taking inventory of your software. Any software that needs to connect to the Internet should be limited to the update sites you’ve specified. This limits what a compromised program can reach and also helps protect your high-value assets.
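Once you have that inventory, the allowlist of permitted update sites per program becomes something you can enforce and audit. Below is an added example, not code from the article: it keeps a per-program egress allowlist and runs it over a few constructed outbound-connection log lines (the log format, program names and hostnames are assumptions for illustration) so that any connection to a destination outside the allowlist, or from a program with no allowlist entry at all, is surfaced as a finding.

```python
import re

# Constructed allowlist: each inventoried program maps to the only hosts it is
# permitted to reach. Program and host names are assumptions for illustration.
EGRESS_ALLOWLIST = {
    "agent.bin": {"updates.example-vendor.test"},
    "backup.exe": {"backup.example-vendor.test", "status.example-vendor.test"},
}

# Constructed outbound-connection log lines in the shape a host firewall or
# endpoint sensor might emit. The format itself is an assumption.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z proc=agent.bin dst=updates.example-vendor.test:443 action=allow
2024-05-01T10:00:07Z proc=agent.bin dst=cdn.unknown-host.test:443 action=allow
2024-05-01T10:01:15Z proc=backup.exe dst=status.example-vendor.test:443 action=allow
2024-05-01T10:02:30Z proc=notepad.exe dst=203.0.113.9:8443 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>\S+) dst=(?P<host>[^:\s]+):(?P<port>\d+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["port"] = int(event["port"])
    return event


def is_permitted(proc, host, allowlist):
    """Default deny: a program is only allowed to reach hosts explicitly listed for it."""
    return host in allowlist.get(proc, set())


def audit_egress(log_text, allowlist):
    """Return (timestamp, program, host, reason) for every connection outside the policy."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        if event["proc"] not in allowlist:
            findings.append((event["ts"], event["proc"], event["host"],
                             "program has no egress entry in the inventory"))
        elif not is_permitted(event["proc"], event["host"], allowlist):
            findings.append((event["ts"], event["proc"], event["host"],
                             "destination is not an approved update site"))
    return findings


if __name__ == "__main__":
    for ts, proc, host, reason in audit_egress(SAMPLE_LOG, EGRESS_ALLOWLIST):
        print(f"{ts} {proc} -> {host}: {reason}")
```

The same allowlist that drives the audit is what you would translate into the firewall or proxy rules that block the traffic in the first place; running it as a detection over logs as well catches the cases where a rule was missed or a program was never inventoried.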

You can extend the principle of least privilege beyond software management and use it to upgrade overall online security within your company. Rotate passwords, store account information in a digital vault, and only allow users to temporarily access privileged accounts.

While it may seem like supply chain attacks only affect giant corporations and government agencies, the truth is companies of all sizes can become victims of this type of cyberattack. Protect your organization by working together with suppliers to develop safety standards that will keep everyone safe.
