Supply chain cyberattacks are a clear and present danger to organizations in all industry verticals, but many companies are underestimating the threat. A recent study found that over half of IT leaders feel that using “known, trusted software” is sufficient protection against supply chain attacks — even though these attacks have hit many well-known and trusted companies over the past year, including IT provider SolarWinds and software developer Kaseya. In a recent blog post, Microsoft warned of an alarming increase in “targeted attacks” against “resellers and other technology service providers” of its cloud service.
Understanding Supply Chain Attacks
Supply chain attacks take advantage of today’s highly distributed data environments, where even small or mid-sized companies could have hundreds of third-party applications, systems, and hardware operating within their network, with many of these components requiring privileged access to work properly.
In a supply chain attack, the company that’s initially breached isn’t the ultimate target; its customers and business partners are, which is why supply chain attacks strike managed service providers (MSPs), SaaS developers, and other companies that sell software and IT services. By breaching a single service provider’s network, cybercriminals can gain entry into dozens, even hundreds or thousands of other organizations, including multinational firms and government agencies.
Preventing Supply Chain Attacks
Stopping supply chain attacks requires a coordinated effort by both IT service providers and the companies they serve. Organizations can no longer limit their cybersecurity efforts to their own networks; they must include software supply chain security in their broader cybersecurity strategy and ensure that their vendors are engaging in solid security practices. This applies not only to organizations outside of the tech industry but also to MSPs, SaaS developers, and other IT service providers themselves — who have the same distributed data environments their customers do. Here are some best practices:
- Establish clear and comprehensive security requirements for your vendors, and insist on proof that their security controls are sound. Consider requiring that your vendors hold a SOC 2 Type 2 report, an ISO 27001 certification, or a similar independent attestation of their controls.
- Apply all software and firmware updates as soon as possible, as these updates frequently contain important security patches. At the same time, verify that each update is signed by the vendor and roll it out in stages: the SolarWinds compromise reached its victims through a trojanized, vendor-signed update, so patching discipline has to be paired with integrity checks rather than blind trust in the update channel.
- Prevent lateral movement within your network by properly segmenting it, and by controlling user, device, and application access with role-based access control (RBAC) and least-privilege access.
- Implement a zero-trust security architecture and comprehensive password security controls, including strong, unique passwords for every account, multi-factor authentication (MFA) on every account that supports it, and an enterprise password management (EPM) platform such as Keeper.
- To further protect employee passwords, implement a Dark Web monitoring solution such as Keeper BreachWatch™ for Business. BreachWatch scans Dark Web forums and notifies organizations in real time if any employee passwords have been compromised, enabling IT administrators to force password resets right away.
Keeper’s zero-knowledge, enterprise-grade password security and encryption platform gives IT administrators complete visibility into employee password practices, enabling them to monitor adoption of password requirements and enforce password security policies organization-wide. Keeper takes only minutes to deploy, requires minimal ongoing management, and scales to meet the needs of any size organization.
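To make the "compromised-password check without exposing the password" idea above concrete, here is an added example of how a breach-monitoring check can be done so that the monitoring service never learns the employee's plaintext or full password hash. This is illustrative code written for this article, not Keeper's or BreachWatch's implementation: it assumes the widely used k-anonymity range-query design (client sends only the first 5 hex characters of the SHA-1 hash; the service returns every known suffix under that prefix; the client compares locally). The breach corpus and the employee credentials are constructed sample data embedded inline.

```python
"""Breached-password check via k-anonymity range queries (added example, not Keeper's code)."""
import hashlib
from typing import Callable, Dict, List

# Constructed sample breach corpus: what a monitoring service might have
# collected from leaked credential dumps. Real corpora hold hundreds of
# millions of entries, so each 5-character prefix bucket is large.
BREACHED_PASSWORDS = ["password123", "Summer2021!", "letmein", "qwerty", "Welcome1"]

# Constructed sample employee credentials (hypothetical users and passwords).
EMPLOYEE_CREDENTIALS = {
    "alice@example.com": "Summer2021!",          # present in the corpus
    "bob@example.com": "correct-horse-battery-staple-9x",
    "carol@example.com": "Welcome1",              # present in the corpus
}

PREFIX_LEN = 5  # hex characters sent to the service; remaining 35 stay local


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 digest, the hashing convention used by range-query APIs."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(passwords: List[str]) -> Dict[str, List[str]]:
    """Service side: bucket every breached hash by its 5-char prefix.

    The service stores only hashes, and answers queries by prefix, so it
    cannot tell which specific password a client is checking.
    """
    index: Dict[str, List[str]] = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], []).append(digest[PREFIX_LEN:])
    return index


def make_range_query(index: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Return a function that behaves like the service's range endpoint."""

    def range_query(prefix: str) -> List[str]:
        if len(prefix) != PREFIX_LEN:
            raise ValueError("range queries accept exactly %d hex characters" % PREFIX_LEN)
        return list(index.get(prefix.upper(), []))

    return range_query


def is_compromised(password: str, range_query: Callable[[str], List[str]]) -> bool:
    """Client side: hash locally, send only the prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in range_query(prefix)


def audit_credentials(credentials: Dict[str, str],
                      range_query: Callable[[str], List[str]]) -> List[str]:
    """Return the users whose passwords appear in the breach corpus (force-reset list)."""
    return sorted(user for user, pw in credentials.items()
                  if is_compromised(pw, range_query))


if __name__ == "__main__":
    query = make_range_query(build_breach_index(BREACHED_PASSWORDS))
    for user in audit_credentials(EMPLOYEE_CREDENTIALS, query):
        print("force password reset:", user)
```

The point of the split is the trust boundary: `audit_credentials` and `is_compromised` run on the client, and the only thing crossing to the service is a 5-character hash prefix, which on a real-sized corpus matches many unrelated passwords. An administrator can run the audit over the vault export and feed the returned user list into a forced-reset workflow.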
As seen on Keeper