Ask data security experts what the current trend is in cyberattacks on businesses in the U.S. and around the world, and they will tell you point-blank: rising steadily, with no end in sight. In July 2021, REvil, a Russian-speaking ransomware gang, knocked out the IT systems of more than 800 Swedish supermarkets, town governments in Maryland, schools in New Zealand and about a thousand other organizations worldwide in a single campaign.
The attackers exploited vulnerabilities in Kaseya VSA, remote management software that managed service providers use to administer their customers' networks. Compromising that one product gave the attackers a path into the many companies and governments whose networks were managed through it. In the language of cyber professionals, the REvil hackers turned the Kaseya vulnerability into a potent attack vector.
The exposure exists because most of the software that organizations run is assembled from third-party components: prewritten packages that vendors build on top of open-source libraries. Cybercriminals target these software supply chain components because a single flaw in one widely used package can, under the right circumstances, act as a master key that opens the IT back door of every organization that depends on it.
Fortunately, there is good news. Companies are not powerless to protect their digital supply chains. Security researchers at universities and public interest nonprofit organizations work to identify thousands of vulnerabilities in software components before bad actors can exploit them. The critical item is for business owners to be informed and to implement the fixes proactively.
As with any business challenge, an owner must recognize the potential risk, identify the most cost-effective solution, inform and involve staff in the action plan, and then implement the remedy to minimize the risk. Here are three strategies Cambridge data security experts recommend that owners implement to protect the sensitive information that flows through their businesses and digital supply chains.
The first strategy is to apply the automated fixes that already exist; many businesses have been slow to use them. GitHub, the online code repository, runs a bot (Dependabot) that recognizes known-vulnerable dependencies in a project and proposes the fix, a version bump to a patched release, as a pull request that a user can accept with the click of a button. As published software bills of materials (SBOMs) become more prevalent, additional services of this kind will become available, because an SBOM tells a scanner exactly which components a product contains.
Another challenge right now is persuasion. Only a small percentage of businesses have incorporated these effective tools and fixes into their IT procedures. For example, of the 1,896 GitHub users who were notified of one such vulnerability, only 42 actually responded and applied the free automated patch. That is about 2%, or just one in 50, far short of the response that is needed.
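To make concrete what such a bot does, here is an added example in Python; it is not GitHub's or Dependabot's code. It reads a constructed requirements.txt, matches the pinned versions against a constructed advisory feed, and proposes the version bumps that an automated pull request would carry. The package names, versions and advisory identifiers are all placeholders invented for the example, and the version comparison assumes plain dotted numeric versions.

```python
"""Minimal model of an automated dependency-fix bot (Dependabot-style).

Added example, not GitHub's code. The advisory feed and the requirements
file are constructed for illustration; the identifiers are placeholders,
not real CVEs, and the package names are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str       # placeholder identifier, not a real CVE
    package: str
    vulnerable_below: str  # every version strictly below this is affected
    fixed_version: str     # first release that contains the fix


# Constructed advisory feed (hypothetical packages and versions).
ADVISORIES = [
    Advisory("EXAMPLE-0001", "acme-yaml", "5.4.0", "5.4.0"),
    Advisory("EXAMPLE-0002", "acme-http", "2.31.0", "2.31.0"),
    Advisory("EXAMPLE-0003", "acme-http", "2.32.3", "2.32.3"),
]

# Constructed requirements.txt content.
REQUIREMENTS = """\
acme-yaml==5.3.1
acme-http==2.31.0
acme-json==3.0.0
# pinned for reproducible builds
"""


def parse_version(v: str) -> tuple:
    """Assumes plain dotted numeric versions; real tools use PEP 440 parsing."""
    return tuple(int(part) for part in v.split("."))


def parse_requirements(text: str) -> dict:
    """Return {package: pinned_version} for every 'name==version' line."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def find_fixes(pins: dict, advisories) -> dict:
    """Return {package: (current, target, [advisory ids])} for vulnerable pins.

    When several advisories hit one package, the target is the highest
    fixed version so that a single bump closes all of them.
    """
    fixes = {}
    for adv in advisories:
        current = pins.get(adv.package)
        if current is None:
            continue
        if parse_version(current) < parse_version(adv.vulnerable_below):
            cur, target, ids = fixes.get(adv.package, (current, current, []))
            if parse_version(adv.fixed_version) > parse_version(target):
                target = adv.fixed_version
            ids.append(adv.advisory_id)
            fixes[adv.package] = (cur, target, ids)
    return fixes


def patched_requirements(text: str, fixes: dict) -> str:
    """Rewrite the pinned lines the way the bot's pull request would."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if "==" in stripped and not stripped.startswith("#"):
            name = stripped.split("==", 1)[0].strip().lower()
            if name in fixes:
                out.append(f"{name}=={fixes[name][1]}")
                continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = find_fixes(parse_requirements(REQUIREMENTS), ADVISORIES)
    for pkg, (cur, target, ids) in found.items():
        print(f"{pkg}: {cur} -> {target}  closes {', '.join(ids)}")
    print(patched_requirements(REQUIREMENTS, found))
```

The second advisory for acme-http does not fire because 2.31.0 is not below its cutoff; the third does, so the proposed bump goes straight to 2.32.3. That is the whole value of the bot: the matching is mechanical, and the only human step left is merging the change.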
The second strategy is to prioritize, because many vulnerabilities will not be as easy to fix: many software packages can be patched only when their systems are taken offline. From a practical business perspective, fixing every vulnerability is not feasible. What matters is to identify and fix the ones most likely to be exploited by cybercriminals.
The fact is that not all vulnerabilities are equally attractive to malicious actors. Some are very expensive to turn into a working exploit and are therefore much less likely to be targeted. Fortinet, the cybersecurity firm, reports that only about 5% of vulnerabilities were actually exploited, compared with the more than 10% that organizations monitored. This means a security team can concentrate on the vulnerabilities that require urgent attention and schedule the rest for later.
Going through this process thoroughly may seem overwhelming, but new metrics can refine the vulnerability identification and remediation approach. The Exploit Prediction Scoring System (EPSS), maintained by a special interest group at FIRST (the Forum of Incident Response and Security Teams), estimates the probability that a given vulnerability will be exploited in the wild within the next 30 days, based on its characteristics and observed exploit activity. Scores are recomputed daily, so a vulnerability set aside today should be re-checked later rather than forgotten. Combined with a severity score such as CVSS and the cost of applying the patch, EPSS gives the cost-versus-benefit calculation a concrete threat estimate.
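The following added example, which is not the EPSS project's code, shows one way to turn those numbers into a work queue in Python. Each constructed finding carries a CVSS severity, an EPSS probability and a flag for whether the patch needs downtime; the findings are ranked by EPSS times CVSS and sorted into "patch now", "next maintenance window" and "monitor". The thresholds, asset names and vulnerability identifiers are assumptions for illustration. The optional fetch_epss function shows how real scores would be pulled from the public EPSS API at api.first.org; it is not needed to run the example offline.

```python
"""Risk-based vulnerability triage with EPSS and CVSS.

Added example, not the EPSS project's code. Findings, identifiers, asset
names and thresholds are constructed for illustration. Real EPSS scores are
published daily by FIRST; fetch_epss() shows the lookup but is optional.
"""
import json
import urllib.request
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str          # placeholder identifier, not a real CVE
    cvss: float           # severity, 0.0 to 10.0
    epss: float           # probability of exploitation in the next 30 days
    needs_downtime: bool  # patch can only be applied with the system offline


# Constructed sample findings (hypothetical assets and scores).
SAMPLE_FINDINGS = [
    Finding("public-web-01", "EXAMPLE-1001", 9.8, 0.92, False),
    Finding("plant-historian", "EXAMPLE-1002", 8.8, 0.45, True),
    Finding("laptop-fleet", "EXAMPLE-1003", 9.1, 0.02, False),
    Finding("intranet-wiki", "EXAMPLE-1004", 5.3, 0.30, False),
    Finding("billing-db", "EXAMPLE-1005", 7.5, 0.15, True),
]


def priority_score(f: Finding) -> float:
    """Threat times impact: EPSS probability weighted by CVSS severity."""
    return round(f.epss * f.cvss, 4)


def triage(findings, epss_threshold=0.10, cvss_floor=7.0):
    """Rank findings and place each in a queue.

    A finding is 'likely' when its EPSS probability and CVSS severity both
    clear the thresholds (assumed values; tune them to your risk appetite).
    Likely findings go to patch_now, or to maintenance_window when the fix
    needs downtime; everything else is monitored and re-scored later, since
    EPSS values change as exploit activity changes.
    """
    ranked = sorted(findings, key=priority_score, reverse=True)
    queues = {"patch_now": [], "maintenance_window": [], "monitor": []}
    for f in ranked:
        likely = f.epss >= epss_threshold and f.cvss >= cvss_floor
        if not likely:
            queues["monitor"].append(f.vuln_id)
        elif f.needs_downtime:
            queues["maintenance_window"].append(f.vuln_id)
        else:
            queues["patch_now"].append(f.vuln_id)
    return ranked, queues


def fetch_epss(cve_ids):
    """Look up current EPSS scores for real CVE ids (network call, optional).

    Assumes the public endpoint https://api.first.org/data/v1/epss?cve=...
    which returns JSON whose 'data' list holds {cve, epss, percentile, date}.
    """
    url = "https://api.first.org/data/v1/epss?cve=" + ",".join(cve_ids)
    with urllib.request.urlopen(url, timeout=10) as resp:
        payload = json.load(resp)
    return {row["cve"]: float(row["epss"]) for row in payload["data"]}


if __name__ == "__main__":
    ranked, queues = triage(SAMPLE_FINDINGS)
    for f in ranked:
        print(f"{f.vuln_id:14} {f.asset:16} score={priority_score(f):.3f}")
    print(json.dumps(queues, indent=2))
```

With the sample data only one of five findings lands in the urgent queue, which is the point of the Fortinet figure above: the set that needs immediate attention is a small fraction of what a scanner reports. Note that EXAMPLE-1003 is severe (CVSS 9.1) yet drops to the monitor queue because nobody is exploiting it; a CVSS-only policy would have put it first.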
The third strategy concerns critical infrastructure. These technologies are considered "critical" because they are the industrial control systems running factories and the operations software that manages electrical power grids and water supply systems: so critical they cannot be allowed to fail. Businesses, governments and communities rely on them daily, so they need to be as close to vulnerability-free as possible while running uninterrupted 24 hours a day, seven days a week.
Insisting that vendors provide "hot patching" capability, the ability to apply a fix to running software without restarting or shutting it down, in the products they sell to operators of essential infrastructure helps ensure maximum protection against cyberattacks while allowing uninterrupted operations. Operators can then patch vulnerabilities without taking entire networks down, which means electrical and water supply grids keep operating without the massive disruptions a shutdown would cause. A hot patch still has to be tested on a non-production system first, since a bad fix applied to a live system is itself an outage.
This measure may raise costs for software vendors and critical infrastructure providers. Still, the additional cost is a small price to pay so that businesses do not have to choose between cybersecurity and availability.
These three strategies do not address every data security issue in the digital supply chain, but they are cost-effective, real-world measures that raise the level of cybersecurity in business operations. By taking these actions, businesses can defend against most cyberattacks that exploit known vulnerabilities.
Being proactive and taking these steps is what a conscientious business owner does to manage the risk of cyberattacks and potentially losing sensitive business and personally identifiable information. Think of it as an additional insurance policy that gives you much-needed protection at a minimal cost.