Software Supply Chains bring Unwanted Risk to your Business
Corporate Boards of Directors (BoD) can no longer ignore the elephant in the room. According to a recent threat intelligence report, “2021 has become known as the year of the software supply chain attack.” With more processes now running digitally, attackers can go far beyond stealing information to disrupt many operational functions. Potential liabilities from supply chain attacks could reach $50 billion by 2023, while up to 75% of CEOs could be held liable.
Meanwhile, the attack surface of the software supply chain keeps expanding, fueled by work from home initiatives, digital transformation projects, the growing adoption of business intelligence systems and specialized applications for line of business and departmental use cases. Together, these all add up to thousands of applications being deployed across the average company, many with privileged access to protected resources and data. No wonder hackers prefer to target underlying software for vulnerabilities as a back door into an organization, rather than trying to hack directly into systems and data repositories which are much better defended.
Cybersecurity is business resiliency
When it comes to managing software supply chain risk, an organization’s BoD should look to recent physical supply chain incidents for lessons that can be applied to its digital twin. Three main areas can show corporate directors the path forward.
- Insuring third party resilience: Validating the resilience plans of a vendor supplying software or cloud services can be similar to vetting procurement of computer chips or raw materials. The organization needs to establish which supplies are systemically critical, and then validate and test them before committing to a supplier.
In the digital world, resilience planning needs to establish the same factors and develop plans to account for the risk software introduces to your enterprise across many functions. This includes establishing what information is accessible to which software programs, and the sensitivity of that data, along with the security level established by the vendor.
Third parties, especially smaller software vendors with fewer security resources, can be a weak link in the security mesh protecting your business. Does your organization test the security of software before and after deployment to check for vulnerabilities (like those found in the SolarWinds case) or just assume the vendor’s security posture matches yours?
Software should be treated as a raw material like those used in a manufacturing process. This requires a plan to detect and address software vulnerabilities in procured software, whether it is rejecting the software or mitigating the flaw in coordination with the vendor.
- Diversify vendor portfolio: War and natural disasters that shut down ports and manufacturing hubs have taught businesses the risk of single-source procurement. All it takes is one shock to bring down the physical supply chain. Enterprises have learned to reduce that concentration of risk by spreading the supply chain across locations and diversifying their vendors, when possible.
The digital supply chain suffers from a similar concentration of risk, often unseen. Especially since most software developers rely on popular open source code libraries they can cut-and-paste into their programs to run basic functions, rather than build those capabilities from scratch.
These open source libraries are convenient, but they can also contain security vulnerabilities or intentionally malicious code as the world saw with the recent Log4j vulnerability which was found tucked away in everything from games like Minecraft to cloud infrastructure operated by Amazon and Apple. Open source libraries can be found in multiple applications deployed in the average company. If compromised, these can impact a business in multiple ways and places.
Corporate BoDs need to ask some basic security questions:
- Just how well do we know the software being installed?
- Are we relying on one vendor or should software applications be diversified?
- What is the risk to the organization when a critical vulnerability is disclosed in an important software application?
- Test the ecosystem. This is where resilience planning and vendor diversification come together. In the brick-and-mortar world, the procurement function has backups to find supplies if the preferred vendor is suddenly unavailable. The switch may cause a temporary disruption, but not one as severe if alternatives are not available.
The digital supply chain needs the same flexibility. Staff responsible for digital infrastructure needs to survey alternative software vendors and establish a benchmark that is pre-vetted, so they can pivot to a new supplier if a breach is in progress or a major vulnerability is detected. Having this flexibility will enable the organization to only incur minimal downtime and disruption so customers are not impacted.
Just as the BoD reviews operational security and disaster recovery plans to make sure the business can operate through wars and natural disasters, it needs to be aware of backup plans to keep digital processes running during potential cyber disruption. The board needs to know how to handle the announcement of a major software vulnerability discovery and where to access that plan in an emergency.
Gartner has predicted that by 2025, cyber attackers will have the capacity to harm or even kill people by breaching the digital systems running many enterprises today. Now is the time for boards to take charge and apply what they have learned from keeping the lights on in the brick-and-mortar world to protect their digital supply chain from taking down the business.
Shelley Leibowitz is former CIO of the World Bank and a public company Director.
Jim Routh is former CISO of MassMutual, CVS Health, Aetna, JP Morgan Chase and a Board Director at GrammaTech.