You’ve heard more about the supply chain in the past two years than you ever expected, or likely wanted. But, as a cybersecurity professional, you now have even more reason to pay attention besides not being able to get your favorite products at the grocery store. The apps used to develop software and run the business could be causing vulnerabilities and even bringing malicious code into your network.

Recent research found that supply chain attacks are rising. The recently released X-Force Threat Intelligence Index 2022 found that the supply chain issues from the pandemic were made worse by the fact that manufacturing was the most attacked industry in North America. 28% of all attacks X-Force remediated were in the manufacturing industry. It unseated finance and insurance as the most attacked industry for the first time in five years. With the increase in smart factories, this trend is likely to continue in the near future, which increases overall risks.

Three out of five companies targeted

A recent survey by Anchore gives even more insight on the trends. Software supply chain attacks targeted three out of five companies. Only 38% of companies reported that this type of attack did not impact them in 2021.

However, this was just the tip of the iceberg. Not all attacks are equal: some are major, while others are in the rear-view mirror very quickly. It’s easy to assume that many supply chain attacks fell in the minor category. But respondents reported that more than half of the organizations (55%) faced a significant or moderately impactful attack.

The most eye-opening bit of data was that we ended the year on a concerning trend. The highest number of supply chain attacks in 2021 took place in December. This means threat actors had momentum heading into 2022. Experts think that the increase is likely due to the role of the Log4j vulnerability. If this connection is correct, then the trend of supply chain attacks will likely only continue, and possibly even increase.

However, the attacks did not affect all companies equally. The Anchore survey also found that tech companies were more significantly impacted by these attacks (15%) compared with other industries. Of these, one in four attacks on the supply chain are ransomware, which continues to be a more and more dangerous threat.

How to reduce your vulnerabilities to supply chain attacks

With attacks on the rise, it’s not surprising that organizations focus on preventing supply chain attacks and reducing vulnerabilities. More than half of organizations (54%) now consider supply chain security as a top area of focus. But what does this survey mean for you and your organization? How can you reduce your risk?

First, if you are in the 46% of companies that do not have supply chain attacks as a top priority, you should consider moving it up your list. Next, you should begin taking strategic actions to secure your supply chain and reduce your vulnerabilities. By preparing for potential issues and watching current trends, you can get ahead of these threats.

Five steps to reduce risk

Here are five things to do today to help reduce risk:

  1. Create a software bill of materials (SBOM). The concept of the SBOM is simple: a list of all the components of your software. However, many organizations are not using this cornerstone of software security. More than just a list, this machine-readable inventory shows the dependencies and hierarchies, which helps spot and reduce risks. The Anchore report found that only 36% create SBOMs for software built by the organization. Even fewer (18%) have an SBOM for all apps.
  2. Focus on securing containers. Securing containers ranks among the top three security concerns for 44% of organizations. 89% ranked identifying vulnerabilities in containers as a significant or somewhat significant challenge. One of the biggest challenges is figuring out where to scan for vulnerabilities in the development process. The survey found that 31% ranked this as a ‘top three’ container security concern. By shifting left, meaning moving the task of scanning for vulnerabilities closer to the beginning of the process, you can more quickly and accurately spot issues.
  3. Adopt a zero trust framework. With a zero trust approach, you assume that each device or person requesting access is unauthorized until proven to be trusted. Instead of a single technology, zero trust involves combining several techniques. Microsegmentation, a zero trust concept, is helpful for reducing supply chain damage. Each time access is granted, the person or device can only access the smallest section of the network that they need. If an attacker gets through the security protocols, then the amount of damage they can do is limited. Encryption and two-factor authentication are also cornerstones of zero trust. You can use these to reduce your risk of supply chain attacks.
  4. Focus on open-source projects. Because of the nature of open source, this type of coding project is more open to supply chain attacks. Developers should reduce dependency confusion issues by increasing the visibility and security of libraries, packages and dependencies.
  5. Keep developers informed about supply chain attacks. Set up a process to keep developers up to date on the latest supply chain risks, such as a weekly email or a 10-minute discussion at each department meeting. By keeping them trained and informed on the latest strategies that cyber criminals are using for supply chain attacks, you can prevent future issues.
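Steps 1 and 4 above become concrete once an SBOM exists and something actually reads it. The script below is an added example written for this article, not code from the Anchore report or from any SBOM tool: it loads a minimal CycloneDX-style SBOM, flags components whose version falls inside a published affected range, lists components with no pinned version, and flags internally named packages whose package URL does not point at the internal registry (the dependency confusion check from step 4). The SBOM, the advisory list (`ADV-0001`, `ADV-0002`), the package names and the registry URL are all constructed sample data, and the simple numeric version comparison is an assumption that would need replacing with an ecosystem-aware comparer in real use.

```python
"""Added example: check a CycloneDX-style SBOM for known-affected, unpinned
and confusable components. All SBOM, advisory and registry values below are
constructed for illustration; none refer to a real vulnerability."""
import json
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Constructed sample SBOM (CycloneDX 1.4 JSON shape; only "components" is used).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-logger", "version": "2.14.1",
         "purl": "pkg:maven/com.example/example-logger@2.14.1"},
        {"type": "library", "name": "httpclient-x", "version": "4.5.0",
         "purl": "pkg:maven/com.example/httpclient-x@4.5.0"},
        {"type": "library", "name": "acme-auth", "version": "1.0.0",
         "purl": "pkg:pypi/acme-auth@1.0.0?repository_url=https://pypi.acme.internal/simple"},
        {"type": "library", "name": "acme-billing", "version": "2.3.0",
         "purl": "pkg:pypi/acme-billing@2.3.0"},
        {"type": "library", "name": "tiny-util", "version": "",
         "purl": "pkg:npm/tiny-util"},
    ],
})

# Constructed advisories: a component is affected if introduced <= version < fixed.
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "name": "example-logger", "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-0002", "name": "httpclient-x", "introduced": "4.0.0", "fixed": "4.4.9"},
]

# Names of packages that exist only on the internal registry (constructed).
INTERNAL_PACKAGES = {"acme-auth", "acme-billing"}
INTERNAL_REGISTRY = "https://pypi.acme.internal/simple"


def parse_version(version: str) -> Tuple[int, ...]:
    """Assumed simple comparer: leading digits of each dotted part, e.g. '2.14.1' -> (2, 14, 1)."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Return name/version/purl for each component of a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [{"name": c.get("name", ""), "version": c.get("version", ""), "purl": c.get("purl", "")}
            for c in bom.get("components", [])]


def find_vulnerable(components, advisories) -> List[Tuple[str, str, str]]:
    """(name, version, advisory id) for every component inside an affected range."""
    hits = []
    for comp in components:
        if not comp["version"]:
            continue  # unpinned components are reported separately
        ver = parse_version(comp["version"])
        for adv in advisories:
            if adv["name"] == comp["name"] and \
                    parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


def find_unpinned(components) -> List[str]:
    """Components with no version: the SBOM cannot say which build is deployed."""
    return [c["name"] for c in components if not c["version"]]


def find_confusable(components, internal_names, internal_registry) -> List[str]:
    """Internal package names whose purl does not carry the internal repository_url qualifier."""
    flagged = []
    for comp in components:
        if comp["name"] not in internal_names:
            continue
        query = comp["purl"].partition("?")[2]
        repo = parse_qs(query).get("repository_url", [""])[0]
        if repo != internal_registry:
            flagged.append(comp["name"])
    return flagged


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM)
    print("affected:", find_vulnerable(comps, SAMPLE_ADVISORIES))
    print("unpinned:", find_unpinned(comps))
    print("possible dependency confusion:", find_confusable(comps, INTERNAL_PACKAGES, INTERNAL_REGISTRY))
```

Run on the sample data, the script reports `example-logger` 2.14.1 against `ADV-0001`, `tiny-util` as unpinned, and `acme-billing` as resolvable from a public index. The `repository_url` qualifier is the purl spec's way of naming the source registry; in practice the same check belongs in CI, run against the SBOM the build produces, so that a dependency added later cannot silently resolve from the public index.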

Both the real and digital world still face many unknown and dramatic shifts. In turn, cybersecurity workers should continue to put supply chain protection first. By using the latest technology and staying up-to-date with the most recent patterns of attacks as well as vulnerabilities, your organization can reduce supply chain risk.
