Is Your Software Supply Chain Your Biggest Cyber Risk?
According to European Union Agency for Cybersecurity’s (ENISA’s), by 2030 the most prominent cyber security attack will be across software supply chains. As organisations move to a more cloud-based approach, the risk of supply chain attacks increases. ‘Trusted’ rather than ‘tested’ usage of cloud applications and third-party platforms is also escalating which is an increasing issue as they become more integrated with internal systems, leading to possible unknown vulnerabilities for organisations.
Recently, there have been multiple alleged cyber security breaches against notable third-party software organisations including the latest today which involves TicketMaster. A report from Hackread claims a group known as ShinyHunters compromised customer data from TicketMaster published 1.3TB of data on a BreachForums site. This breach allegedly involves sensitive PII data such as names, addresses, emails, phone numbers, ticket sales, event details and partial payment card data.
This year we’ve also seen the Mother of All Breaches (MOAB) which included multiple data leaks from multiple sites such as Adobe, LinkedIn, Twitter/X, Canva, JD.com and multiple others. This breach contained over 26 billion records.
In 2023, Discord exposed the personal data of more than 760,000 users. The breach was discovered on August 14, after a database containing the personal information of Discord.io users was put up for sale on the dark web. This breach allegedly released data such as usernames, emails, billing addresses and hashed passwords of people who signed up before 2018.
Also in 2023, MoveIT experienced a supply chain attack which affected 620 organisations including BBC, Zellis, British Airways, Boots and Aer Lingus. This breach included Pii data including staff addresses, dates of birth and national insurance numbers.
As demonstrated by the above examples, it shows that supply chain attacks are becoming more common and can affect any organisation regardless of size or security posture.
How can you limit the impact of a supply chain attack?
Knowing where your data is stored is key
Understanding where your data sits, the technical controls surrounding it and the risk of that data being exposed is crucial in creating a proactive approach to supply chain due diligence. This approach underpins multiple accreditations such as ISO27001 and IASME Cyber Assured and is the key to creating a strong cyber security posture. Without knowing where your data is stored, who has access to it and the technical controls in place then you are helpless in understanding what a supply chain cyber security attack could have against you as an organisation.
Conduct due diligence across suppliers
Just because they’re a big player in the market and have a fancy tagline doesn’t mean they have the security controls you need to feel confident they are going to keep your data secure. The majority of organisations now publish their cyber security accreditations, talk about their approach to data security and highlight any actions they are undertaking. If they claim to have annual penetration tests, ask to see a copy of their recent report. If they claim to be compliant against particular industry standards, ask to see copy of reports. Taking a third party suppliers word that they take cyber security seriously is a dangerous approach.
Implement Strong Authentication Methods
Creating strong and complex password methods across all accounts and ensure that passwords are not reused across multiple applications. If passwords are reused, either personally or through the business, then once a supply chain breach occurs it is highly possible that the attacker can target other suppliers to see if they can gain further unauthorised access. Where it’s available, implement MFA or SSO as a matter of necessity. Whilst it’s not a silver bullet and can still be bypassed with sophisticated attacks, it’s an added level of defence that can be taken. This requirement should also be part of that initial due diligence across suppliers, ensuring that the level of security you require is available within their technical stack.
Ensure that Access Control is limited
As with internal fileshares, implement role-based access control (RBAC) and least privilege across all third-party software and systems.
Educate Staff about the Dangers
As well as educating staff on general security processes such as password management and phishing, it is important to educate them on the dangers of supply chain and ensuring that their digital footprint is as limited as possible. The more places where data sits, with limited technical controls, the more chance you have of data being exposed.
Sign up to Data Breach notifications
With suppliers, sometimes they will acknowledge that they have experienced a data breach to all of their users, however sometimes they might not disclose that information until it’s too late. Signing up to data breach notifications could help you to identify a data breach before it affects your systems or users.
Cyber Audit
Conducting a full cyber audit will help organisations to understand governance processes, where your data is stored and the risks associated with it. This should involve a data mapping exercise across their supply chain to help form the basis of an organisations information asset registers.
Adopting a Governance Framework
Implementing a Governance Framework such as IASME Cyber Assurance, ISO 27001 or international frameworks such as NIST or SOC2 will help organisations to understand their supply chain in more detail and implement the correct level of controls.
For advice and support reviewing your supply chain contact the expert team at PureCyber