You’ve heard more about the supply chain in the past two years than you ever expected, or likely wanted. But, as a cybersecurity professional, you now have even more reason to pay attention besides not being able to get your favorite products at the grocery store. The apps used to develop software and run the business could be causing vulnerabilities and even bringing malicious code into your network.

Recent research found that supply chain attacks are rising. The recently released X-Force Threat Intelligence Index 2022 found that the supply chain issues from the pandemic were made worse by the fact that manufacturing was the most attacked industry in North America. 28% of all attacks X-Force remediated were in the manufacturing industry. It unseated finance and insurance as the most attacked industry for the first time in five years. With the increase in smart factories, this trend is likely to continue in the near future, which increases overall risks.

Three Out of Five Companies Targeted

A recent survey by Anchore gives even more insight on the trends. Software supply chain attacks targeted three out of five companies. Only 38% of companies reported that this type of attack did not impact them in 2021.

However, this was just the tip of the iceberg. Not all attacks are equal, with some being major and others are in the rear-view mirror very quickly. It’s easy to assume that many supply chain attacks fell in the minor category. But respondents reported that more than half of the organizations (55%) faced a significant or moderately impactful attack.

The most eye-opening bit of data was that we ended the year on a concerning trend. The highest number of supply chain attacks in 2021 took place in December. This means threat actors had  momentum heading into 2022. Experts think that the increase is likely due to the role of the Log4j vulnerability. If this connection is correct, then the trend of supply chain attacks will likely only continue, and possibly even increase.

However, the attacks did not affect all companies equally. The Anchore survey also found that tech companies were more significantly impacted by these attacks (15%) compared with other industries. Of these, one in four attacks on the supply chain are ransomware, which continues to be a more and more dangerous threat.

How to Reduce Your Vulnerabilities to Supply Chain Attacks

With attacks on the rise, it’s not surprising that organizations focus on preventing supply chain attacks and reducing vulnerabilities. More than half of organizations (54%) now consider supply chain security as a top area of focus. But what does this survey mean for you and your organization? How can you reduce your risk?

First, if you are in the 46% of companies that do not have supply chain attacks as a top priority, you should consider moving it up your list. Next, you should begin taking strategic actions to secure your supply chain and reduce your vulnerabilities. By preparing for potential issues and watching current trends, you can get ahead of these threats.

Five Steps to Reduce Risk

Here are five things to do today to help reduce risk:

  1. Create a software bill of materials (SBOM). The concept of the SBOM is simple: a list of all the components of your software. However, many organizations are not using this cornerstone of software security. More than just a list, this machine-readable inventory shows the dependencies and hierarchies, which helps spot and reduce risks. The Anchore report found that only 36% create SBOMs for software built by the organization. Even fewer (18%) have an SBOM for all apps.
  2. Focus on securing containers. Securing containers ranks among the top three security concerns for 44% of organizations. 89% ranked identifying vulnerabilities in containers as a significant or somewhat significant challenge. One of the biggest challenges is figuring out where to scan for vulnerabilities in the development process. The survey found that 31% ranked this as a ‘top three’ container security concern. By shifting left, meaning moving the task of scanning for vulnerabilities closer to the beginning of the process, you can more quickly and accurately spot issues.
  3. Adopt a zero trust framework. With a zero trust approach, you assume that each device or person requesting access is unauthorized until proven to be trusted. Instead of a single technology, zero trust involves combining several techniques. Microsegmentation, a zero trust concept, is helpful for reducing supply chain damage. Each time access is granted, the person or device can only access the smallest section of the network that they need. If an attacker gets through the security protocols, then the amount of damage they can do is limited. Encryption and two-factor authentication are also cornerstones of zero trust. You can use these to reduce your risk of supply chain attacks.
  4. Focus on open-source projects. Because of the nature of open source, this type of coding project is more open to supply chain attacks. Developers should reduce dependency confusion issues by increasing the visibility and security of libraries, packages and dependencies.
  5. Keep developers informed about supply chain attacks. Set up a process to keep developers up to date on the latest supply chain risks, such as a weekly email or a 10-minute discussion at each department meeting. By keeping them trained and informed on the latest strategies that cyber criminals are using for supply chain attacks, you can prevent future issues.

Both the real and digital world still face many unknown and dramatic shifts. In turn, cybersecurity workers should continue to put supply chain protection first. By using the latest technology and staying up-to-date with the most recent patterns of attacks as well as vulnerabilities, your organization can reduce supply chain risk.

more from Risk Management

A Response Guide for New NSA and CISA Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) recently published a report highlighting a range of critical security vulnerabilities requiring attention from organizations of all types. The report was published with input from the National Security Agency (NSA) and similar agencies worldwide. It should be considered essential reading.  Many of the vulnerabilities in the report are not new. Instead, the report…