Rising supply chain attacks

by Mark Rowe

Recently, Julia Lopez, the Minister of State for Media, Data and Digital Infrastructure, issued a call for views on software resilience and security for organisations. She outlined the importance of collaboration with organisations and businesses, because ensuring the safety and protection of consumers and businesses is not something the UK Government can do alone with the methods available, Michael Smith, field CTO at the app security company Vercara, writes.

Organisations were encouraged to take part in this consultation by sharing their knowledge and insight on best practices for mitigation. Software is integral to daily life and to the way businesses are run, which is why it is vital to build digital resilience within the supply chain ecosystem. Additionally, in March NATO and the EU launched a task force on resilience and critical infrastructure protection which focuses on making supply chains more resilient. This is an important step in creating a safer and stronger environment for our society in a time of an evolving threat landscape.

Supply chain attacks

According to Capterra, owned by the analyst house Gartner, 61 per cent of businesses in the US were directly impacted by software supply chain attacks. Additionally, half of the respondents rated the software supply chain threat as ‘high’ or ‘extreme’. Towards the end of 2022, software supply chain attacks had increased by 600 per cent. In fact, Gartner predicted that by 2025, 45 per cent of organisations across the world will have experienced a software supply chain attack, a threefold increase since 2021. The State of the Software Supply Chain report found that there has been a 742 per cent rise in software supply chain attacks in the last three years. This striking increase in attacks highlights the importance of maximising protection and mitigation efforts.

A recent example of a supply chain attack is the activity of the cyber espionage group Dragonfly, which has targeted the energy sectors of both Europe and North America. Its recent attack involved compromising industrial control system (ICS) software suppliers by replacing legitimate files with malware-infected alternatives. Building a cyber resilient supply chain is among the supply chain technology trends for 2023 according to Gartner. However, as companies prioritise maximising the security and protection of their own systems, attackers will find it easier to target their suppliers instead, which can result in catastrophic impacts.

The interconnected nature of modern business

It is important to keep in mind that a supply chain is only as strong as its weakest link, and an organisation’s supply chain is not its own. Businesses rely on the UK’s 13 National Critical Infrastructure (NCI) sectors, and each of these relies upon suppliers, as well as their suppliers in turn, resulting in a web of interconnection and dependency. Furthermore, the UK 2023 cybersecurity breaches survey revealed that four in ten businesses in the UK outsource their cybersecurity to an external provider. This often means cybersecurity providers will have access to their customers’ internal systems. Though an interconnected system can provide benefits, the dependency within a supply chain ecosystem can mean that, should there be a cybersecurity incident, it may be beyond the capabilities of a single organisation to manage.

The hunt for minimising effort

Today’s security teams have access to frameworks and guidelines to identify and mitigate the risk posed by a service provider. However, conducting this effectively requires many labour hours, hours that an understaffed cybersecurity industry does not have.

The 2023 UK cybersecurity breaches survey revealed that just over one in ten businesses review the risks they are exposed to from their immediate suppliers and wider supply chain. This survey also highlighted the barriers that prevent or limit businesses from reviewing those risks. Factors like lack of budget and time, as well as difficulty in obtaining information from suppliers, have been obstacles for businesses managing vendor risk. Today, business leaders prioritise risk reviews of vendors based on mission criticality and data access, and spend time on those that pose the most danger. Additionally, there are other approaches to risk management that consist of standard contract terms and conditions, a controls questionnaire and an annual independent third-party assessment.

However, there are ways for organisations to lighten the load on their security teams, such as implementing a vendor security management system. Gartner has particularly shed light on cybersecurity trends in 2023, one of which is cybersecurity platform consolidation, which involves organisations using fewer vendors. In its 2022 survey, Gartner also revealed that 75 per cent of organisations were pursuing vendor consolidation, a significant increase from 29 per cent in 2020. Vendor consolidation is seen to improve efficiency and security, as well as reduce complexity, for organisations.

Risk transparency is effective cyber

The first step forward should be to focus on ways to enhance efficiency and limit the level of effort required for security managers to onboard vendors and implement the right solutions in a timely manner. The second step involves communication. For example, businesses should be notified when an upstream supplier is the victim of a cybersecurity incident. This makes it easier to understand the impact and determine the appropriate level of response. The third step expands on communication: sharing vulnerabilities within the ecosystem is critical to conducting risk management. The final step should involve establishing a two-way flow of vulnerability, risk and threat information, so that suppliers can see the ways in which customers are in danger and how they can build better, more secure products. This facilitates further development and innovation in features and products that will provide protection and safety.

Ultimately, the UK government’s call for views acknowledges the importance of collaboration between the government, organisations and suppliers, as a supply chain attack can endanger the entire ecosystem. Building a platform on which they can share their insights can lead to the sharing of best practices for protecting the supply chain, making giant steps towards digital resilience.

© 2024 Professional Security Magazine. All rights reserved.