Supply chains as a way in for cyber criminals

Software also has supply chains. Applications, for example, are often put together using various components from different developers of apps. These components sometimes have weak points that could be exploited by an attacker. By being aware of the issue, the potential risk that this entails can be reduced.

Imagine you own a company that specialises in the production of smoked meat products. You’re on personal terms with the farmer from whom you get your animal products, have visited her farm and know how the animals are kept and fed.

Your customers value this relationship of trust, which does not just exist between you and your supplier, but that has also developed between you and your customers in recent years. Customers can taste the quality when enjoying your delicacies.

Let’s now take this thought experiment further and step into cyberspace. Imagine you operate an online shop for your business. Instead of building the online shop from scratch, you decide to make use of existing software. There are a range of products for this on the market, from open source options to expensive, tailored solutions. You may well leave the decision up to your web host and use the software that they operate.

The question now is: do you know your suppliers for your online shop as well as you know the supplier for your smoked delicacies? Do you know what technology was used to build your online shop? What components were used? Which developer do the third-party components comes from? How secure is the programming for these libraries, and are the versions used for your online shop kept up-to-date and maintained? If you don’t know, why not?

How well do you know your online shop?

Ideally, you want to know your online shop as well as you would your farm supplier. That’s because the components that make up your online shop are also part of your supply chain. And, by extension, a potential point of attack by which you could come to harm in cyberspace. Cyber attacks via supply chains are not a new phenomenon. Successful attacks have been documented for a while now. They range from comparatively harmless components that mine Bitcoin on the targeted web servers to an attack which caused a company to temporarily close its premises as its payment provider had been hit. Attacks via supply chains seem to pay off, as they are currently very popular among cyber criminals.

It’s commonly said that the question is not ‘if’ you will be the target of a successful attack, but ‘when’. So it’s particularly important to prepare for such an incident. Being prepared means being familiar with your supply chain and, for example, knowing which components make up your online shop. This means you’ll know which software your shop uses and which developer it comes from, so you’ll then be in a position to judge whether a given weak point or attack might affect you. It also means you can form an opinion of your software supplier, ideally establish a connection with them over time and call upon them in the event of an emergency.

Make the most of the opportunity to look for a security partner in peace, get to know them and build up trust. They will be able to give expert support if something were to happen.

Due to the current situation, Connecta Bern will again be held as a digital event in 2021. Connecta is renowned for shining a light on the diverse nature of digitization and this year will be no different with content presented across the three formats of Connecta Blog, Connecta TV and Connecta Talk. Find out more here: www.swisspost.ch/connecta.