Share
Facebook Facebook icon Twitter Twitter icon LinkedIn LinkedIn icon Email

Supply chain

Cyber security: how to fortify the software supply chain 

Published 18 July 2023 in Supply chain • 6 min read

Increased IT integration between companies and suppliers has introduced new vulnerabilities. How can organizations prepare for the staggering rise in breaches through third-party vendors? 

When Zellis, the UK payroll provider, disclosed a security breach in June, the issue extended beyond the company itself. The hackers also gained access to Zellis’s customers – including British Airways, Boots, and the BBC – and stole personal data belonging to tens of thousands of their employees.  

This external breach is not an isolated event by any means. According to cybersecurity group Sophos, approximately 20% of British organizations experienced data breaches by external attackers in 2022, making it vital for companies to identify and assess potential risks within their software supply chain. 

It’s a growing challenge for organizations around the world, not just in the UK. In 2021, cyber security technology company CrowdStrike reported a staggering 430% increase in attacks through supply chains globally.  

It comes amid a trend towards increased outsourcing and IT integration between companies and suppliers. This creates new opportunities for hackers to breach entire ecosystems with just one attack, creating a “domino effect” which can ensnare more victims. Zellis, for one, counts among its clients nearly half of companies in the FTSE 100 stock market index.  

By providing training on how to identify these attacks, employees can become more vigilant and less likely to fall for deceptive tactics such as phishing emails (which trick them into revealing sensitive information like login credentials, often by posing as trusted organizations).

This should serve as a warning for organizations of all kinds. Building cyber resilience should no longer be restricted to the confines of your own company; organizations ought to consider the security of their software vendors, too, through the following steps. 

Set tough security standards for new suppliers  

The first step is for organizations to establish robust security requirements and standards for new software suppliers. All too often, security is an afterthought, but it should be part of the early conversation about any new business deal. This reduces the risk of engaging with suppliers that may pose significant cybersecurity risks, ultimately helping organizations to mitigate the potential of a breach through the software supplied by third-party vendors. 

Make employees a valuable line of defense  

One important question to ask suppliers is whether their employees go through cyber-security training, which is critical to protect against attacks on the supply chain. Most of these breaches occur as a consequence of human error. By providing training on how to identify these attacks, employees can become more vigilant and less likely to fall for deceptive tactics such as phishing emails (which trick them into revealing sensitive information like login credentials, often by posing as trusted organizations). 

The training needs to go beyond encouraging employees to use strong passwords that contain numerous characters, numbers, and symbols so they’re harder to crack; staff should understand how hackers operate, too. If they’re aware of the tactics, techniques, and tools employed, workers can recognize potential threats before it’s too late. This will make them a valuable line of defense.  

Business leaders: stay informed  

The training should not be limited to lower levels of the workforce. Top executives should be improving their “threat intelligence” or gathering and analyzing data from various sources to better comprehend hackers’ targets, motivations, and methods.  

“Another key question to ask suppliers is their approach to patches and upgrades, which are used to address known vulnerabilities in software.”

Those data sources include strategic intelligence about long-term trends and the broader threat landscape, such as state-sponsored hackers, a growing menace. Companies can also monitor the dark web, a hidden corner of the internet where cyber gangs operate, sell stolen data, and exchange malicious tools and services. This will help leaders stay informed and detect risks early.   

Promptly apply patches and upgrades  

Another key question to ask suppliers is their approach to patches and upgrades, which are used to address known vulnerabilities in software. Hackers search for weaknesses or flaws that can be exploited. Patches and upgrades are designed to close these security gaps, but all too often companies do not prioritize security upgrades, as they become complacent. Applying these promptly helps minimize the window of opportunity for attackers. 

Deploy technology for threat detection  

Beyond that, companies can use technology to monitor their software supply chain for potential vulnerabilities or threats, such as systems that continuously monitor and protect organizations’ custom and third-party software assets.  

Many companies already use threat detection systems but they can be highly sensitive, sending alerts for false positives. A report from cybersecurity company Critical Start found that 70% of security analysts are investigating more than 10 alerts each day, with a false-positive rate of 50% or higher. It’s up to organizations, however, to take them seriously and conduct further investigations.  

While deploying such technology and establishing a culture of collaboration with software suppliers are two strategies to help organizations proactively identify and prevent potential security incidents, they’re unlikely to stop every attack. Organizations, therefore, need to always be prepared for a breach they hope never occurs.  

Adopt a zero-trust security model   

One way to limit the potential impact of security breaches is to deploy “zero trust architecture”. So rather than presuming the safety of everything within the corporate firewall, the zero-trust model treats each request to access the network as a breach that requires authentication and authorization. It also segments the network into smaller zones to minimize the potential for lateral movement by hackers in case a breach does occur.  

Cybersecurity is not the sole responsibility of IT professionals; it requires involvement from numerous departments including legal, public affairs, and operations.

There are other steps that companies can take to limit the damage from a cyber-attack and restore normal operations. They include working out the nature and extent of the breach and then isolating affected systems to limit the spread of the attack while preserving evidence for forensic analysis. 

Involve cybersecurity experts  

It’s also important to involve cybersecurity experts, who possess the necessary expertise and experience to assess the impact, identify weak spots, and deploy countermeasures. But the entire executive committee must be involved in the process. Cybersecurity is not the sole responsibility of IT professionals; it requires involvement from numerous departments including legal, public affairs, and operations.  

Come clean to stakeholders  

Lastly, it’s important for companies to come clean and keep their stakeholders – employees, customers, partners, regulators – informed about the breach. The aim should be to ensure transparency while protecting sensitive information. With the number of cyber incidents rising, the potential reputational damage that comes from poorly managing an attack is significantly higher than actually being breached. 

Given the continuous increase in IT integration between companies and suppliers, it’s become imperative to establish robust security protocols along the software supply chain. Though due diligence, training and development, patches and upgrades, technology and monitoring, and zero trust architecture are useful tools in the fight against hackers, the fight for our supply chains is far from won. 

 

Authors

Oyku Isik IMD

Öykü Işık

Professor of Digital Strategy and Cybersecurity at IMD

Öykü Işık is Professor of Digital Strategy and Cybersecurity at IMD, where she leads the Cybersecurity Risk and Strategy program. She is an expert on digital resilience and the ways in which disruptive technologies challenge our society and organizations. Named on the Thinkers50 Radar 2022 list of up-and-coming global thought leaders, she helps businesses to tackle cybersecurity, data privacy, and digital ethics challenges, and enables CEOs and other executives to understand these issues.

Related

Learn Brain Circuits

Join us for daily exercises focusing on issues from team building to developing an actionable sustainability plan to personal development. Go on - they only take five minutes.
 
Read more 

Explore Leadership

What makes a great leader? Do you need charisma? How do you inspire your team? Our experts offer actionable insights through first-person narratives, behind-the-scenes interviews and The Help Desk.
 
Read more

Join Membership

Log in here to join in the conversation with the I by IMD community. Your subscription grants you access to the quarterly magazine plus daily articles, videos, podcasts and learning exercises.
 
Sign up
X

Log in or register to enjoy the full experience

Explore first person business intelligence from top minds curated for a global executive audience