With organizations increasingly going digital, supply chain attacks have become a growing concern in the era of hybrid work. A single hack has the potential to cause a chain effect of security breaches, affecting thousands of devices at the same time. During the pandemic, as businesses transitioned to working remotely and sharing company data across the cloud, they unwittingly widened an attack surface that made them more susceptible to supply chain threats. Working from home, employees access internal networks via a slew of devices—some personal, some business-owned—that may be vulnerable to malware.
Unfortunately, supply chain attacks aren’t going anywhere. A recent survey found that 64% of large enterprises were hit by a supply chain attack in the past year, and around the same number have made securing the software supply chain a top initiative for 2022. As organizations re-evaluate the way they work, they must also rethink their security posture and the tools they are utilizing to meet the new demands of hybrid work.
Supply chain attacks are not always detectable, and many organizations may not even be aware of the threats their own devices pose. There are several reasons why this visibility is difficult to achieve. For starters, a computing system is typically composed of multiple components from different manufacturers, each subjected to a different level of scrutiny for supply chain tampering. It’s not always easy to ensure integrity across all stages of a device’s lifecycle. Moreover, today’s supply chains are increasingly complex, expanding across international borders and optimized for speed and cost. Devices change hands many times before they reach the consumer, passing through diverse component suppliers, subsystem manufacturers, integrators and original equipment manufacturers (OEMs). Some of these devices may even be modified along the way. With so many hand-offs in this journey, how can organizations know whether the devices they rely on day-to-day are up to date and secure?
What organizations and IT vendors can (and should) do
In today’s connected world, everyone—from device manufacturers to consumers—has a responsibility to improve cybersecurity by working together. Companies must seek out vendors that can provide security assurance, as well as realize the need to upgrade their security posture to maintain customer trust and prevent cyber disasters.
The more informed an organization is about its devices, the stronger its supply chain security posture will be. As such, it’s important for organizations to be knowledgeable about the devices they trust with sensitive data. If you have a PC, for example, are you sure the device has not been altered in any way in the journey from the manufacturer to you? Are you aware of what firmware, BIOS and drivers are loaded onto the device? Do you know if any new exploits have been discovered for the various elements of your platform? This knowledge may seem daunting to manage and maintain, but in the new world of supply chain attacks, it is now table stakes for keeping your business safe.
IT vendors should hold transparency to the highest standard by making this information accessible to customers. For example, manufacturers can provide system- and component-level traceability for their devices that links back to the Trusted Platform Module (TPM) on their PCs and laptops. Platform certificates, which are bound to the TPM’s endorsement key, can also provide digital proof of product origin, giving customers insight into where their devices came from and which components they shipped with.
Vendors should also invest significantly in ongoing security research to help keep their platforms safe from ever-evolving threats. By regularly providing security patches for newly discovered vulnerabilities, platforms can be protected against the latest attacks. Customers, in turn, must understand that they have to regularly apply the latest security updates from their device manufacturer. Updating devices 2-3 times per year is the new normal to help protect against security attacks. By working together to ensure that all devices are up to date, organizations and vendors are less likely to fall prey to threat actors.
Looking ahead to zero trust
Transparency and diligence are only part of the solution—as attackers get savvier, the industry also has to respond in ways to make supply chain attacks more difficult to carry out.
Two words come to mind when we think about the future of securing confidential assets—Zero Trust, an “assume a breach” approach to shoring up cyber defenses. With a Zero Trust model, IT teams are constantly authenticating every request for access and making sure that all credentials are properly validated.
In other words, Zero Trust means that no one is trusted by default from inside or outside the network, and verification is required from employees trying to gain access to network resources.
Zero Trust doesn’t stop at the software level, either; it can be applied from the silicon up. By applying the principle of least privilege, whereby users are granted the minimum level of access rights necessary to do their job, organizations can be less concerned about where their employees are working, and on what devices. This is especially important as an estimated 62% of supply chain attacks exploit the customer’s trust in their supplier.
As the future of work becomes increasingly hybrid, tech innovation will no doubt be a key element to stemming the spread of cyberattacks. By continuing to push for greater transparency in the industry, implementing security best practices within organizations and adopting a Zero Trust mindset, everyone can be better prepared to return to work safely and securely—no matter how daunting supply chain attacks may appear.