5 cybersecurity risks and challenges in supply chain

Supply chains are a potential playground for hackers.

Due to complexity and the inherent reliance on partners, supply chains are rife with cybersecurity risks and challenges. CISOs and CIOs must relinquish the idea that supply chain partners’ security problems won’t affect their company and take action to protect their company’s supply chain security.

Many of the top security risks to supply chains are specific methods used by attackers, such as social engineering, ransomware, stolen login credentials, and compromised software. However, carelessness by security leaders, including neglecting system testing, is also a major security problem for many companies’ supply chains. Leaders must address security issues and not just assume their security efforts are working as intended.

Learn more about the top supply chain cybersecurity risks and how to address them.

The 5 top supply chain cybersecurity risks

Supply chain attacks can come in many forms, but these are the risks about which cybersecurity leaders should be most concerned. Because partners share data with each other, an issue at either a company or one of its supply chain partners can affect both, which can create major supply chain problems.

Here are the top risks that security leaders should be aware of.

1. Social engineering

Social engineering is arguably one of the easiest exploits for attackers to pull off.

Attackers convince users to provide their login credentials, facilitating the installation of malware or access to sensitive information. Social engineering attacks can take place via phishing, smishing, in-person contact or social media.

Companies often attempt to address this threat with user security education, but employees still frequently fall for these tactics, making it a major supply chain risk.

2. Stolen login credentials

Criminals can launch attacks once they’ve secured login credentials for the network domain, applications, and databases from those with access.

Exposure of login credentials can occur in many ways. Social engineering, specifically phishing, can lead to users handing over their login credentials, and malware such as keyloggers can record the keystrokes made on a computer and capture passwords that way.

Attackers can also look on the deep web for exposed login credentials belonging to a certain company. In some cases, they uncover complete username-and-password pairs that grant full access to systems and, through single sign-on, to anything tied to those systems.

3. Compromised software

Attackers often inject malicious code into third-party software libraries that are integrated into a vendor’s supply chain environment. When these issues occur, third-party vulnerabilities become the vulnerabilities of their partners as well.

These software compromises can take place in various ways. For example, a user might post an encryption secret key online, or attackers might upload malicious code into public repositories.

Compromised software could also come in the form of users unintentionally putting vulnerable code into production. This introduces weaknesses such as SQL injection, which attackers can then use to go further.
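To make the SQL injection case in this section concrete, here is an added example (written for this topic; it is not code from the article or its author) that uses an in-memory SQLite table with constructed sample rows. It places a query built by string concatenation beside its parameterized form, and adds a simple pattern check of the kind a code review or pre-commit hook could use to flag the anti-pattern before it reaches production. The table, user names and regular expression are all assumptions made for the illustration.

```python
import re
import sqlite3

# Constructed sample data: an in-memory SQLite database standing in for a
# vendor portal's user table (hypothetical; not from the article).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "buyer"), ("carol", "supplier")],
    )
    conn.commit()
    return conn

def find_user_vulnerable(conn, username):
    # Vulnerable: untrusted input is spliced into the SQL text, so the input
    # can change the structure of the query rather than just its data.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, username):
    # Hardened: the driver binds the value as a parameter; whatever the string
    # contains, it is compared as data and can never alter the query.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# A lightweight review check: flag execute() calls whose SQL text is assembled
# with an f-string, "+" concatenation, "%" formatting or .format(). This is a
# heuristic for code review, not a substitute for a real static analyzer.
STRING_BUILT_QUERY = re.compile(
    r"""execute\s*\(\s*(?:f["']|["'][^"']*["']\s*(?:[+%]|\.format))"""
)

def looks_like_string_built_query(source_line):
    return bool(STRING_BUILT_QUERY.search(source_line))

if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"   # classic test string used by scanners and reviewers
    print("vulnerable:", find_user_vulnerable(db, probe))  # every row comes back
    print("safe:      ", find_user_safe(db, probe))        # no such user: []
    print(looks_like_string_built_query('cur.execute("SELECT 1 WHERE id = " + uid)'))
```

Run against the constructed table, the concatenated query returns all three rows for the probe string while the parameterized query returns none, which is exactly the difference a security assessment of an application should look for.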

4. Lack of system oversight and maintenance

Some of the biggest facilitators of supply chain attacks are improper security testing, poor vulnerability and patch management, and account reuse, meaning employees using their business login credentials on personal websites.

These aspects of security are also extremely difficult to get under control in the enterprise. Cybersecurity leaders must acknowledge these gaps in their company’s security program and properly address them, including educating users about the dangers of reusing passwords and implementing regular testing.

5. Ransomware

Ransomware is arguably the worst threat to a supply chain.

When ransomware locks down critical systems, it halts business transactions and puts any associated files and databases at risk. Ripple effects can include information loss due to lack of backups or full company data exposure caused by criminals siphoning information off a network and sharing it online.

These ripple effects can end up harming all downstream business.

3 ways to address supply chain cybersecurity risks

These steps can help cybersecurity leaders determine their company’s third-party risks and build up their own business resilience.

1. Determine how third-party risks can affect company operations

Vendors and business partners require extra vigilance. Leaders tend to assume that a third party's security risks are only that partner's problem, which is not true.

A company can only do so much about its third-party supply chain vendors’ security vulnerabilities, as leaders can’t force their vendors to make changes. Leaders can decide to no longer do business with a vendor because of their lack of security, but that decision might not be possible if the vendor is a good business fit for other reasons. For example, a vendor might be the only supplier of a certain machine part in the surrounding area.

The best course of action is to acknowledge partners’ security problems yet build up the company’s operational, network, and people resilience so the impact is as minimal as possible if a vendor does experience a security incident. Tools like security questionnaires and contractual language can minimize third-party risks, but security leaders should still prepare for attacks on their company’s partners.

Security leaders should perform tabletop exercises with organizational stakeholders that walk through scenarios such as a certain vendor’s network going offline or exposure of company information. Planning is key so leaders will be ready when real-world scenarios occur.

2. Perform security assessments

Failing to properly carry out security assessments is a common issue, no matter the size of the organization. Cybersecurity leaders must work on these challenges before a crisis hits and everyone is in reaction mode.

Overall security issues vary by company. Some organizations must improve their vulnerability management, while others must improve their network visibility and incident response.

Some of the most frequently neglected steps for security assessments include failing to test all network hosts and applications, failing to test them from all angles, and failing to test them with the right tools. This lack of attention to security assessments leads to supply chain exploits.

3. Measure security successes and failures

Cybersecurity metrics can help establish areas where a company is succeeding at cybersecurity as well as issues that still need to be addressed.

Every company’s metrics will be different, but a detailed information risk assessment and some candid conversations with security committee members will reveal the areas that are most important to measure.

Some common cybersecurity metrics are patching cadence, meaning how often vendors release security patches and how quickly the company applies them; preparedness level, which measures how ready a company is for various types of attacks; and mean time to resolve, the average time a company takes to respond to an incident.
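One way to turn these three metrics into numbers is to compute them from patch and incident records. The following is an added example for this article's topic, not code from the author: the patch and incident records, their identifiers, the 14-day patching target and the playbook-based definition of preparedness are all constructed assumptions, and a real program would read the same fields from a ticketing or vulnerability management system.

```python
from datetime import datetime
from statistics import mean

# Constructed sample records (hypothetical vendors, ids and dates).
PATCHES = [
    # vendor, patch id, vendor release date, date deployed internally
    ("VendorA", "PATCH-001", "2024-01-02", "2024-01-09"),
    ("VendorA", "PATCH-002", "2024-02-01", "2024-02-22"),
    ("VendorB", "PATCH-010", "2024-01-15", "2024-02-19"),
]
INCIDENTS = [
    # incident id, detected, resolved (local time, ISO-8601 without zone)
    ("INC-1", "2024-01-05T08:00", "2024-01-05T14:00"),
    ("INC-2", "2024-02-10T09:30", "2024-02-11T09:30"),
    ("INC-3", "2024-03-01T00:00", "2024-03-01T03:00"),
]
# Attack scenarios the company cares about and whether a playbook for each
# has been exercised in a tabletop. One possible definition of "preparedness".
PLAYBOOKS = {
    "ransomware": True,
    "phishing": True,
    "vendor outage": False,
    "credential theft": False,
}

def _day(s):
    return datetime.strptime(s, "%Y-%m-%d")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def patch_lag_days(patches=PATCHES):
    """Days between a vendor releasing a patch and the company deploying it."""
    return {pid: (_day(deployed) - _day(released)).days
            for _vendor, pid, released, deployed in patches}

def patching_cadence(patches=PATCHES, target_days=14):
    """Mean patch lag plus the patches that missed the internal deployment target."""
    lags = patch_lag_days(patches)
    return {
        "mean_lag_days": mean(lags.values()),
        "over_target": sorted(pid for pid, days in lags.items() if days > target_days),
    }

def mean_time_to_resolve_hours(incidents=INCIDENTS):
    """Average hours from detection to resolution across the incident set."""
    hours = [(_ts(resolved) - _ts(detected)).total_seconds() / 3600
             for _iid, detected, resolved in incidents]
    return mean(hours)

def preparedness_level(playbooks=PLAYBOOKS):
    """Share of tracked attack scenarios that have an exercised playbook."""
    return sum(1 for exercised in playbooks.values() if exercised) / len(playbooks)

if __name__ == "__main__":
    print("patch lag (days):", patch_lag_days())
    print("patching cadence:", patching_cadence())
    print("MTTR (hours):", mean_time_to_resolve_hours())
    print("preparedness:", preparedness_level())
```

With the constructed records, the mean patch lag is 21 days, two patches miss the 14-day target, MTTR is 11 hours and half of the tracked scenarios have an exercised playbook. The value of the exercise is less the numbers themselves than the trend over time and the specific patches and scenarios the report names.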

Kevin Beaver is an independent information security consultant, writer and professional speaker with Atlanta-based Principle Logic, LLC. With more than 30 years of experience in the industry, Kevin specializes in performing vulnerability and penetration tests as well as virtual CISO consulting work.