Examples

One example of a cybersecurity supply chain attack is the 2017 NotPetya attack, which affected companies worldwide. The attack was carried out by infecting a popular software tool used by many companies with malware.

Another example is the SolarWinds attack, which was discovered in December 2020. In this attack, hackers injected malware into ‘SolarWinds’ software development process, allowing them to gain access to sensitive data from several high-profile targets.

3rd party vendor in the supply chain

Third-party vendors can play a critical role in the supply chain and introduce additional risks. Organizations should evaluate the security posture of their suppliers, including their security policies and procedures and their track record in delivering secure products and services.

What to look for

Organizations acquiring software should consider its use, as with other ICT. Reviewing the source code can also help identify any potential vulnerabilities. Additionally, organizations should evaluate the security posture of their suppliers, including their security policies and procedures and their track record in delivering secure products and services.

How to mitigate

Organizations should establish a comprehensive supply chain risk management program 1 to mitigate cybersecurity supply chain risks. This should include processes for identifying and assessing risks and procedures for managing and mitigating those risks. Other necessary steps include implementing security controls, such as encryption and access controls, and monitoring the supply chain for any signs of compromise or vulnerability. Establishing clear
communication channels with suppliers and working collaboratively to address any security issues is also essential.