Don’t break the chain: How to secure the supply chain from cyberattacks

By Roman Arutyunov
Image by Freepik

June 10, 2022

From the energy sector to car manufacturing, every major business is likely part of a lengthy supply chain. And, as the name suggests, if even one small part of the system fails, the entire ecosystem can weaken or collapse.

Today, no organization is immune to the rapid increase in cyberattacks — not even cybersecurity companies themselves. This is especially true since the beginning of the war in Ukraine, which has been defined not only by physical assaults but by cyber warfare against everything from the Ukrainian government to U.S. airports.

In addition to this volatile cyber landscape, there are more opportunities for attackers to infiltrate the supply chain as collaboration and data sharing between businesses grow. Many organizations are undergoing digital transformation and unlocking the sheer amount of data they possess to enable information-based decision-making across the entire ecosystem. If their systems and data aren’t secured, they can be exploited by malicious actors.

Following pandemic-related disruptions and shortages, organizations can’t afford a devastating cyberattack. If one company is impacted, the entire supply chain can face financial damages from supplier delays, or its members can even become victims themselves through shared systems. In fact, a satellite network supplied by the U.S.-based Viasat was hit by malicious software, shutting down remote access to thousands of wind turbines across Europe and impacting the Ukrainian military.

To avoid a devastating cyberattack, organizations in the supply chain need to understand prominent security threats, system vulnerabilities, and interactions across the ecosystem. From there, leaders across the ecosystem need to improve visibility into supplier security standards, update their own security processes, and adopt a collaborative security architecture.
Current Security Threats and Pitfalls

Recently, the digital extortion group Lapsus$ breached Okta, an identity management platform, through one of the company’s third-party customer support providers (owned by Sitel Group) via a technician’s compromised account. Questions had previously been raised regarding Sitel’s security, illustrating how the “weakest link” can be the attacker’s way into a multitude of operations across the supply chain.

These types of breaches typically originate through unsecured connections such as VPNs, or through credentials stolen by phishing or password-spraying attacks that target poorly managed or unmanaged accounts. This is common in remote access scenarios in which a supplier’s or outside vendor’s employee has access to a company’s systems. Attackers can sell these credentials on dark web forums, and companies either have to pay up to get them back or face the daunting task of rotating credentials on tens of thousands of assets. Once attackers are in, they can spread laterally across a company’s systems and even further into the supply chain, since these systems are often interconnected.

Many companies today are sticking to basic security rules and protocols. When a company procures services or equipment from a supply chain partner, it bakes requirements into the contract so that the servicer agrees to the same security policies as the client.

Even if the host company has an advanced security strategy in place, the other company likely has different practices. Either it takes time for the servicer to get up to speed on what is outlined in the contract (likely months after service begins), or the upgrades simply never occur. Typical contracts don’t set strict timelines for implementation or routine check-ins to ensure the upgrades were successful. Further, if a servicer has multiple contracts in play with varying security requirements, it could be left with a piecemeal security strategy in an attempt to meet all of these conditions.

Suggested Changes to Standards, Processes, and Increased Cooperation

With the recent rise in attacks, new mandates from the federal government, and a variety of technologies and solutions on the market, many companies within the supply chain may not know where to start to address these issues. However, a few simple practices can be implemented to secure the supply chain.

First, all organizations enlisting the help of outside contractors or suppliers should increase visibility into whether the security protocols in the contract are being met. This includes setting required timelines, scheduling regular check-ins, and completing a final security review and/or test.

Additionally, these security requirements for organizations and their suppliers should be updated not only to protect them from today’s threats, but to future-proof them against evolving tactics. Specifically, companies within the supply chain should review and adhere to National Institute of Standards and Technology (NIST) standards. Near the end of 2021, the organization closed the comment period for “SP 800-161” — a draft of updated cybersecurity practices specifically designed for the supply chain. This document will be updated and finalized in 2022, and companies should ensure these standards are reflected not only in their own practices, but in the security requirements for their suppliers.

Finally, an organization should use a distributed zero trust security approach for interactions with any other entity. This includes tighter control over which machines and systems are interacting with which owned assets, protection against potential vulnerabilities in those systems, and control over who is connecting to these systems, when, and how. Additionally, the supplier should consistently and immediately communicate any potential vulnerabilities, such as when a team member leaves the organization, so the host company can delete any unused log-ins.

Architecture Updates

In order to meet these new security standards and protection requirements, organizations across the supply chain should invest in and enforce distributed zero-trust identity and access management (IAM) protocols. Essentially, IAM protocols allow only select individuals, technologies or systems to access specific assets for a defined reason or action, providing complete control and visibility over who interacts with the system, when, and how.

While the steep rise in cyberattacks on essential operations is alarming, it does provide a crucial opportunity for organizations, up and down the supply chain, to understand the evolving threat to their business and take action. From increased visibility into supplier security upgrades to new cybersecurity approaches, industries reliant on their supply chains can better protect themselves.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.

KEYWORDS: cyber security risk management supply chain third party security

Roman Arutyunov is Co-Founder and VP of Products at Xage Security. 