Supply chain cyber-attacks are on the rise. Is your organization prepared?

A new report from ReversingLabs confirmed what we all knew was inevitable: software supply chains will increase in 2023. While alarming, it’s a trend that has been at least two years in the making – a period in which we’ve seen countless attacks on companies and their vendors.

The most often referenced supply chain attack occurred in 2020, when hackers infiltrated SolarWinds, a Texas technology company, and accessed private government and corporate data. From a single point of entry along the supply chain, the cybercriminals managed to retrieve a wide range of sensitive information from multiple points of origin, setting off a new cybercrime trend. The supply chain.

It’s time for greater supply chain scrutiny

With any new offensive move comes the need for stronger defense. Governmental agencies and organizations are more motivated than ever to ensure the security of their supply chains. This has sparked greater scrutiny into the vendors who deliver services, store data and exchange information, and in the age of digital dependencies, this increasing cyber maturity is much needed.

Thanks to media coverage, we are well-versed in the consequences of such cyber-attacks by now – from reputational to monetary. We have learned that companies must prioritize security not just within their own walls now but also within the vast sphere in which they operate. And, as we have learned from PwC, as many as 50% of under-prepared companies that are attacked never recover.

Preparation and resilience-building are key to business continuity in the event of a cyberattack

This also applies to the supply chain. Companies must take steps to ensure that vendors comply with laws and regulation and work to protect your data as if it were their own (or better). However, chances are, this won’t happen on its own. That’s where organizations need to take greater action.

It’s time to take a few steps to ensure that your supply chain meets your standards for data protection. And I suggest doing these three things before and audit or even worse, an attack, comes your way:

1. Map out all third-party vendors your company uses. Assess their level of data access in terms of what type of information they have and the level of sensitivity of that information.
2. Assess how each vendor is using that data and how they store it. Check who internally can retrieve that data and how are they sharing it. The intentions aren’t always nefarious, as sometimes data will be access for troubleshooting and improvements, but it’s important that companies are aware of its movement.
3. Audit your vendor to ensure compliance. It may sound like a large undertaking, but it’s something that should be done regularly. It’s important to understand the security and privacy protocols that your vendor has in place. Find out their action plan in case of a breach. Assess whether your data travels beyond the vendor to a fourth party. And establish clear guidance and regulation for this vendor, as a benchmark for further assessment.

It's never too late to start taking privacy and security seriously. It comes down to dedicating time and resources to it, and ensuring consistent and thorough follow-up, both internally and across your supply chain. Think of it as your insurance policy, one that you will be grateful for in the event of an attack.