“Supply chain attacks”: What they are and why they matter

So-called “supply chain attacks” have become increasingly common, and they need to be front of mind for businesses. In a supply chain attack, the attacker compromises a trusted supplier’s software or hardware and uses it as the carrier for malicious code. Because the supplier’s product is trusted and widely installed, a single compromise can reach every organization downstream: distributors, their customers, and beyond. Security experts hypothesize that these attacks are rising because larger companies have hardened their own defenses, leaving smaller suppliers as the easier entry point. Several of the most prominent data breaches of recent years have been traced back to a compromised supplier.

How can companies reduce the risk of becoming a downstream victim of a supply chain attack? Because the attack exploits the “trusted” status of the supplier, defenses at the company’s own perimeter are not enough on their own; organizational safeguards around that trust are needed as well. Companies and government agencies need to vet potential suppliers more thoroughly, set higher security requirements during contract negotiations with them, and put ongoing monitoring in place for current suppliers rather than assessing them only once.

This month, the Biden administration issued a Cybersecurity Executive Order (Executive Order 14028, “Improving the Nation’s Cybersecurity”, May 2021) that sets new minimum security standards for companies that provide software to federal agencies. The same standards and vetting process are just as crucial for private companies that want to prevent a breach through a compromised supplier and to protect every party in their own ecosystem. Businesses must now thoroughly vet not only their software suppliers but also the parties in their suppliers’ ecosystems, since a compromise anywhere in that chain can reach them and their customers.