Supply chain security to pose major threat in 2022
- Date: 30 March, 2022
Many industry observers believe that supply chain security will be a major theme in 2022 but why is this the case and what can be done to help reduce the risk?
It’s that time of year when experts come up with their predictions on what the significant trends and business challenges are likely to be in the coming year. And it’s no real surprise that supply chain security features prominently in such lists, particularly given the way in which the pandemic has exposed our reliance on interconnectivity in modern supply chains and how a chain reaction triggered by one attack on a single supplier can compromise a network of providers.
These concerns are certainly reinforced when we look at the results of recent research, for example:
- A report from Aqua Security claims that supply chain attacks grew by 300% from 2020 to 2021
- Anchore released its second annual report of executive insights into managing enterprise software supply chain security practices, showing that 62% of all organisations were impacted by software supply chain attacks in 2021. Of these, technology companies were the most affected, with over 70% reporting attacks
The reality is that data breaches, ransomware attacks and malicious activities from insiders or attackers can occur at any tier of the supply chain. And if cyber attackers can find a way to infiltrate the security of just one partner in the ecosystem, they can also gain easy access to several organisations’ information.
A prime example of this was the SolarWinds data breach, where a weakness in the company’s systems resulted in a compromised software update rolling out to tens of thousands of clients.
Given the numerous high-profile supply chain cyberattacks seen in 2021, it’s clear that supply chains are firmly in the crosshairs of hackers. The upshot is that, according to KPMG’s 2021 UK CEO Outlook Survey, 81% of leaders say that protecting their partner ecosystem and supply chain is just as important as building their own organisation’s cyber defences.
However, this is not always as straightforward as it might appear. For example, the vetting processes used for suppliers are inconsistently applied and sometimes absent altogether. In the absence of any consistent mechanisms for demonstrating ‘cyber readiness’, assumptions are often made.
As a starting point, organisations across a whole supply chain network need to agree to work closely together, implement stringent policies and deploy appropriate cyber security tools in order to protect both themselves and their partners from attacks.
The question is how best to achieve this. The reality is that there is no one panacea for supply chain security; instead, organisations should seek to protect their supply chains with a combination of layered defences. Here are just a few of the approaches that can be adopted to manage and mitigate supply chain security risk.
Zero trust: Attackers typically exploit trust, be it human trust between supply chain partners or the trust we have between our applications. The aim should be to evolve from implicit trust to zero trust.
Identify the components of the supply chain: Understand the breadth and nature of your supply chain. In addition to primary, secondary and possibly tertiary providers, there will also be upstream and downstream providers. To this end, it is vital to establish every single organisation with which you do business. In addition, you should prioritise these organisations in terms of their importance to your business and establish how you want to work with them. After all, if you don’t know the scale and nature of your supply chain, how can you begin planning how to protect it?
Effective monitoring: It is important to be able to detect when something goes wrong in the supply chain network. This could be achieved, for example, through the use of continuous controls monitoring: carrying out regular checkpoints over time – daily, weekly or monthly, depending on what is being monitored – will reveal changes as they occur and allow data and trends to be compared over time.
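As an added illustration of the checkpoint approach described above (not code from the original article), the snippet below compares two periodic supplier checkpoints, flags controls that regressed, and tracks the failing-control count as a trend. The supplier names, control names, threshold values and checkpoint data are all constructed assumptions.

```python
"""Continuous controls monitoring: diff periodic supplier checkpoints."""

# One checkpoint = the recorded state of each supplier's controls on a date.
# Layout: date -> supplier -> {control: observed value}. All values are
# constructed sample data, not real suppliers or measurements.
CHECKPOINTS = {
    "2022-03-01": {
        "acme-parts": {"mfa_enforced": True, "patch_age_days": 12, "update_sig_valid": True},
        "widget-co":  {"mfa_enforced": True, "patch_age_days": 30, "update_sig_valid": True},
    },
    "2022-03-08": {
        "acme-parts": {"mfa_enforced": False, "patch_age_days": 19, "update_sig_valid": True},
        "widget-co":  {"mfa_enforced": True, "patch_age_days": 37, "update_sig_valid": False},
        "new-vendor": {"mfa_enforced": True, "patch_age_days": 2, "update_sig_valid": True},
    },
}

# Policy thresholds (assumed values) turning each observed value into pass/fail.
# A missing control counts as a fail rather than raising on None.
THRESHOLDS = {
    "mfa_enforced": lambda v: v is True,
    "patch_age_days": lambda v: v is not None and v <= 30,
    "update_sig_valid": lambda v: v is True,
}


def diff_checkpoints(prev, curr):
    """Return (supplier, control, change) findings between two checkpoints."""
    findings = []
    for supplier in sorted(set(prev) | set(curr)):
        if supplier not in prev:          # supplier appeared since last checkpoint
            findings.append((supplier, "supplier", "added"))
            continue
        if supplier not in curr:          # supplier dropped out of the checkpoint
            findings.append((supplier, "supplier", "removed"))
            continue
        for control, check in THRESHOLDS.items():
            before = check(prev[supplier].get(control))
            after = check(curr[supplier].get(control))
            if before and not after:
                findings.append((supplier, control, "regressed"))
            elif after and not before:
                findings.append((supplier, control, "recovered"))
    return findings


def failing_counts(checkpoints):
    """Trend view: number of failing controls at each checkpoint, in date order."""
    return [(date, sum(not check(ctrls.get(c)) for ctrls in snap.values()
                       for c, check in THRESHOLDS.items()))
            for date, snap in sorted(checkpoints.items())]
```

Running `diff_checkpoints` on consecutive checkpoints each period and alerting on any "regressed" or "added" finding is the detection step; `failing_counts` gives the trend line to compare across periods.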
Establish a risk management framework: Organisations should implement a strong risk management framework that looks both inward and outward. As part of this, you should evaluate key suppliers on their security risk in order to protect your organisation effectively. Understand that the risk of your key supply chain partners is also your security risk and act accordingly.
Consider the potential role of AI and machine learning: Look at the ways in which emerging cybersecurity technologies can be used to ease the pressure on your supply chain security activities. For example, AI can be used to proactively detect suspicious behaviour by identifying anomalies, patterns and trends that suggest unauthorised access. Alternatively, if your monitoring activities generate more data than manual processes can handle, consider the role of machine learning in interrogating the information captured and turning it into intelligence that you can act upon.
In 2021, the resilience of supply chains was tested to breaking point. Undoubtedly, cyber criminals will continue to look for ways to capitalise on our ever-growing reliance on supply chains, taking advantage of the many loopholes and weaknesses that exist. So, when planning your strategy for their security, it’s vital to bear in mind that a supply chain is only as strong as its most vulnerable entity.