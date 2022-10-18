
With a global economy mired in rising nationalistic fervour, geopolitical instability, post-COVID disturbances, and financial turmoil, companies have been forced to rework their physical supply chains in response to these global uncertainties. However, there is a blind spot regarding potential vulnerabilities in the technologies companies have developed and implemented.
For the past few decades, globalisation has been the norm, with integrated supply chains across continents facilitating the delivery of products and services. Governments and enterprises have spent years fine-tuning the kinks to ensure that supply chains are cost- and time-optimal. The driving philosophy in some cases was “A chain is no stronger than its weakest link”, a quote which first appeared in an essay by Scottish philosopher Thomas Reid in 1786.
The genesis
Digital initiatives are integral to how governments, enterprises, and citizens operate today. Every industry, legacy or new age, seems to have a “tech” add-on next to it, e.g., edtech, govtech, agritech, fintech, etc. These technology transformations combine hardware, software, appliances, and services provided by players big and small from around the world. To add to the complexity, they are procured and managed independently by various parts of the organisation, resulting in a heterogeneous and often unaccounted-for footprint.
The challenge
According to a report by IBM in 2021, one in every five successful attacks was linked to a supply chain vulnerability, and it takes 26 days more than the average to identify and contain such attacks. Take a look at the following well-publicised cases:
So you get the drift — be it application software, platforms, hardware, chipsets, or service providers, attackers are targeting them to create a much broader impact and potentially reach hundreds, if not thousands, of companies.
What can be done?
“What you don’t know can’t hurt you” may have been the oft-quoted excuse for not worrying about unknown problems. However, an unknown technology footprint can create significant headaches for the organisation. One needs to live by the new maxim: “What you don’t know can hurt you.”
At an organisational level, it is crucial to understand not only your third parties but also the technologies they have deployed and the underlying platforms and hardware they use. A classic case of this was the Apache Log4J vulnerability, as most companies were unaware of their providers' systems and whether those providers were using Log4J as part of their product. Some of the best practices that one could look at for managing supply chain risks are:
While the above points pertain primarily to how one interacts with third-party providers, there are a few things that one can look at doing from a hygiene perspective.
In summary
In this technology-enabled, connected world, the most significant risk and the weakest link stem from that one small piece of hardware or software in a remote corner with a chance of bringing the company to a standstill. It is high time that organisations and security professionals focus on this blind spot and find a way to stay abreast of risks and mitigate them.
— The author, Pankit Desai, is CEO & Co-Founder of cybersecurity startup Sequretek.
