Why securing software should go far beyond trusting your vendors


If you were a hacker, how would you set about wreaking the most havoc possible?

Mass phishing? Targeting critical infrastructure? Perhaps. Or maybe you’d choose attacking a software supply chain: if thousands of companies have bought software from a single vendor, then a hit on that vendor attacks all its customers simultaneously.

This is, of course, the story of the SolarWinds hack of 2020. Attackers deployed malicious code into the company’s Orion IT monitoring and management software, to attack thousands of its customer enterprises and government agencies worldwide. It made for arguably the biggest cyberattack in history.

Its success may be down to trust: too many businesses trust that their vendors have security covered, and so do not protect themselves against a potential attack. Indeed, the UK government’s Cyber Security Breaches Survey 2022 found that just over one in ten UK businesses (13%) review the risks posed by their immediate suppliers, and the proportion reviewing the wider supply chain is just 7%.

That would make sense if companies were not being attacked. But new BlackBerry research has found that 4 in 5 IT decision makers have been notified of an attack or vulnerability in their supply chain in the last 12 months.

It proves we can’t afford to be so relaxed. Cybersecurity must go far beyond vendor trust. Here’s how:

Why supply chain attacks are so fatal

Software supply chain attacks are among the most destructive strategies used by cybercriminals today.

Six in ten (59%) companies that have suffered a supply chain attack reported significant operational disruption, according to the research by BlackBerry. 58% reported data loss, and 52% reputational impact. Nine out of ten organizations (90%) took up to a month to recover. Time is money – so being hit by a software supply chain attack is a highly costly experience however you look at it.

Why do these attacks cause so much destruction? It’s because much of the software created and sold today is based on open source code, which can easily be compromised due to its public availability. Vendors should, of course, check it – and research shows that IT teams believe they do: many are confident that their supply chain partners have policies in place of at least comparable strength to their own.

But amid a chronic cybersecurity skills gap in the UK and abroad, can a buyer guarantee this due diligence has been done? And can they spend the time and resources to check each piece of code they purchase? Perhaps not. It’s no wonder software supply chain attacks are so successful.

Securing a software supply chain against attacks starts with knowing which elements of your system could be attacked. Without monitoring for adherence to critical security standards, malicious lines of code can sit in blind spots for years, ready to be exploited whenever the attacker chooses.

The National Cyber Security Centre (NCSC) recently encouraged organisations to work with suppliers to boost resilience to attacks. It’s a great initiative, but even these conversations are merely the preface to an active cybersecurity stance in which businesses protect themselves, independently of their partners, vendors and suppliers. No company is an island – but behaving as if it were is a useful attitude when it comes to preventing software supply chain attacks.

Keiron Holyome

Keiron Holyome is Vice President for UKI, Middle East & Africa at BlackBerry.

What can be done to prevent software supply chain attacks?

Awareness is the start, but action is the key to stopping software supply chain attacks and preventing the knock-on damage to reputation, cost and time that your staff and customers will feel.

Businesses need a complete, granular view of all potential network and endpoint vulnerabilities in order to predict, prevent, discover, and respond to attacks – whether direct attacks upon a business, or those coming through the software supply chain. An Extended Detection and Response (XDR) tool is a wise option to enable this. By collecting and analyzing data from multiple sources, XDR gives organizations the visibility, and the capacity for proactive action, that they need to prevent attacks – 24/7, 365 days a year. Change needs to take place: in the current, heightened threat landscape, a prevention-first approach to all attacks, regardless of their origin, is vital.

In an industry struggling with a cyber skills shortage, the message to double down on defenses may sound like an impossible task. But, in the event of a cyberattack, technology like XDR – particularly when it comes as a managed service – can significantly speed up response and remediation, meaning security teams can focus on critical roles such as activating Critical Event Management systems.

Indeed, BlackBerry found that 63% of IT leaders would like a consolidated event management system for contacting internal security stakeholders and external partners – a critical element in reducing the impact of a potentially devastating supply chain attack. However, less than one in five (19%) have this kind of communications system in place currently. Equally, cyber teams need to work closely with outsourced Incident Response teams if attacks strike. Closer, quicker collaboration tends to secure a far better result.

Finally, advocating for new legislation to protect open-source software from attack is certainly a significant action. But what’s clear is that this is only a fraction of the answer for individual businesses: protecting themselves should be strategy number one.

Trust in yourself – but don’t shy away from support

The threat of cyberattacks through the software supply chain remains imminent. As such, businesses must be planning their prevention and response strategies now.

It’s true that businesses should put their trust in themselves to keep their software safe from hacks – but there’s also no need to become overburdened. Solutions based on AI technology, backed by professional support on call 24x7, can re-establish confidence in a secure software supply chain.

After all, who would you rather be? One of thousands of companies all hacked at once, or the company that stands its ground with a prevention-first approach in the face of highly sophisticated attacks?
