Am I part of the problem?

Everyone is at risk from a supply chain attack, but are we all aware of our responsibilities? 

Craig Houston

The supply chain is changing, of that there can be no doubt. Just a few short years ago, it was a linear, mostly one-dimensional structure that was relatively easy to police and manage.

However, this is absolutely no longer the case, with many different actors now involved – ranging from start-ups and solo entrepreneurs to multinational corporations.

Take Amazon as an example. The retail behemoth deals with thousands and thousands of different vendors of different sizes. Each one of those endpoints represents a potential avenue into Amazon’s network and a way of exposing a company that posted an operating profit of USD 7.7 billion in the second quarter of 2021.

The Butterfly Effect

This is obviously an issue, as an enterprise runs the risk of being taken down by a one-person operation running out of the spare bedroom. And this is where the problem lies: while large companies have the understanding and resources to keep themselves safe, smaller businesses either do not consider themselves worthy of an attack or feel they cannot afford to equip themselves with the correct level of security.

Harri Ruusinen, Director, Global Sales Engineering at WithSecure, believes there is a pattern there. “For larger companies, it is now just a way of life. They understand that certifications and background checks need to be done. However, smaller companies are being caught out when they are asked by customers to adhere to protocols. It may well be the case that attackers don’t want your data, but you may well have certain customers that those attackers could utilize.”

Tuomas Miettinen, WithSecure’s Technical Sales Enablement Manager, believes a breach can do untold damage to smaller businesses. “Often, smaller companies don’t understand that this is still the kind of risk management that they need to do. If they are related or the root cause of a breach, it can have severe implications because it is all about trust. Once that trust is lost, it is very difficult to get back.”

Starting point

Getting smaller companies to understand that they could bring down an entire supply chain and permanently alienate customers brings with it a lot of fear. Small firms, particularly with everything going on just now in the world, are looking to make savings wherever possible and the thought of having to spend on security is daunting.

“Of course, putting controls in place and gaining visibility can take a whole team. But, what smaller companies can do is to make sure that the building blocks are in place and that they are using secure solutions. They need to make sure they protect all the data they are processing and this is where they can seek out the help of partners, who will be happy to provide exceptional service and visibility in case of attacks and risks,” says Miettinen.

“I think the first part really is understanding your risk management. Can you really afford to have a cyber incident happen to you that could lead to a supply chain attack? After that, installing Endpoint Protection (EPP) and Endpoint Detection and Response (EDR) is crucial, making sure that you have the capabilities to prevent, detect and respond to incidents, as well as knowing who you can contact if you suspect a breach. Basically, you need to find a cybersecurity partner, who can help you whenever required. After all, it makes sense to align yourself with an expert with decades of frontline experience,” according to Ruusinen.


What next?

As we are all aware, the attackers are getting more sophisticated. That means we have to be one step ahead at all times. So, what should we be looking out for in the near future when it comes to supply chain protection? 

Collaboration is key. The sharing of knowledge and allowing the experts to do what they do best will allow us all to work safer. But with increased collaboration comes more endpoints and therefore more risk of attack. As we move towards the cloud, we need to ensure that everyone is aware of their responsibility within the structure. 

“We need to take care of our cloud collaboration as we move forward. It could be that you are building a community in the cloud that multiple partners are using. Therefore, it is your service but external organizations are sharing files within it. This means you need to keep both yourself safe, but also avoid others bringing in risks,” says Miettinen.

“Leading on from that,” warns Ruusinen, “it is every company’s responsibility to take care of their identity – such as username, password and multi-factor authentication. Make it as complex as possible for the attackers to steal an identity, because they can be really easily used in supply chain attacks.”

To finish, what piece of advice would our experts offer for here and now?

Miettinen is quick to reply: “While we have machine learning and AI, we need to remember that humans are still required to make the final decisions. So, believe it or not, we are still superior! Machines help to eliminate a lot of the noise and create visibility, but humans must review and take that final step.”

“To put it bluntly: buy good cloud services, because there are a lot of people making sure the platform is secure and remember that responsibility belongs to your organization,” Ruusinen concludes. 
