You’ve heard more about the supply chain in the past two years than you ever expected, or likely wanted. But as a cybersecurity professional, you have a reason to pay attention beyond empty shelves at the grocery store. The tools used to develop software and the third-party applications that run the business can introduce vulnerabilities and even carry malicious code into your network.

Recent research found that supply chain attacks are rising. The recently released X-Force Threat Intelligence Index 2022 found that the supply chain strain left by the pandemic was compounded by manufacturing becoming the most attacked industry in North America: 28% of all attacks X-Force remediated were in the manufacturing industry. It unseated finance and insurance as the most attacked industry for the first time in five years. With the growth of smart factories, this trend is likely to continue in the near future, which raises overall risk.

Three out of five companies targeted

A recent survey by Anchore gives even more insight on the trends. Software supply chain attacks targeted three out of five companies. Only 38% of companies reported that this type of attack did not impact them in 2021.

However, this was just the tip of the iceberg. Not all attacks are equal: some are major, while others are in the rear-view mirror very quickly. It would be easy to assume that most supply chain attacks fell into the minor category. But more than half of the organizations surveyed (55%) reported facing an attack with significant or moderate impact.

The most eye-opening data point was that the year ended on a concerning trend. The highest number of supply chain attacks in 2021 took place in December, which means threat actors had momentum heading into 2022. Experts attribute the December spike largely to the Log4j vulnerability disclosed that month. If this connection is correct, the trend of supply chain attacks will likely continue, and possibly even accelerate.

However, the attacks did not affect all companies equally. The Anchore survey also found that tech companies were more significantly impacted by these attacks (15%) than other industries. One in four supply chain attacks involved ransomware, which continues to grow more dangerous.

How to reduce your vulnerabilities to supply chain attacks

With attacks on the rise, it’s not surprising that organizations are focusing on preventing supply chain attacks and reducing their exposure. More than half of organizations (54%) now consider supply chain security a top area of focus. But what does this survey mean for you and your organization? How can you reduce your risk?

First, if you are among the 46% of companies that do not treat supply chain security as a top priority, consider moving it up your list. Next, begin taking concrete actions to secure your supply chain and reduce your exposure. By preparing for likely issues and watching current trends, you can get ahead of these threats.

Five steps to reduce risk

Here are five things to do today to help reduce risk:

  1. Create a software bill of materials (SBOM). The concept of the SBOM is simple: a list of all the components of your software. However, many organizations are not using this cornerstone of software security. More than just a list, this machine-readable inventory records the dependencies and their hierarchy, so you can see not only which libraries you ship but which components pull them in. That is what makes it possible to spot a vulnerable transitive dependency quickly and reduce the risk. The Anchore report found that only 36% of organizations create SBOMs for software they build. Even fewer (18%) have an SBOM for all of their applications.
  2. Focus on securing containers. Securing containers ranks among the top three security concerns for 44% of organizations, and 89% rated identifying vulnerabilities in containers as a significant or somewhat significant challenge. One of the biggest challenges is deciding where in the development process to scan for vulnerabilities; the survey found that 31% ranked this as a ‘top three’ container security concern. By shifting left, meaning moving vulnerability scanning closer to the beginning of the process (at build time, before an image reaches a registry or a cluster), you can spot issues sooner and more accurately.
  3. Adopt a zero trust framework. With a zero trust approach, you treat each device or person requesting access as untrusted until it has been verified. Rather than a single technology, zero trust combines several techniques. Microsegmentation, a zero trust concept, is helpful for limiting supply chain damage: each time access is granted, the person or device can reach only the smallest section of the network that it needs. If an attacker gets through one control, the damage they can do is contained. Encryption and two-factor authentication are also cornerstones of zero trust. Applying them to build systems, artifact registries and deployment pipelines reduces your exposure to supply chain attacks.
  4. Focus on open-source projects. Open-source dependencies are pulled from public registries by name, which makes them a natural target for supply chain attacks such as dependency confusion, where an attacker publishes a public package under the same name as an internal one. Developers should reduce this risk by increasing visibility into, and control over, the libraries, packages and dependencies they pull in, including which registry each one resolves from.
  5. Keep developers informed about supply chain attacks. Set up a process to keep developers up to date on the latest supply chain risks, such as a weekly email or a 10-minute discussion at each department meeting. Keeping them trained and informed about the latest techniques cyber criminals use in supply chain attacks helps prevent future incidents.
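Steps 1 and 4 above are where an SBOM earns its keep, so here is an added example of what an SBOM check looks like in practice. This is illustrative code written for this article, not tooling from Anchore or any project named on the page. It parses a constructed CycloneDX 1.4 SBOM for a hypothetical "billing" service (the component names, versions, the com.example namespace and the artifacts.example.internal registry host are all made up; only the log4j-core coordinates and version numbers refer to a real library), walks the dependency hierarchy from the root component, and reports two kinds of finding: a component below an enforced minimum version, and a component that carries the organization's internal group name but was not resolved from the internal registry, which is the signature of dependency confusion.

```python
import json
import re
from collections import deque

# Constructed CycloneDX 1.4 SBOM for a hypothetical "billing" service (not a real project).
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "pkg:maven/com.example/billing@3.2.0",
               "type": "application", "group": "com.example", "name": "billing", "version": "3.2.0"}},
  "components": [
    {"bom-ref": "pkg:maven/com.example/ledger-client@1.4.0?repository_url=artifacts.example.internal",
     "type": "library", "group": "com.example", "name": "ledger-client", "version": "1.4.0",
     "purl": "pkg:maven/com.example/ledger-client@1.4.0?repository_url=artifacts.example.internal"},
    {"bom-ref": "pkg:maven/com.example/pricing-rules@0.9.1",
     "type": "library", "group": "com.example", "name": "pricing-rules", "version": "0.9.1",
     "purl": "pkg:maven/com.example/pricing-rules@0.9.1"},
    {"bom-ref": "pkg:maven/org.springframework/spring-web@5.3.18",
     "type": "library", "group": "org.springframework", "name": "spring-web", "version": "5.3.18",
     "purl": "pkg:maven/org.springframework/spring-web@5.3.18"},
    {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1",
     "type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2",
     "type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.2",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/com.example/billing@3.2.0",
     "dependsOn": ["pkg:maven/com.example/ledger-client@1.4.0?repository_url=artifacts.example.internal",
                   "pkg:maven/com.example/pricing-rules@0.9.1",
                   "pkg:maven/org.springframework/spring-web@5.3.18"]},
    {"ref": "pkg:maven/com.example/ledger-client@1.4.0?repository_url=artifacts.example.internal",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
    {"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"]},
    {"ref": "pkg:maven/org.springframework/spring-web@5.3.18",
     "dependsOn": ["pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2"]}
  ]
}
"""

# Minimum versions to enforce, keyed by (group, name). log4j-core 2.17.1 is the release
# that closed the series of December 2021 Log4j advisories (CVE-2021-44228 through CVE-2021-44832).
MIN_VERSIONS = {("org.apache.logging.log4j", "log4j-core"): "2.17.1"}

# Assumed internal namespace and internal registry host; both are made up for this example.
INTERNAL_GROUPS = {"com.example"}
INTERNAL_REPO = "artifacts.example.internal"


def version_key(version):
    """Numeric tuple for comparing dotted versions; a non-numeric part counts as 0."""
    parts = []
    for part in version.split("."):
        match = re.match(r"\d+", part)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def dependency_paths(bom):
    """Breadth-first walk from the root component: shortest path (list of bom-refs) to every reachable ref."""
    root = bom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    paths, queue = {root: [root]}, deque([root])
    while queue:
        current = queue.popleft()
        for child in edges.get(current, []):
            if child not in paths:
                paths[child] = paths[current] + [child]
                queue.append(child)
    return paths


def audit_sbom(sbom_text):
    """Return sorted (bom-ref, reason, depth-from-root) findings for components that are below the
    enforced minimum version or that carry an internal group name without the internal registry
    qualifier in their purl (the dependency-confusion indicator)."""
    bom = json.loads(sbom_text)
    paths = dependency_paths(bom)
    findings = []
    for comp in bom.get("components", []):
        ref, group = comp["bom-ref"], comp.get("group", "")
        depth = len(paths[ref]) - 1 if ref in paths else None  # None: listed but never reached
        floor = MIN_VERSIONS.get((group, comp["name"]))
        if floor and version_key(comp["version"]) < version_key(floor):
            findings.append((ref, f"below minimum version {floor}", depth))
        if group in INTERNAL_GROUPS and f"repository_url={INTERNAL_REPO}" not in comp.get("purl", ""):
            findings.append((ref, "internal name not pinned to internal registry", depth))
    return sorted(findings)


if __name__ == "__main__":
    for ref, reason, depth in audit_sbom(SAMPLE_SBOM):
        print(f"{ref}\n  {reason} (depth {depth} from root)")
```

Run against the constructed SBOM, the audit flags two components: pricing-rules, an internal name that resolves from a public registry and so could be hijacked by a same-named public package, and log4j-core 2.14.1, which nobody added directly but which arrives two levels down through ledger-client. The depth value is the point of keeping the hierarchy in the SBOM: it tells you which first-party dependency to update rather than leaving you to guess.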

Both the physical and digital worlds still face many unknown and dramatic shifts. Cybersecurity teams should therefore keep supply chain protection at the top of the list. By using the latest tooling and staying current with the most recent attack patterns and vulnerabilities, your organization can reduce its supply chain risk.
