5 Supply Chain Security Trends
Cybersecurity risks in the supply chain keep growing. The threat landscape of malware, ransomware, phishing attacks, and viruses is constantly expanding, making supply chain security management a game in which the rules always seem to be changing.
These are the latest trends in supply chain security:
1. Pivoting to DevSecOps
In the face of new supply chain security threats, DevSecOps is starting to take center stage.
DevSecOps stands for development, security, and operations. It’s an approach to culture, automation, and platform design that puts the spotlight on security by integrating it throughout the entire IT lifecycle.
Historically, organizations have treated security as the last stop in the development cycle. But with supply chain security threats on the rise, teams are realizing that security requires an all-hands-on-deck approach and can no longer remain the security team’s responsibility alone. Instead, security must become a shared responsibility across teams and an essential part of business operations, integrated into the development process from beginning to end.
A survey from Anchore among 400 enterprises reports that 42% of senior security and IT teams have already implemented a DevSecOps center of excellence to begin pivoting to the new security approach; 37% plan to start soon.
Most importantly, pivoting to DevSecOps means finding new ways to collaborate across teams. All teams — from security to DevOps to development — should feel shared ownership of security and compliance. And it’s up to team leaders to instill this new culture of collaboration, in which security is everyone’s concern.
2. Understanding New Federal Mandates
With cybersecurity risks in the supply chain rapidly growing, the federal government is taking notice.
In May 2021, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity with the intent to help both public and private organizations identify, deter, protect against, detect, and respond to malicious cyber campaigns.
For federal agencies and federal contractors, this means modernizing their technology environments and security practices; in other words, adopting a software supply chain security framework is now federally mandated.
For private enterprises, on the other hand, Biden’s executive order puts the focus on software supply chain security and enhancing software transparency. For example, the order outlines new actions for secure software development environments, including providing purchasers with a Software Bill of Materials (SBOM) for each product or publishing it on a public website. By better understanding the elements that make up their software, organizations can better position themselves to prevent and remediate attacks, reducing cybersecurity risk across the supply chain overall.
With these new demands for software transparency, the federal government aims to guide private organizations to develop more robust supply chain security management.
3. Prioritizing Third-Party Risk Management
Perhaps the greatest threat to supply chain security today is the growing risk of third-party attacks.
One famous example is the SolarWinds supply chain attack. When hackers breached software company SolarWinds, they were able to gain access to one of its products, Orion, an IT performance monitoring system. Because SolarWinds Orion manages IT environments, it has privileged access to hundreds of other companies’ IT systems. Once hackers breached Orion, they were able to send malicious updates to thousands of SolarWinds customers, ultimately infiltrating U.S. government agencies, Microsoft, and more than 30,000 other public and private organizations.
While the SolarWinds hack is one of the largest (if not the largest) recorded supply chain attacks of its kind, it is certainly not the only instance of hackers using a third party to wreak havoc. And as organizations’ connections to, and thus dependencies on, third-party vendors, suppliers, and other partners continue to increase, third-party risk management must become the central focus of supply chain security management. This means developing strategies to identify, monitor, assess, and mitigate the critical risks that come with an increasingly global supply chain.
Every new third party an organization collaborates with opens the door to new cybersecurity vulnerabilities. Organizations must elevate third-party risk management to a top security priority to build defenses against these new cybersecurity risks in the supply chain.
4. Performing Ongoing Self-Assessments
Besides managing the risks of working with third parties, organizations also need to keep a watchful eye on themselves.
For diligent supply chain security management, self-assessments should not just be an annual task to check off the to-do list but an ongoing procedure in which all team members play a key role. These ongoing self-assessments are vital for staying up to date with any and all risks that can threaten the supply chain.
Certainly, risk assessments are an important part of any cybersecurity posture. But they are not a one-and-done procedure. The threat landscape can change dramatically just a few months after a risk assessment. This can leave your assessment irrelevant at best and woefully negligent at worst.
To maintain an accurate picture of the risks in your supply chain, teams need new automation tools to monitor their current cybersecurity posture continuously. For example, the Baldrige Cybersecurity Excellence Builder is one self-assessment tool that helps organizations better understand the effectiveness of their cybersecurity programs while identifying opportunities for improvement. ISACA (the Information Systems Audit and Control Association) has also developed an audit program based on the NIST framework to help organizations assess the effectiveness of their identify, protect, detect, respond, and recover processes and activities.
5. Managing the Risks of Remote Work
After the throes of COVID-19, many executives are eager to have their employees back in the office — but as much as 80% of people expect to continue working from home at least a few days a week. While the pros and cons of working from home may be a great subject of debate, one thing that’s certain is the rampant cybersecurity risk that comes with a dispersed remote workforce.
With employees scattered around the globe, hackers now have more endpoints to exploit than ever before. Sure, you can introduce strict security protocols for your own organization, but employees working remotely for your third-party partners are well out of your immediate control — and this is where cybersecurity threats to the supply chain abound.
For example, at home, employees may use their personal devices for work. Or, they may use their work devices to surf the web and download untrusted apps. Even if employees properly use their work devices, they’re often connected to home or (even worse) public WiFi networks, which makes them vulnerable prey for bad actors.
Typical Band-Aid solutions like VPNs aren’t enough to constitute a cybersecurity defense, as they require blind faith that employees outside your organization will follow best practices.
Again, managing the risks of remote work comes back to prioritizing third-party risk management. Communicating with all of your third-party partners and establishing strong security protocols together is the best way to protect vulnerable endpoints — for everyone involved.
Supply chain security management is a never-ending task as threats must be continuously evaluated and defenses perpetually maintained. But perhaps the most important trend in supply chain security is communication and ensuring all hands are on deck when it comes to prioritizing security.