The SolarWinds hack of 2020 woke the world up to the danger of supply chain hacks.
Hackers targeted SolarWinds, a Texas-based provider of network monitoring platforms, by injecting malicious code into one of their premier products, the Orion IT monitoring and management software.
This program is used by literally thousands of enterprises and government agencies worldwide.
What SolarWinds reminded everyone of is that a hack isn’t always an attack on just one company.
It can be an attack on an entire global system.
Nearly two years after the SolarWinds incident, government agencies and independent researchers are all pointing to a clear trend:
Supply chain hacks are exploding.
Fertile ground
The direction the IT world has been moving in over recent years is what lies at the root of this problem.
As Levi Strauss’s CISO Steve Zalewski put it, “We don’t keep it in house anymore.”
The sophistication and fast pace of IT development have forced companies to rely on more and more third-party vendors to innovate and deploy new products and services.
With time, this has created an incredibly convoluted web of supply chains where an endless number of open-source codes and core programs are all enmeshed in software creation cycles.
Now put yourself in the shoes of an infosec executive for a minute:
Considering the impenetrably complex nature of this supply chain quagmire, would you be excited to invest your time and energy into sorting it out before taking on a platform or application for your company?
I thought not.
It’s no surprise that few companies have any real visibility across their digital supply chain. Research conducted by US security leader Imperva found that most firms are oblivious to the safety issues of 95% of the software they use. Even the security professionals themselves admit they are flying blind, with most saying they don’t have a solid understanding of the risks vendors pose to their networks.
In short, the current state of IT development has created a huge security liability that is so complicated that individual companies avoid dealing with it.
And that means open season for hackers.
More “traditional” attacks would focus on specific security vulnerabilities in order to penetrate specific targets. Now cybercriminals can simply insert themselves at some point in the murky digital supply chain. Take the recent npm time attack reported earlier this month. The hack reveals the names of private packages so hackers can release malicious clones publicly to trick developers into using them instead. This “poisoning the well” is a sure win for cybercriminals who know most networks are not on guard for these types of supply chain methods.
Time for a reframe
The digital supply chain problem is not going away.
On the contrary, as our technology becomes more sophisticated, the development of applications and tools will rely even more on an ever-growing web of software and code.
The solutions to the supply chain problem until this point have been, to put it bluntly, a huge disappointment. Traditional security management approaches, which rely primarily on service agreements to ensure a product’s safety, have all fallen short. Not only do they fail to give buyers substantive insight into the programs they’re purchasing, they also end up sucking up time and resources from already strained IT departments. Research by Ernst & Young showed that a typical risk assessment questionnaire has nearly 200 questions, and more than 30% of organizations have over 1,000 suppliers to assess.
All of this points to a hard fact. The increase in third-party risk burdens on companies is simply not sustainable. The time has come for a paradigm shift.
By shifting the security responsibility onto vendors, the technology we have today can offer real and concrete insight into vendor liability.
Not only will this increase actual security for companies, but it also comes with the invaluable benefit of cutting out nearly all of the menial work attached to security documentation.
Learn how Vendict is empowering firms to take control of their supply chain security, achieve compliance, and cut out nearly all the menial work.
