According to research by cybersecurity company Argon, supply chain attacks more than tripled in 2021. If one takes even a cursory glance at the news, that isn’t particularly difficult to believe. To say that the past year has been troubling from a security perspective would be putting it very lightly.
Starting with the disclosure of the SolarWinds breach in December 2020, last year shone a stark light on the fragility of the supply chain. We saw breach after breach and vulnerability after vulnerability, from the Colonial Pipeline ransomware attack to the Log4Shell flaw in the ubiquitous Log4j logging library, a single open-source dependency whose vulnerability was inherited by countless downstream products. Amidst the chaos, one message became abundantly clear: as far as cybersecurity is concerned, this is the new normal.
And anyone who cannot adjust is going to have a very bad time.
The Supply Chain is the Perfect Target
Criminals will always choose the path of least resistance. This is something that’s held true even before the Internet existed. And in an age defined by sprawling, impossibly vast attack surfaces and interconnected networks of vendors and partners, the path of least resistance is your supply chain.
It’s not especially difficult to understand why, either.
As Infosecurity Magazine put it, the mentality can best be summed up as hack one, breach many. A major corporation may contain a wealth of valuable data, but breaking past its well-funded security solutions is no mean feat. A supplier, on the other hand?
Targeting a supplier may give an attacker backend access to thousands, perhaps even tens of thousands of businesses at once. Worse still, this kind of attack usually evades traditional detection, because the malicious code or connection arrives through a channel the victim expects and trusts: a signed software update, an established vendor VPN, or a service account that has been on the network for years. Because most businesses implicitly trust their supply chain partners, those partners represent the perfect access point.
That needs to change.
Readying Yourself for the New Normal of Supply Chain Threats
So what exactly can you do about all of this?
First and foremost, adopt a zero trust approach to everything. It doesn't matter if you've known a particular supplier for decades. It doesn't matter if you're personal friends with the CEO of a business partner.
No one gets special treatment under a zero trust framework, not even you. Every user, device, and service, no matter who operates it, must authenticate on every request, and access must be granted on the basis of verified identity, device health, and the minimum privilege the task requires, not on the basis of network location or a long-standing relationship. Assume the breach has already happened: monitor every entity on your network continuously, re-evaluate access as conditions change rather than once at login, and make sure vendor accounts are scoped, time-limited, and logged, so that a compromised supplier can reach only what it was explicitly granted.
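The following is an added example, not code from the original article, illustrating what "no special treatment" and "continuous validation" look like in practice for a vendor connection: every request passes the same checks (a short-lived signed token, device posture, and a least-privilege scope for the specific resource), and the vendor's name never enters the decision. The signing key, the device posture table, and the resource-to-scope map are constructed stand-ins for a key management service, an EDR/MDM feed, and a real authorization policy.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: in production this key lives in a KMS/HSM, not in source.
SIGNING_KEY = b"demo-signing-key-not-for-production"

# Constructed device posture feed; in practice populated by EDR/MDM.
DEVICE_POSTURE = {
    "vendor-laptop-01": {"managed": True, "compliant": True},
    "vendor-laptop-02": {"managed": True, "compliant": False},
}

# Least privilege: the scope each resource requires. Unknown resources are denied.
RESOURCE_SCOPE = {
    "/api/invoices": "invoices:read",
    "/api/admin/users": "admin:users",
}

DECISION_LOG = []  # every decision is recorded, allowed or not


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, device_id, scopes, ttl_seconds, now=None):
    """Mint a short-lived HMAC-signed token bound to one device and a scope set."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "dev": device_id, "scp": sorted(scopes), "exp": now + ttl_seconds}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(body)
    if claims["exp"] <= now:
        return None
    return claims


def authorize(token, resource, now=None):
    """Decide one request. Returns (allowed, reason).

    The checks run on every request, so a token that was fine ten minutes ago
    is re-validated now, and a device that has fallen out of compliance is cut
    off mid-session. Nothing here looks at who the vendor is."""
    claims = verify_token(token, now)
    if claims is None:
        decision = (False, "invalid or expired token")
    else:
        posture = DEVICE_POSTURE.get(claims["dev"])
        needed = RESOURCE_SCOPE.get(resource)
        if posture is None or not posture["managed"]:
            decision = (False, "unknown or unmanaged device")
        elif not posture["compliant"]:
            decision = (False, "device out of compliance")
        elif needed is None:
            decision = (False, "unknown resource")
        elif needed not in claims["scp"]:
            decision = (False, f"missing scope {needed}")
        else:
            decision = (True, "ok")
    DECISION_LOG.append({"resource": resource, "allowed": decision[0], "reason": decision[1]})
    return decision


if __name__ == "__main__":
    # Constructed walk-through: a supplier token scoped to invoices only.
    tok = issue_token("acme-supplier", "vendor-laptop-01", ["invoices:read"], 300, now=1000)
    print(authorize(tok, "/api/invoices", now=1100))      # allowed
    print(authorize(tok, "/api/admin/users", now=1100))   # denied: missing scope
    print(authorize(tok, "/api/invoices", now=1400))      # denied: expired
```

The point of the structure is that there is no "trusted vendor" branch to bypass: adding a new supplier means issuing a token with the narrowest scope that works, not adding their address range to an allow list.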
Second, you need a process in place for assessing the security posture and practices of vendors, both current and prospective. There are many ways one might achieve this: security questionnaires and independent attestations such as SOC 2 or ISO 27001 reports, a software bill of materials (SBOM) for the products you run so you know which third-party components you have inherited, continuous monitoring of a partner's external attack surface, deploying a lightweight security client to business partners who connect to your network, or a proactive threat intelligence and security management tool. Whatever the method, the assessment has to be repeated, not done once at onboarding, because a vendor's posture changes over time.
Supply chain attacks aren't going away. They are only going to increase in frequency, particularly as businesses continue to outsource and relationships between vendors and suppliers become more interconnected. It's imperative that you acknowledge this and take the necessary precautions to protect yourself.
Otherwise, you might well be directly involved in the next major breach.