You’ve heard more about the supply chain in the past two years than you ever expected, or likely wanted. But, as a cybersecurity professional, you now have even more reason to pay attention besides not being able to get your favorite products at the grocery store. The apps used to develop software and run the business could be causing vulnerabilities and even bringing malicious code into your network.

Recent research found that supply chain attacks are rising. The recently released X-Force Threat Intelligence Index 2022 found that the supply chain issues from the pandemic were made worse by the fact that manufacturing was the most attacked industry in North America. 28% of all attacks X-Force remediated were in the manufacturing industry. It unseated finance and insurance as the most attacked industry for the first time in five years. With the increase in smart factories, this trend is likely to continue in the near future, which increases overall risks.

Three Out of Five Companies Targeted

A recent survey by Anchore gives even more insight on the trends. Software supply chain attacks targeted three out of five companies. Only 38% of companies reported that this type of attack did not impact them in 2021.

However, this was just the tip of the iceberg. Not all attacks are equal, with some being major and others are in the rear-view mirror very quickly. It’s easy to assume that many supply chain attacks fell in the minor category. But respondents reported that more than half of the organizations (55%) faced a significant or moderately impactful attack.

The most eye-opening bit of data was that we ended the year on a concerning trend. The highest number of supply chain attacks in 2021 took place in December. This means threat actors had  momentum heading into 2022. Experts think that the increase is likely due to the role of the Log4j vulnerability. If this connection is correct, then the trend of supply chain attacks will likely only continue, and possibly even increase.

However, the attacks did not affect all companies equally. The Anchore survey also found that tech companies were more significantly impacted by these attacks (15%) compared with other industries. Of these, one in four attacks on the supply chain are ransomware, which continues to be a more and more dangerous threat.

How to Reduce Your Vulnerabilities to Supply Chain Attacks

With attacks on the rise, it’s not surprising that organizations focus on preventing supply chain attacks and reducing vulnerabilities. More than half of organizations (54%) now consider supply chain security as a top area of focus. But what does this survey mean for you and your organization? How can you reduce your risk?

First, if you are in the 46% of companies that do not have supply chain attacks as a top priority, you should consider moving it up your list. Next, you should begin taking strategic actions to secure your supply chain and reduce your vulnerabilities. By preparing for potential issues and watching current trends, you can get ahead of these threats.

Five Steps to Reduce Risk

Here are five things to do today to help reduce risk:

  1. Create a software bill of materials (SBOM). The concept of the SBOM is simple: a list of all the components of your software. However, many organizations are not using this cornerstone of software security. More than just a list, this machine-readable inventory shows the dependencies and hierarchies, which helps spot and reduce risks. The Anchore report found that only 36% create SBOMs for software built by the organization. Even fewer (18%) have an SBOM for all apps.
  2. Focus on securing containers. Securing containers ranks among the top three security concerns for 44% of organizations. 89% ranked identifying vulnerabilities in containers as a significant or somewhat significant challenge. One of the biggest challenges is figuring out where to scan for vulnerabilities in the development process. The survey found that 31% ranked this as a ‘top three’ container security concern. By shifting left, meaning moving the task of scanning for vulnerabilities closer to the beginning of the process, you can more quickly and accurately spot issues.
  3. Adopt a zero trust framework. With a zero trust approach, you assume that each device or person requesting access is unauthorized until proven to be trusted. Instead of a single technology, zero trust involves combining several techniques. Microsegmentation, a zero trust concept, is helpful for reducing supply chain damage. Each time access is granted, the person or device can only access the smallest section of the network that they need. If an attacker gets through the security protocols, then the amount of damage they can do is limited. Encryption and two-factor authentication are also cornerstones of zero trust. You can use these to reduce your risk of supply chain attacks.
  4. Focus on open-source projects. Because of the nature of open source, this type of coding project is more open to supply chain attacks. Developers should reduce dependency confusion issues by increasing the visibility and security of libraries, packages and dependencies.
  5. Keep developers informed about supply chain attacks. Set up a process to keep developers up to date on the latest supply chain risks, such as a weekly email or a 10-minute discussion at each department meeting. By keeping them trained and informed on the latest strategies that cyber criminals are using for supply chain attacks, you can prevent future issues.

Both the real and digital world still face many unknown and dramatic shifts. In turn, cybersecurity workers should continue to put supply chain protection first. By using the latest technology and staying up-to-date with the most recent patterns of attacks as well as vulnerabilities, your organization can reduce supply chain risk.

More from Risk Management

The Evolution of Antivirus Software to Face Modern Threats

Over the years, endpoint security has evolved from primitive antivirus software to more sophisticated next-generation platforms employing advanced technology and better endpoint detection and response.  Because of the increased threat that modern cyberattacks pose, experts are exploring more elegant ways of keeping data safe from threats.Signature-Based Antivirus SoftwareSignature-based detection is the use of footprints to identify malware. All programs, applications, software and files have a digital footprint. Buried within their code, these digital footprints or signatures are unique to the respective…

Contain Breaches and Gain Visibility With Microsegmentation

Organizations must grapple with challenges from various market forces. Digital transformation, cloud adoption, hybrid work environments and geopolitical and economic challenges all have a part to play. These forces have especially manifested in more significant security threats to expanding IT attack surfaces. Breach containment is essential, and zero trust security principles can be applied to curtail attacks across IT environments, minimizing business disruption proactively. Microsegmentation has emerged as a viable solution through its continuous visualization of workload and device communications…

How the Silk Road Affair Changed Law Enforcement

The Silk Road was the first modern dark web marketplace, an online place for anonymously buying and selling illegal products and services using Bitcoin. Ross Ulbricht created The Silk Road in 2011 and operated it until 2013 when the FBI shut it down. Its creator was eventually arrested and sentenced to life in prison. But in a plot twist right out of a spy novel, a cyber attacker stole thousands of bitcoins from Silk Road and hid them away. It…

Third-Party App Stores Could Be a Red Flag for iOS Security

Even Apple can’t escape change forever. The famously restrictive company will allow third-party app stores for iOS devices, along with allowing users to “sideload” software directly. Spurring the move is the European Union’s (EU) Digital Markets Act (DMA), which looks to ensure open markets by reducing the ability of digital “gatekeepers” to restrict content on devices. While this is good news for app creators and end-users, there is a potential red flag: security. Here’s what the compliance-driven change means for…