26 May 2023
I’ve just returned from a much needed extended break. While I was away, I was thinking about my last blog, Cyber Security as a Business Enhancement and Enablement Strategy and how that could also be extended to those that extend your enterprise – the Supply Chain. After all, isn’t your customer thinking of you as the provider and not looking past you to the Supply Chain?
So I was thinking, what happens if some bad actor gets into your Supply Chain and implants code to be used later? Much like the Manchurian Candidate, something we trust is later found to be compromised. An attack of exactly that type made big news when it happened with SolarWinds – remember that, a few years ago?
“The attackers managed to modify an Orion platform plug-in called SolarWinds.Orion.Core.BusinessLayer.dll that is distributed as part of Orion platform updates. The trojanized component is digitally signed and contains a backdoor that communicates with third-party servers controlled by the attackers.” – (SolarWinds)
The same thing has happened recently with 3CX. We shouldn’t be surprised, though. Attacking the supply chain can be much easier than attacking the “defended castle” that so many enterprises have become. We need to defend our enterprises, but I suggest that this is the entrance fee to the game, not the end of the journey. Times have changed, and so should our approach to cybersecurity. We should consider the Supply Chain to be an extension of “us” that sits outside the protected confines of our “defended castle”, and it deserves much more scrutiny and attention than many CISOs and CIOs give it.
My rationale? Companies have one IT group reporting to a CIO. The average US company has thousands of suppliers, yet we spend very little time, resources, and energy securing the supply chain. Folks I talk to seem to believe, inaccurately, that security is taken care of by the supplier.
Unless and until we extend our cybersecurity efforts to the supply chain with the same fervor we apply to the “defended castle”, we’ll continue to have bigger and bigger problems due to supply chain weaknesses. Like this, for example. In the next entry, we’ll talk about the impact of NOT paying enough attention to supply chain cybersecurity.