Cybercrime continues to be a major global concern. Cybercriminals are using ever more sophisticated approaches and exploiting every possible means to intercept valuable data or disrupt IT systems. Organizations targeted and impacted by these attacks, including businesses, critical entities, governments and entire economies are being left facing serious financial consequences and operational disarray. According to estimates from Statista’s Market Insights, the global cost of cybercrime is expected to surge in the next four years, rising from $9.22 trillion in 2024 to $13.82 trillion by 2028.
One channel used by hackers that is fast becoming a key concern is the IT supply chain. Cybercriminals are exploiting vulnerabilities at third parties of an organization’s supply chain such as vendors, suppliers and logistics and transportation companies in order to infiltrate the organization’s IT systems or access physical components destined to be implemented in products. Speculation that the recent device attacks in Lebanon were the result of third-party tampering highlights the crucial need to better secure not only software supply chains but also hardware. But how much of a threat does the IT supply chain really pose and what can be done to minimize the risks?
Chief Product Security Officer at Alcatel-Lucent Enterprise.
The weakest link
The SolarWinds cyberattack in 2020 which compromised the systems, data, and networks of thousands of organizations including the US government is the most notorious example of a wide-scale software supply chain attack. But despite the exposure of the case and acknowledgement of the need to address the issue of securing the supply chain, there have been numerous others. These include attacks on Okta, Norton, 3CX, JetBrains, Airbus and Microsoft, all of which have been equally crippling to the enterprises affected. Since 2021, cyberattacks targeting supply chains have surged 431%, according to a report published last year by insurance provider Cowbell. And industry analysts see little signs of the issue abating; Gartner predicts that the costs from these attacks will rise from $46 billion in 2023 to $138 billion by 2031.
For organizations and enterprises, the threat of exposure to attack through the supply chain is a major cause for concern. Unlike the full visibility and control they have over their own systems, to date organizations have had little reassurance that their suppliers and partners have implemented the same high standards of security. Indeed, a recent white paper published by Reuters and Cargowise, highlighted how 94% of supply chain executives were concerned about vulnerabilities in their technology stack, with 24% very or extremely concerned.
Regulators seek to bring standardized security to the supply chain
Such is the concern around the threat posed by the IT supply chain that authorities are starting to bring in regulation to curb the number of incidents. In October this year the new EU Network and Information Security version 2 (NIS2) Directive came into force. This new legislation was brought in to establish a uniform and improved level of cybersecurity across European Union countries. Critically, along with organizations operating in sectors such as public administrations, transport, energy, health and banking, companies supplying goods or part of IT supply chains must also adhere to NIS2.
NIS2 will surely help to raise greater awareness of the need to secure network infrastructure and ensure security measures are adhered to throughout the IT supply chain. However, beyond compliance with the new ruling, organizations and technology providers ultimately need to take responsibility for ensuring their prized data – and that of their customers – has the highest level of protection against theft or system attack. But how do they go about this?
Mitigating the risk of attack via the supply chain
Each enterprise or organization has its own unique supply chain composed of relevant third parties required to bring its specific solutions or services to market. As such there is no ‘one way’ of securing the supply chain, however there are measures that all enterprises should undertake to ensure their supply chains – both for software and physical components or products – are as watertight as possible, these include:
Screening suppliers: before selecting suppliers, comprehensive vetting should be undertaken to verify security practices and ensure trustworthiness Periodic audits: Carrying out regular audits and checks on supply chain partners will ensure they are maintaining the expected security measures SLAs: Implementing contractual security requirements with logistics providers to ensure they have appropriate security measures in place such as tamper-proof seals on trucks Monitoring status of goods in transit: Technologies such as RFID and AI can help to track the location and status of goods throughout the logistics flow.
The use of Gen AI to better monitor location of hardware during transit
The integration of Gen AI into logistics operations is proving not only to make IT hardware supply chains more effective, but also more significantly more secure. Thanks to its ability to extract data, process and structure unstructured data, like emails, it provides an unprecedented level of visibility into the flow of goods, tracking both their location and ownership at every stage.
The integration of Gen AI means that logistics teams are always aware of where shipments are, who is responsible for them, and can quickly respond to potential security threats even before an incident occurs. This level of insight and control is invaluable for organizations seeking peace of mind that all elements in their supply chain are well protected at every stage of production and transfer and that they do not pose any risk of being intercepted or tampered with.
As cybercrime continues to evolve in sophistication and scope, the threat posed by vulnerabilities within the IT supply chain cannot be overlooked. Organizations must confront the reality that their security will only ever be as strong as the weakest link in their supply chain. New regulations such as NIS2 will be critical to ensuring an adequate and standardized approach to security across the supply chain. However, for their own peace of mind and to ensure the integrity of their products and safeguard their valuable data, organizations should look to diligently select supply chain partners, create a culture of transparency and use advanced technologies to ensure accurate tracking and monitoring of sourced components and products. In light of the unrelenting levels of cybercrime today, investing in supply chain security and resilience in order to protect themselves from attack is a relatively small price to pay.
We’ve featured the best business VPN.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro