Managing Security Risks in Supply Chain Digitization

Written by Amanda Johnson, Trustwave

The start of the pandemic reminded us of how critical supply chains are to effective business operations. Shortages of paper goods, disinfectants, and even baking supplies left shelves bare and consumers panicking. To maximize operational efficiency and consistently deliver on both cost and quality in a timely manner, businesses must extend their digital transformation journeys to include their supply chains.

As they strive to adapt to the new uncertainty driven by the pandemic, both suppliers and manufacturers are reprioritizing their digital transformation initiatives. Though most have looked to technologies such as data, analytics, IoT, and robotics to drive efficiency, a 2017 McKinsey report noted that the average supply chain only had a digitization level of around 40%, forcing companies to view digitization as a means to decrease vulnerabilities in a disruptive economy.

Unfortunately, the digital transformation of your supply chain also carries risks, because it exposes you to new types of attacks. In general, supply chain or third-party attacks originate from risks involving a business partner, vendor, or supplier. These risks vary greatly: an outsourced managed security services provider may fall victim to a ransomware attack, with the bad actors leveraging the connectivity between the managed services company and its clients to infect other organizations; or a trusted software provider may be attacked and transmit infected code into multiple organizations, as in the case of SolarWinds.

A hacker group believed to be affiliated with the Russian government gained access to computer systems belonging to multiple US government agencies as well as private enterprises around the world in a months-long campaign that is believed to have started in March of 2020. Hackers compromised the infrastructure of SolarWinds’ Orion software, a network and applications monitoring platform, and used that access to create and distribute “trojanized” malware to users via a software update.

SolarWinds is just the latest example of organizations around the world operating under a perpetual threat of becoming a target of a cyber-attack or the victim of a cybercrime. Recent trends and cybersecurity statistics identified a massive escalation in hacked and breached data that can be traced largely back to the new work environments that are in place as the result of the pandemic, exponentially increasing the number of endpoints that require protection. Growing public awareness of these threats has led to increased oversight from regulators, such as CMMC (Cybersecurity Maturity Model Certification), which requires organizations doing business within the Department of Defense (DoD) supply chain to obtain a third-party certification based on the level of cybersecurity protection the companies have in place.

According to a Ponemon Institute survey conducted in late 2018, more than half of the organizations surveyed reported that they experienced a cybersecurity breach that originated from one of the vendors in their supply chain. The key to addressing the increased risks and threats associated with the digital transformation of your supply chain is to make cybersecurity a top priority and build it into new applications and interconnected devices from the start, in tandem with the implementation of new digital processes.

Perhaps surprisingly, even your trusted suppliers and tools can pose significant threats to the security of your business without their knowledge. Take, for example, the case of government-required tax software from a trusted third-party vendor that contained hidden malware and exposed countless organizations to a flood of vulnerabilities. This specific threat, later identified as GoldenSpy, made it past customers’ endpoint detection and response (EDR) technologies and was only found when SpiderLabs – a group of 250+ threat hunters, ethical hackers, investigators, and researchers at Trustwave, a globally recognized provider of cybersecurity and managed security services – performed a threat hunt for a global organization infected by the malware and discovered the breach.

There is no shortage of surreptitious methods for cybercriminals to infiltrate any part of your digitally transformed supply chain, and thinking that protection tools such as EDR will mitigate every threat is, as the GoldenSpy story demonstrates, short-sighted at best. To thoroughly protect all your data and assets, it is imperative to employ a layered approach to your security posture; there are always threats that can make their way past even the best protection tools.

Shifting from a prevention-only mindset to a layered approach to cybersecurity is paramount to establishing and sustaining the right security framework to detect and mitigate advanced threats before they can cause damage. To defend against these threats, threat detection and response (TDR) has become one of the most important cybersecurity practices. TDR is the practice of finding and identifying threats within your organizational infrastructure, including the added cloud resources required by your supply chain’s digital transformation. Many of these threats will easily evade your first lines of defense, such as antivirus programs and firewalls.

By focusing solely on security outcomes and eradicating attackers, rather than offering a buffet menu of services, TDR providers have quickly taken center stage for security organizations. Those organizations are battling an expanded attack surface created by current working conditions, the result of a global pandemic that catapulted digital transformation initiatives to top priority.

Yet many, if not most, organizations around the world are suffering as a result of the skilled worker shortage in cybersecurity, and managing a solution like TDR can become cumbersome for a team that is already stretched thin. With the emergence of managed detection and response (MDR), security teams are no longer left to sort everything out on their own. Rather than directing correlated log alerts to your team, MDR is designed to provide specific recommendations for investigating findings and, with more advanced services, to remediate the threats on your behalf.

Supply chain digital transformation is proven to drive growth, mitigate risk, and optimize costs. The recent disruptions to supply chains were a reminder of how critical they are to maintaining effective business operations. Despite this critical need, outdated and oftentimes disconnected manual processes are still the norm, with only 40% having completed their digital transformation, according to a McKinsey report.

As more companies fast-track the digitization of their supply chains, it is imperative to ensure that security postures advance as well. Adopting a layered security approach is the best way to keep your business, and your proprietary data, out of the hands of bad actors. And, as a reminder, these bad actors can enter your environment through even the most trusted vendor in your supply chain if that vendor’s security practices are not also up to snuff. Protecting your supply chain has never been more challenging, but the protection available has also never been better.

Bio: Amanda Johnson is a Sr. Marketing Manager at Trustwave, a managed security services provider (MSSP), where she leads content generation and tactics for the Americas’ Demand Generation team. Before Trustwave, Amanda led marketing and content generation at other technology and channel-based organizations and has also written for other cybersecurity and SaaS-based organizations. Get in touch with her at [email protected] or via LinkedIn.