Software Supply Chain: The problem with outsourcing everything
Why would hackers attack 100 organisations individually when they can take them all down by attacking a single software product they all use?
In the last decade, the global tech landscape has developed at lightning speed, and many of us are struggling to keep up. Most of us have got to grips with the basics — Facebook, Slack, Zoom — but terms like ‘the cloud’ are harder to understand.
Far from a niche area of tech, the cloud is becoming a crucial tool for businesses, often with unwanted implications.
Every day, organisations looking to modernise their data practice are moving to cloud hosting and Software-as-a-Service (SaaS) based products. For those not well-versed: traditionally, a website or business application would run on a single server that the company owned or rented, usually in a data centre. Cloud hosting, on the other hand, means renting computing power and storage from a provider that runs large pools of servers across many data centres; the company’s applications and data live on that shared infrastructure rather than on a machine it controls. With SaaS the provider goes one step further and runs the application itself, so the customer simply logs in. Collectively, that provider-run infrastructure is what people mean by ‘the cloud’.
Many companies migrate to these systems as they’re easy to manage and can integrate with other complementary products across an organisation, whilst also receiving updates for the software in real-time.
Across any given industry there are a small set of market leaders who provide the software, and the largest organisations in the world will naturally prefer to use these top solutions. They are easy to trust, have strong industry presence, and justification for procuring them is smooth for internal budget holders and external shareholders.
What we don’t always think about are the macro-implications: now we have a large number of organisations who are heavily reliant on a single organisation to provide a common product.
Take a look at any accounting software used across major companies. If it is run by a cloud-based third party on behalf of the company, then a single successful attack on that software provider would not only take out the accounting system of the individual company, but that of every other customer using the same product.
Global industries putting all their software eggs in one vendor’s basket is a very attractive proposition for an attacker: a single attack can scale across many different companies.
In the case of ransomware, attackers have asked themselves a simple economic question: why spend time breaking into and extorting 100 firms individually, receiving only a modest payment from each, when I can target the biggest business-to-business software providers in an industry and demand a huge sum to restore their systems so they can continue to deliver services to their clients?
Their answer has been clear: we’ve started to see a global increase in software supply chain attacks. The impact on business, from down-time and lost revenue, is in the billions of dollars.
Protecting ourselves means looking in unexpected places
But what can organisations do? Look towards the space agencies, for starters.
Redundancy and failover — the ability to switch automatically and seamlessly to a reliable backup system — have always been key concepts in space missions. Everything is built to a high standard, but it is still assumed that what can go wrong will go wrong, and the mission is designed to survive it.
What does that mean for the rest of us who spend most of our time below the outer atmosphere? First, organisations need to catalogue all their software products and map each one to the business functions that depend on it. We need to know which are mission critical for us to continue trading, as these create the greatest business risk. These should be prioritised, back-up providers evaluated, and a redundancy plan put in place to ensure any impact is minimal in case of a failure.
This needs to be built from the ground up. When organisations run their procurement process for these mission critical systems, a back-up provider should be identified and a failover deal should be negotiated in case the primary supplier goes down.
Lastly, and something which is often overlooked: back-ups need to be kept in a format that a different product can read, not one tied to the original vendor. A failover provider is of little use if the data needed to resume trading exists only in an export that the compromised product can open. For the same reason, the copies themselves should be held somewhere other than the primary provider’s own systems, since an attack that takes the provider down takes its copies with it.
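As an added illustration (not part of the original article), here is a small Python model of the catalogue described above: a constructed inventory of business functions and the vendors they depend on, with every vendor, function and format invented for the example. Two checks run over it: the “blast radius” of each vendor (how many mission-critical functions go down with it) and which critical functions still lack a negotiated failover provider or hold their back-ups in a format only the primary vendor can read. The list of formats treated as portable is an assumption.

```python
"""Added example, not from the original article: a toy software catalogue
with the two checks a practitioner would run over it. All vendors, business
functions and formats below are constructed sample data, not real suppliers."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Dependency:
    function: str                         # business function that relies on the product
    vendor: str                           # primary supplier of the product
    mission_critical: bool                # can we keep trading without it?
    backup_vendor: Optional[str] = None   # negotiated failover supplier, if any
    backup_format: Optional[str] = None   # format the back-ups are exported in


# Assumption: formats another product could realistically load.
PORTABLE_FORMATS = {"csv", "json", "xml", "sql"}

# Constructed inventory (invented names).
INVENTORY = [
    Dependency("Invoicing", "LedgerCloud", True, "BooksOnline", "csv"),
    Dependency("Payroll", "LedgerCloud", True, None, "ledgercloud-archive"),
    Dependency("Customer support", "HelpDeskPro", True, "TicketHub", "json"),
    Dependency("Internal chat", "ChatCo", False, None, None),
    Dependency("Tax filing", "LedgerCloud", True, "BooksOnline", "ledgercloud-archive"),
]


def blast_radius(inventory: List[Dependency]) -> Dict[str, List[str]]:
    """Mission-critical functions that stop if each vendor is taken down,
    most concentrated vendor first."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for dep in inventory:
        if dep.mission_critical:
            hits[dep.vendor].append(dep.function)
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1])))


def failover_gaps(inventory: List[Dependency]) -> Dict[str, List[str]]:
    """Mission-critical functions whose failover plan is incomplete: no backup
    vendor, or back-ups held in a format only the primary product can read."""
    gaps: Dict[str, List[str]] = {}
    for dep in inventory:
        if not dep.mission_critical:
            continue
        problems = []
        if dep.backup_vendor is None:
            problems.append("no failover provider")
        fmt = (dep.backup_format or "").lower()
        if fmt not in PORTABLE_FORMATS:
            problems.append(f"backup format {dep.backup_format!r} is vendor-locked")
        if problems:
            gaps[dep.function] = problems
    return gaps


if __name__ == "__main__":
    for vendor, funcs in blast_radius(INVENTORY).items():
        print(f"{vendor}: {len(funcs)} critical function(s) -> {', '.join(funcs)}")
    for function, problems in failover_gaps(INVENTORY).items():
        print(f"GAP {function}: {'; '.join(problems)}")
```

In this constructed data one vendor sits under three of the four mission-critical functions, which is exactly the concentration the article warns about, and two of those functions could not actually be moved to the named backup provider because their back-ups are in the primary vendor’s own format.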
Attackers gravitate towards the greatest reward for their input, and supply chain attacks on software providers are an attractive way to scale the impact of their work. Fortunately, organisations can put in place sufficient failovers to mitigate many of the risks they face when their supply chain becomes the target.
Originally featured in the Evening Standard