How to Safeguard Your Cybersecurity Supply Chain

From the rise of generative AI to increased attack surfaces, we all understand the importance of maintaining a solid cybersecurity capability and staying up to date with the latest attack vectors and threats. The challenge is preserving a secure posture across a cyber supply chain that includes multiple third-party suppliers. 

A cyber supply chain incorporates a series of complex interactions throughout the lifecycle of all products and services used by an organization. Each interaction with a supplier, manufacturer, distributor, or retailer introduces inherent risks. This means your suppliers can impact the security of your organization’s systems and their own products or services. When products or services access critical systems, operate with privileged access, or control significant portions of the cyber supply chain, they may present vulnerabilities that malicious actors could exploit, potentially leading to widespread and damaging consequences. Faced with this operating landscape, the big question is simply: “Whom do I trust?” 

The Australian Cyber Security Centre (ACSC) recommends that all organizations consider cyber supply chain risk management. Let’s take a look at the types of attacks that could occur through a third-party software provider:

  • Supply chain attacks: compromising the third-party provider and using it to distribute malicious code or software updates to target organizations. 
  • Software vulnerabilities: exploiting unpatched vulnerabilities in third-party software to gain unauthorized access or control. 
  • Backdoors: introducing hidden backdoors in the software that can be used later for unauthorized access. 
  • Data breaches: accessing sensitive data through vulnerabilities or misconfigurations in third-party software. 
  • Man-in-the-Middle (MitM) attacks: intercepting communication between the third-party software and the organization to steal or alter data. 
  • Phishing attacks: leveraging third-party software to send phishing emails or messages to users within the organization. 
  • Credential theft: stealing user credentials through compromised third-party software. 
  • Malware injection: embedding malware within the software to execute malicious activities once installed in the organization’s systems. 
  • Denial-of-Service (DoS) attacks: using the third-party software to launch DoS attacks that disrupt the organization’s services. 
  • Privilege escalation: exploiting third-party software to gain higher privileges than initially granted, potentially leading to full system compromise. 

As a supplier to the defense sector in the United States, it’s essential our business meets the Cybersecurity Maturity Model Certification (CMMC), which mandates the minimum security posture for all government suppliers. At Prophecy, we believe that every third-party software supplier should aim for cybersecurity maturity that meets CMMC standards in the US, or Essential Eight standards in Australia. Unfortunately, outside of government, there are still very few companies that set business standards for their suppliers or truly understand the security implications of the vendors they might choose, especially if they are selecting vendors based on price. Choosing an open-source product written by unknown contractors in Eastern Europe or Asia may not be the best decision either. Threat actors exploit the vulnerabilities of supply chains to infiltrate networks and steal data. It’s a topic to take seriously when deciding whom to trust as a supplier.

How do you know whom to trust? A reasonable start is some form of certification. This could mean an ISO 27001 certification, certification of compliance with the CMMC, and certification of the actual product. Prophecy is ISO 27001 certified and is preparing for CMMC certification to ensure we can continue to supply the defense sector in the United States. Our software is also verified by a third-party company that specializes in vulnerability assessments. Both Snare Enterprise Agent and Agent Manager have attained the ‘Verified’ level from Veracode.

Look for sovereign capability when selecting suppliers

In a global market with players from almost every country, it is critically important to consider working with partners close to home. Working with local companies means locally developed IP that meets the regulatory and legal environment in which you operate, local support in your time zone, and a level of integration and acceptance when it comes to cyber maturity, and cooperation around defense and intelligence. 

In addition to this, sovereign capability will drive the growth of jobs and the economy, which is very important after the disruptions to the global economy following the pandemic. Snare software, for instance, is developed in Australia with Australian resources, and we generate nearly 80 percent of our revenue outside Australia. 

If sovereign capabilities aren’t available, consider working with organizations in regions that have formed alliances and operate in similar ways, particularly when it comes to intelligence and cybersecurity. For example, Five Eyes is an intelligence-sharing alliance comprising Australia, Canada, New Zealand, the UK, and the US. This formal agreement at an intergovernmental level could be a factor when choosing a vendor if it is based in one of these geographies and is used by government or defense agencies in those countries. Being a trusted supplier to any of these agencies is an excellent recommendation to the commercial world that your supply chain and software products are secure.

Five Eyes also highlights the importance of secure supply chains, as any supplier to these agencies could potentially introduce vulnerabilities that allow access into other agencies in different geographies. 

How to ensure your supply chain is secure and your vendors are trustworthy

Start by asking if your suppliers: 

  • speak your language, reside in your time zone, have developers you know, and operate within a legal framework you can work with
  • are trusted by the government in your country or in countries that have a level of engagement and cooperation with your own
  • have a team in your country that is bound by your laws, if they are an international company.

Reach out if you have questions about your supply chain or want to speak with our expert team about implementing Snare’s suite of services as a part of your trusted supply chain. We are trusted by over 4,000 companies across the globe for log management. We can help you create a stronger cybersecurity infrastructure now that it is more important than ever to trust your vendors and your partners.