For years, the financial services, energy and healthcare industries have been singled out as the most vulnerable to cyberattacks. But in light of the pandemic and the recent dramatic increase in ransomware, these susceptible sectors have been joined by small businesses, government, education and the supply chain. An attack that takes down any of these industries is catastrophic to critical infrastructure, and such attacks have already happened.
The supply chain, for example, is a vital lifeline to every organization regardless of size, and a sector that was front and center during the peak of COVID-19. With lockdowns, travel restrictions, demand outweighing resources, and the overall burden of delivering the medical supplies and necessities that keep nations alive, the supply chain quickly became one of the biggest drivers of mass economic disruption. Nine months later, the sector suffered another blow, this time as the victim of the worst cyber-espionage incident in the U.S.: the SolarWinds attack.
Despite SolarWinds serving as a wake-up call, 2021 saw numerous sophisticated supply chain attacks, including Codecov, Kaseya, Click Studios (which prompted 29,000 customers to change their passwords), and most recently the Log4j vulnerability. Unfortunately, the supply chain hasn’t bounced back: it is still seeing major delays, impacts to infrastructure and operations, and more attempted cyberattacks. As governments work to establish steadfast regulations to protect networks, more needs to be done to safeguard information and communications technology, the backbone of any organization. In short, we need to remove the vulnerabilities.
Why supply chain? Where are the weaknesses?
Supply chain cyberattacks are no longer a one-off, bullseye hit. In today’s digital world, a single breach can overwhelm and potentially wipe out global economies. As we all know, the supply chain has multiple touchpoints with manufacturers, suppliers, distributors and other providers, and it is this sequential changing of hands throughout the process that makes it appealing to cybercriminals. The more touchpoints, the more opportunities for attack.
In a fully digital world, how does security across all of those touchpoints happen? As it currently stands, it isn’t happening at all. Typically, throughout supply chain processes, there is simply an implicit level of trust, all the way down to the consumer, that isn’t supported by any true verification. For instance, a consumer receives an email from a “trusted” vendor relaying information about a product’s shipping date, and the consumer simply trusts it, with no way to verify its origin. This happens all the time, sometimes on a much larger scale.
What happened with SolarWinds was very similar in nature, but far more impactful. A bad actor managed to insert code into SolarWinds’ product years beforehand, and because those overseeing the product assumed the change had been made by a trusted employee, they weren’t aware of the potential repercussions. In the end, the breach affected 27,000 businesses. In the case of Click Studios, the culprit was a malicious software update designed to steal “secrets”. In these scenarios, and most others like them, intent and credibility are established through traditional user verification mechanisms, which ultimately come down to a password. The password to the system at SolarWinds that packaged their software (and that reached 27,000 businesses) was none other than: SolarWinds123.
So how do we fix this?
In short, the answer is simple: change the process. According to HYPR’s 2022 State of Passwordless Security report, 64% of organizations that were hacked did not enhance or improve their password-based authentication controls following the attack.
The key to changing the overall process lies in proof of tamper-resistance, and the way we achieve that with today’s technology is through cryptographic signatures. Similar in concept to the move from swiping a credit card to inserting a chip, cryptographic signatures use public key algorithms to provide data integrity (or, in layman’s terms, to prove that the data really came from the claimed sender and has not been altered in transit).
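To make the idea concrete for the software-update case described above, here is an added example (not code from the article or from any vendor mentioned in it): the vendor’s build system signs the SHA-256 digest of a release with an Ed25519 private key, and the customer verifies it against a public key pinned out of band before installing, so a modified artifact, a forged signature or a swapped key all fail closed. The artifact bytes and key pair are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedRelease is what a vendor ships alongside an update: the artifact
// bytes plus a signature over the artifact's SHA-256 digest.
type SignedRelease struct {
	Artifact  []byte
	Signature []byte
}

// digest binds the signature to the exact bytes that will be installed.
func digest(artifact []byte) []byte {
	sum := sha256.Sum256(artifact)
	return sum[:]
}

// SignRelease runs on the vendor's build/packaging system; only the holder
// of the private key can produce a valid signature for the artifact.
func SignRelease(priv ed25519.PrivateKey, artifact []byte) SignedRelease {
	return SignedRelease{Artifact: artifact, Signature: ed25519.Sign(priv, digest(artifact))}
}

// VerifyRelease runs on the customer side against a public key obtained out
// of band (never taken from the update itself). Malformed inputs are rejected
// before Verify is called, so a bad key length cannot cause a panic.
func VerifyRelease(pub ed25519.PublicKey, rel SignedRelease) bool {
	if len(pub) != ed25519.PublicKeySize || len(rel.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, digest(rel.Artifact), rel.Signature)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample update; not a real product or version.
	rel := SignRelease(priv, []byte("agent-update v2.0 (constructed sample)"))
	fmt.Println("genuine update verifies:", VerifyRelease(pub, rel))

	tampered := SignedRelease{Artifact: append([]byte(nil), rel.Artifact...), Signature: rel.Signature}
	tampered.Artifact[0] ^= 0x01 // a single changed bit, as a build-time modification would cause
	fmt.Println("tampered update verifies:", VerifyRelease(pub, tampered))
}
```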
Ultimately, the best way to eliminate the opportunity for tampering lies in a passwordless approach. Organizations are grappling with how to implement a solid security strategy that meets regulations and ensures customer confidence, all while responding to a lingering pandemic that has left their teams understaffed and overworked; yet they continue to work within a strategy that has failed thousands (read: millions) of times over.
The slow but sure uptick in awareness of the need to move beyond password-based multi-factor authentication is working, but not nearly quickly enough. As organizations continue to roll out their Zero Trust programs, we can expect passwordless multi-factor authentication to become a critical component of any security framework.