You’ve heard more about the supply chain in the past two years than you ever expected, or likely wanted. But, as a cybersecurity professional, you now have even more reason to pay attention besides not being able to get your favorite products at the grocery store. The apps used to develop software and run the business could be causing vulnerabilities and even bringing malicious code into your network.

Recent research found that supply chain attacks are rising. The recently released X-Force Threat Intelligence Index 2022 found that the supply chain issues from the pandemic were made worse by the fact that manufacturing was the most attacked industry in North America. 28% of all attacks X-Force remediated were in the manufacturing industry. It unseated finance and insurance as the most attacked industry for the first time in five years. With the increase in smart factories, this trend is likely to continue in the near future, which increases overall risks.

Three Out of Five Companies Targeted

A recent survey by Anchore gives even more insight on the trends. Software supply chain attacks targeted three out of five companies. Only 38% of companies reported that this type of attack did not impact them in 2021.

However, this was just the tip of the iceberg. Not all attacks are equal: some are major, while others are in the rear-view mirror very quickly. It’s easy to assume that many supply chain attacks fell in the minor category. But respondents reported that more than half of the organizations (55%) faced a significant or moderately impactful attack.

The most eye-opening bit of data was that we ended the year on a concerning trend. The highest number of supply chain attacks in 2021 took place in December. This means threat actors had momentum heading into 2022. Experts think that the increase is likely due to the role of the Log4j vulnerability. If this connection is correct, then the trend of supply chain attacks will likely only continue, and possibly even increase.

However, the attacks did not affect all companies equally. The Anchore survey also found that tech companies were more significantly impacted by these attacks (15%) compared with other industries. One in four attacks on the supply chain is ransomware, which continues to be an increasingly dangerous threat.

How to Reduce Your Vulnerabilities to Supply Chain Attacks

With attacks on the rise, it’s not surprising that organizations focus on preventing supply chain attacks and reducing vulnerabilities. More than half of organizations (54%) now consider supply chain security as a top area of focus. But what does this survey mean for you and your organization? How can you reduce your risk?

First, if you are in the 46% of companies that do not have supply chain attacks as a top priority, you should consider moving it up your list. Next, you should begin taking strategic actions to secure your supply chain and reduce your vulnerabilities. By preparing for potential issues and watching current trends, you can get ahead of these threats.

Five Steps to Reduce Risk

Here are five things to do today to help reduce risk:

  1. Create a software bill of materials (SBOM). The concept of the SBOM is simple: a list of all the components of your software. However, many organizations are not using this cornerstone of software security. More than just a list, this machine-readable inventory shows the dependencies and hierarchies, which helps spot and reduce risks. The Anchore report found that only 36% create SBOMs for software built by the organization. Even fewer (18%) have an SBOM for all apps.
  2. Focus on securing containers. Securing containers ranks among the top three security concerns for 44% of organizations. 89% ranked identifying vulnerabilities in containers as a significant or somewhat significant challenge. One of the biggest challenges is figuring out where to scan for vulnerabilities in the development process. The survey found that 31% ranked this as a ‘top three’ container security concern. By shifting left, meaning moving the task of scanning for vulnerabilities closer to the beginning of the process, you can more quickly and accurately spot issues.
  3. Adopt a zero trust framework. With a zero trust approach, you assume that each device or person requesting access is unauthorized until proven to be trusted. Instead of a single technology, zero trust involves combining several techniques. Microsegmentation, a zero trust concept, is helpful for reducing supply chain damage. Each time access is granted, the person or device can only access the smallest section of the network that they need. If an attacker gets through the security protocols, then the amount of damage they can do is limited. Encryption and two-factor authentication are also cornerstones of zero trust. You can use these to reduce your risk of supply chain attacks.
  4. Focus on open-source projects. Because of its open nature, open-source code is more exposed to supply chain attacks. Developers should reduce dependency confusion issues by increasing the visibility and security of libraries, packages and dependencies.
  5. Keep developers informed about supply chain attacks. Set up a process to keep developers up to date on the latest supply chain risks, such as a weekly email or a 10-minute discussion at each department meeting. By keeping them trained and informed on the latest strategies that cyber criminals are using for supply chain attacks, you can prevent future issues.
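Steps 1 and 4 above only pay off if the SBOM is actually queried. The following script is an added example written for this article, not code from the survey or from any SBOM tool: it loads a small CycloneDX-style SBOM (the component names, versions, the `pypi.internal.example` host and the `acme-` prefix are constructed for the example) and answers two questions a flat component list cannot. First, every dependency path by which a flagged component reaches the application, using the Log4j case the article mentions; the cutoff version is an input parameter, not a claim about any specific advisory. Second, which internally named packages were resolved without a `repository_url` qualifier pointing at the private index, which is the precondition a dependency confusion attack relies on.

```python
"""Added example (not from the article): query a CycloneDX-style SBOM for
(1) dependency paths that lead to a flagged component and
(2) internally named packages resolved from a public index."""
import json
from urllib.parse import parse_qs

# Constructed sample data. Field names follow the CycloneDX JSON layout
# (metadata.component, components, dependencies, bom-ref, purl); the packages,
# versions and the private index host are invented for this example.
APP = "app:billing"
REPORT = "pkg:maven/com.example/report-engine@4.1.0"
AUDIT = "pkg:maven/com.example/audit-log@1.0.0"
L4J_CORE = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
L4J_API = "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"
AUTH = "pkg:pypi/acme-auth-client@0.4.0"  # no repository_url: came from the public index
METRICS = "pkg:pypi/acme-metrics@1.2.0?repository_url=https://pypi.internal.example/simple"
REQUESTS = "pkg:pypi/requests@2.28.1"


def _comp(purl, name, version):
    return {"bom-ref": purl, "name": name, "version": version, "purl": purl}


SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": APP, "type": "application",
                               "name": "billing-service", "version": "2.3.0"}},
    "components": [
        _comp(REPORT, "report-engine", "4.1.0"), _comp(AUDIT, "audit-log", "1.0.0"),
        _comp(L4J_CORE, "log4j-core", "2.14.1"), _comp(L4J_API, "log4j-api", "2.14.1"),
        _comp(AUTH, "acme-auth-client", "0.4.0"), _comp(METRICS, "acme-metrics", "1.2.0"),
        _comp(REQUESTS, "requests", "2.28.1"),
    ],
    "dependencies": [
        {"ref": APP, "dependsOn": [REPORT, AUDIT, AUTH, METRICS, REQUESTS]},
        {"ref": REPORT, "dependsOn": [L4J_CORE, L4J_API]},
        {"ref": AUDIT, "dependsOn": [L4J_CORE]},
        {"ref": L4J_CORE, "dependsOn": [L4J_API]},
        {"ref": AUTH, "dependsOn": [REQUESTS]},
    ],
})


def load_graph(sbom_text):
    """Return (root_ref, components_by_ref, edges) from a CycloneDX JSON string."""
    bom = json.loads(sbom_text)
    root = bom["metadata"]["component"]
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    components[root["bom-ref"]] = root
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return root["bom-ref"], components, edges


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); non-numeric parts count as 0. Enough for the sample
    data; real tooling should use an ecosystem-aware version comparator."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def older_than(name, fixed_version):
    """Predicate factory: matches a component with this name below fixed_version."""
    fixed = version_tuple(fixed_version)
    return lambda c: c.get("name") == name and version_tuple(c.get("version", "0")) < fixed


def find_paths(components, edges, start, predicate):
    """Depth-first search for every dependency path from `start` to a matching
    component. on_path cuts cycles, so a malformed SBOM (A -> B -> A) cannot loop."""
    found = []

    def walk(ref, path, on_path):
        path = path + [ref]
        if ref != start and predicate(components.get(ref, {})):
            found.append(path)
            return
        for child in edges.get(ref, []):
            if child not in on_path:
                walk(child, path, on_path | {child})

    walk(start, [], frozenset([start]))
    return found


def paths_to_flagged(sbom_text, name, fixed_version):
    """Readable 'app -> lib -> flagged' chains for every route to a flagged component."""
    root, components, edges = load_graph(sbom_text)
    paths = find_paths(components, edges, root, older_than(name, fixed_version))
    return [" -> ".join(f"{components[r]['name']}@{components[r]['version']}" for r in p)
            for p in paths]


def dependency_confusion_risks(sbom_text, internal_prefixes, private_hosts):
    """Internally named components whose purl carries no repository_url qualifier
    for a private index: the resolver fetched them from the public registry."""
    _, components, _ = load_graph(sbom_text)
    risky = []
    for comp in components.values():
        name = comp.get("name", "")
        if not name.startswith(tuple(internal_prefixes)):
            continue
        query = comp.get("purl", "").partition("?")[2]
        repo = parse_qs(query).get("repository_url", [""])[0]
        if not any(host in repo for host in private_hosts):
            risky.append(name)
    return sorted(risky)


if __name__ == "__main__":
    # The cutoff version is an input, not a claim: take it from your vulnerability feed.
    for chain in paths_to_flagged(SAMPLE_SBOM, "log4j-core", "2.17.1"):
        print("flagged:", chain)
    print("dependency confusion risk:",
          dependency_confusion_risks(SAMPLE_SBOM, ["acme-"], ["pypi.internal.example"]))
```

The path search is what makes the SBOM more than a list: it tells you that `log4j-core` enters `billing-service` through two different libraries, so fixing one of them is not enough. The second check is a cheap policy gate to run in CI against the generated SBOM, failing the build when an internal package name was satisfied by the public index.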

Both the physical and digital worlds still face many unknown and dramatic shifts. In turn, cybersecurity workers should continue to put supply chain protection first. By using the latest technology and staying up-to-date with the most recent patterns of attacks as well as vulnerabilities, your organization can reduce supply chain risk.
