SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Palo Alto says supply chain is cybersecurity’s weakest link
Fri, 18th Jan 2019

Cybercriminals will often scour a company's digital defences for a weak point to exploit.

And according to Palo Alto Networks, the weakest link is the supply chain, as organisations can't always control the security measures taken by supply chain partners.

In effect, this creates a gap that cybercriminals can exploit: they first compromise the supply partner and then use that foothold to reach other members of the chain.

Palo Alto Networks vice president and chief security officer Sean Duca says in light of this, it's vital partners are aware of this risk and act to protect each other.

"Supply chain organisations are targeted because they often aren't as aware of potential threats and may not have adequate resources to manage security to a high level," says Duca.

"Bad actors often start small, waiting in systems for years before striking the target organisation where it's weak."

Duca says software supply chain attacks are pernicious because they violate the basic trust between software provider and consumer, with attackers evading traditional defences to compromise both the software itself and the processes that build and deliver it.

The end result is that companies running the corrupted software can find themselves victims of ransomware attacks, theft of proprietary information, and commercial sabotage.

"Organisations are increasingly interconnected and, while this provides a variety of business benefits, it also comes with security risks. Cybercriminals are very aware of these connections and are using them to access networks that are otherwise well-protected," says Duca. "In today's world of Internet of Things (IoT), digital buyer-seller relationships, and robotic process automation, vulnerabilities to cyber damage are increasing. Businesses may have security tools and protection in place but need to ask whether their suppliers, and their suppliers' suppliers, and so on down the value chain, have the same kind of protection."

Taking all this into account, Palo Alto Networks has set out three key ways to secure the supply chain.

1. Review internal and external security procedures: Businesses must review not only their own internal infrastructure but also that of their vendors and partners. Any new vendor or partner should undergo a thorough vetting process before full integration.

2. Establish written security guidelines and controls: Through a written agreement, organisations should require suppliers to adhere to processes and protocols that minimise the likelihood of attacks (for example, a supplier's website being used by cybercriminals to host malware).

3. Train staff and vendors in security best practices: Human error is still by far the primary source of data breaches, so it's crucial for organisations to train all staff in security best practices and to share those practices with vendors.

"Organisations mustn't overlook the risks posed by their supply chain when it comes to protecting company and customer information," says Duca.

"Cybercriminals will look for every vulnerability to attack an organisation so it's essential to close every gap, down to the last link in the supply chain."