Why the ‘zero-trust’ approach is key in stopping supply chain software attacks
If you were a hacker, how would you set about wreaking the most havoc possible? Keiron Holyome, VP UKI and Emerging Markets at BlackBerry, explores.
Mass phishing? Targeting critical infrastructure? Perhaps. Or maybe you’d choose attacking a supply chain: if thousands of companies have bought software from a single vendor, then a hit on that vendor attacks all its customers simultaneously.
This is, of course, the story of the recent cyber-attack aimed at health software company Ortivus.
Attackers targeted Ortivus’ hosted data centre and left two NHS ambulance trusts without access to electronic patient records.
Its success may be down to trust: too many leaders trust that their vendors have security covered, so they don’t protect against potential attack. Indeed, the UK government’s Cyber Security Breaches Survey 2022 found that just over one in ten UK businesses (13%) review the risks posed by their immediate suppliers, and the proportion for the wider supply chain is just 7%.
It would make sense if organisations weren’t being attacked. But new research has found that hackers view the healthcare sector as a lucrative target, with 109,922 separate attacks on that sector prevented from March to May.
It proves we can’t afford to be so relaxed, especially when cyber-attacks saw a 13% increase over the same period. Security must go far beyond vendor trust. Here’s how:
Software supply chain attacks are devastating – here’s why
Software supply chain attacks are among the most destructive strategies used by cybercriminals today.
Six in ten companies (59%) that have suffered a supply chain attack reported significant operational disruption, according to research by BlackBerry; 58% reported data loss, and 52% reputational impact. Nine out of ten organisations (90%) took up to a month to recover. Time is money, so being hit by a software supply chain attack is a highly costly experience however you look at it.
Why do these attacks cause so much destruction? It’s because much of the software created and sold today is based on open-source code, which can easily be compromised due to its public availability. Vendors should, of course, check it – and research shows that IT teams believe they do: many are confident that their supply chain partners have policies in place of at least comparable strength to their own.
But amid a chronic cybersecurity skills gap in the UK and abroad, can a buyer guarantee this due diligence has been done? Perhaps not. It’s no wonder software supply chain attacks are so successful.
Securing a software supply chain against attacks takes knowing which elements in your system have the potential to be attacked. More than three-quarters (77%) of those BlackBerry surveyed said that, in the last 12 months, they discovered previously unknown participants within their software supply chain – entities they had not been monitoring for adherence to critical security standards.
The game plan for attack prevention
Awareness is the start, but action is the key to stopping software supply chain attacks, and preventing the knock-on reputational, cost, and time damages your staff and customers will feel.
Businesses need a complete, granular view of all potential network and endpoint vulnerabilities in order to predict, prevent, discover, and respond to attacks – an Extended Detection and Response (XDR) tool is a wise option to enable this. By collecting and analysing data from multiple sources, XDR gives organisations the visibility and proactive action they need to prevent attacks – 24/7, 365 days a year. However, data shows that more than three in four IT and cyber decision-makers currently report a lack of holistic visibility into their security posture. Change needs to take place: in the current, heightened threat landscape, a prevention-first approach to all attacks, regardless of their origin, is vital.
In an industry struggling with a cyber skills shortage, the message to double down on defences may sound like an impossible task. But, in the event of a cyberattack, technology like XDR – particularly when it comes as a managed service – can significantly speed up response and remediation, meaning security teams can focus on critical roles such as activating Critical Event Management systems.
Indeed, BlackBerry found that 63% of IT leaders would like a consolidated event management system for contacting internal security stakeholders and external partners – a critical element in reducing the impact of a potentially devastating supply chain attack.
Don’t be afraid to lean on others for support
The threat of cyberattacks through the software supply chain remains imminent. As such, businesses and public sector organisations must be planning their prevention and response strategies now.
It’s true that any large organisation should put its trust in itself to keep its software safe from hacks – but there’s also no need to become overburdened. Solutions based on AI technology, backed by professional support on call 24x7, can re-establish confidence in a secure software supply chain.
After all, who would you rather be? One of thousands of organisations all hacked at once, or the company that stands its ground with a prevention-first approach in the face of highly sophisticated attacks?