In August, the White House hosted a meeting with some of the most powerful CEOs in the world, from Apple to JPMorgan. The topic for discussion? The rampant scourge of software supply chain attacks, which surged by a staggering 650% in 2021.
By Nick Caley, VP of UK and Ireland, ForgeRock
There is no doubt that protecting technology supply chains is now a hot-button issue for companies and governments alike. With one well-placed piece of malicious code, an apparently trusted piece of software can turn into the cyber equivalent of a WMD, allowing hackers to hijack distribution systems and turn a supplier’s customers into digital trojan horses.
With all this attention on the issue, you could be forgiven for thinking this was a new problem. It’s not. Experts have been warning about the threat of these attacks for years.
However, the threat has certainly evolved, thanks in part to the acceleration in digital transformation triggered by the pandemic. In 2021, demand for open source “supply” increased by 73%, with developers downloading more than 2.2 trillion open-source packages in 2021.
As uptake has grown, so has the threat to businesses. For example, hackers have begun using a technique that goes further upstream toward the origins of the open-source code, so that a single compromise at the source propagates to every consumer downstream.
But governments aren’t acting quickly enough. The US and UK have either only begun or are midway through processes to formulate concrete guidance for companies to deal with the evolving threat. With only 12% of U.K. businesses having reviewed the cybersecurity risks posed by third-party software suppliers in the last year, the need for clear direction has never been more urgent.
It’s time for businesses to take the matter into their own hands. Here are the three steps to building a real cyber defense against supply chain threats.
Implement a Framework That Engrains Security as an Organisation-wide Value
In the aftermath of the SolarWinds attack which affected multiple federal US agencies, including the National Nuclear Security Administration, the Biden administration enacted its cybersecurity executive order.
One of the key recommendations from this order was a process for new minimum security standards for any company that wants to sell software to federal agencies. The process is expected to conclude by May 2022 and is anchored by the National Institute of Standards and Technology (NIST), a globally recognized standard-setting body under the U.S. Department of Commerce.
While this process won’t conclude until next year, NIST has published a widely-recognized framework that compiles industry standards and best practices for secure software development.
The new process will be additive to these guidelines but, in the interim, this framework is what companies should use as the basis for their own responses. Essentially, it helps engrain best practices and procedures to secure software development covering people, processes, and projects to identify vulnerabilities, understand risks, and quickly integrate lessons learned.
It is crucial that businesses build trust both internally and externally, with suppliers, customers, and partners. Adopting a common security framework will lay the foundations for strong cybersecurity defense.
Slim Down Your Network of Third-party Software Suppliers
According to Gartner, 60% of organizations are now working with more than 1,000 third parties and 71% of organizations reported working with more organizations than they did before. This number is expected to grow even more in the coming years, underscoring how vast and sprawling software supply chains have become.
To manage this growth, businesses need to monitor their third-party network by establishing internal triggers that signal when there is a change in an external relationship. As third-party relationships change, leaders must ensure that, first, the risks are mitigated and, second, the relationships are re-evaluated.
By filtering the pool of external suppliers a company works with, it can streamline the points of contact throughout the digital supply chain, and minimize potential points of ingress for cyberattackers.
Additionally, focusing on a smaller network of suppliers whose processes they trust and understand will allow a company to review supply chain security more regularly and easily, rather than only at, say, the onboarding and recertification phases.
Often when it comes to software supply chain security, less is more.
Ensure Your Access Tools are Fit for Purpose
Lastly, it’s important to remember that your software systems are only as secure as the access tools you use. Understanding who or what needs access, and under what conditions, is critical to securing internal systems and preventing software supply chain attacks from occurring. The rise of a remote workforce has increased demand for access to new cloud applications, services, and IoT. It is therefore crucial that businesses have an identity governance solution that is fit for purpose.
Adding automation to make sure your identity and access management systems are always kept up to date with other changes throughout the business can make a huge difference. Digital supply chains inevitably grow and change as partners and suppliers enter and exit the supply chain. If you are relying on manually managing access requests to reflect these changes, then you are leaving your business exposed to risk through human error. IT and security teams are already stretched, creating conditions where potentially risky entitlements and access requests can slip through the cracks.
This compounds over time and leads to ‘entitlement creep’ across the supply chain as access and roles accumulate within a system, expanding the potential footprint for attackers. Instead, businesses need to harness the ability of AI-powered identity governance solutions. By automating access approvals, AI enables IT and security teams to identify access risks and provide actionable insights to help accelerate the removal of overprivileged accounts while allowing teams to focus on high-risk situations.
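The two preceding paragraphs describe three conditions an automated access review should catch: accounts that outlive the supplier relationship, entitlements beyond what a role needs, and access that has stopped being used. The script below is an added example, not the article’s own code and not a ForgeRock product; the supplier roster, role baselines and account data are all constructed, and the field names (`status`, `last_used`) and the 90-day dormancy threshold are assumptions.

```python
"""Automated access review for third-party accounts (added example, constructed data).

Flags three kinds of risk the article describes:
  - orphaned: the supplier relationship has ended but the account still exists
  - excess:   an entitlement the account's role baseline does not include
  - dormant:  an entitlement that has not been used within DORMANT_DAYS
"""
from dataclasses import dataclass
from datetime import date

DORMANT_DAYS = 90  # assumed review threshold

# Constructed role baselines: the entitlements each role is expected to hold.
ROLE_BASELINE = {
    "supplier-developer": {"repo:read", "ci:trigger"},
    "supplier-support": {"ticket:read", "ticket:write"},
}

# Constructed supplier roster. A status change here is the "internal trigger"
# that should drive re-evaluation of every account tied to that supplier.
SUPPLIERS = {
    "acme-dev": {"status": "active"},
    "oldco": {"status": "offboarded", "ended": date(2021, 6, 30)},
}


@dataclass
class Account:
    user: str
    supplier: str
    role: str
    entitlements: set          # entitlements currently granted
    last_used: dict            # entitlement -> date of last use (constructed)


# Constructed accounts: alice has crept beyond her role, bob's supplier is gone,
# carol is clean.
ACCOUNTS = [
    Account("alice@acme-dev", "acme-dev", "supplier-developer",
            {"repo:read", "ci:trigger", "prod:deploy"},
            {"repo:read": date(2021, 11, 1), "ci:trigger": date(2021, 10, 20),
             "prod:deploy": date(2021, 3, 1)}),
    Account("bob@oldco", "oldco", "supplier-support",
            {"ticket:read", "ticket:write"},
            {"ticket:read": date(2021, 6, 1), "ticket:write": date(2021, 6, 1)}),
    Account("carol@acme-dev", "acme-dev", "supplier-developer",
            {"repo:read", "ci:trigger"},
            {"repo:read": date(2021, 11, 20), "ci:trigger": date(2021, 11, 25)}),
]


def review_access(accounts, suppliers, baselines, today, dormant_days=DORMANT_DAYS):
    """Return a list of (user, finding_type, detail) tuples, in account order."""
    findings = []
    for acct in accounts:
        supplier = suppliers.get(acct.supplier)
        if supplier is None or supplier["status"] != "active":
            # Relationship ended: the whole account is a finding, nothing else matters.
            findings.append((acct.user, "orphaned", "supplier relationship ended"))
            continue
        baseline = baselines.get(acct.role, set())
        for ent in sorted(acct.entitlements - baseline):
            findings.append((acct.user, "excess", ent))
        for ent in sorted(acct.entitlements):
            last = acct.last_used.get(ent)
            if last is None or (today - last).days > dormant_days:
                findings.append((acct.user, "dormant", ent))
    return findings


def revocation_plan(findings, accounts):
    """Collapse findings into user -> set of entitlements to remove.

    Orphaned accounts lose everything; otherwise excess and dormant entitlements
    are revoked, so a human reviewer only sees the high-risk remainder.
    """
    by_user = {a.user: a for a in accounts}
    plan = {}
    for user, kind, detail in findings:
        if kind == "orphaned":
            plan[user] = set(by_user[user].entitlements)
        else:
            plan.setdefault(user, set()).add(detail)
    return plan


if __name__ == "__main__":
    found = review_access(ACCOUNTS, SUPPLIERS, ROLE_BASELINE, date(2021, 12, 1))
    for f in found:
        print(*f)
    print(revocation_plan(found, ACCOUNTS))
```

Run against the constructed data as of 2021-12-01, the review flags alice’s `prod:deploy` both as excess (outside her role baseline) and dormant (last used in March), and flags bob’s account as orphaned because oldco was offboarded; carol produces no findings. The same loop applied to a real IAM export is the automation the article argues for: the roster change is the trigger, and the plan is what a reviewer approves rather than assembles by hand.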
Combatting an Exponential Threat
Protecting businesses from crippling software supply chain attacks is now a priority for the whole of the economy. These attacks are so dangerous because they can cause damage far beyond a traditional breach: a compromised supply chain risks exposing thousands of other companies and public sector organizations.
There no longer needs to be a trade-off between user productivity, experience, and robust levels of security. By streamlining their supply chains, implementing secure-by-design software development, and adopting a modern, AI-powered identity governance solution, businesses can take a risk-informed approach and protect themselves while also protecting society at large.
About the Author
Nick Caley is Vice President of UK and Ireland at ForgeRock and is responsible for advising global clients in industry and government on security strategy and digital transformation focused on hybrid data architectures and data-driven business models.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.