Cybercrime remains a major global concern. Cybercriminals are using increasingly sophisticated approaches and exploiting all possible means to intercept valuable data or disrupt IT systems. Organizations targeted and affected by these attacks, including businesses, critical entities, governments and entire economies, face severe financial consequences and operational disruptions. According to estimates from Statista’s Market Insights, the global cost of cybercrime is expected to increase over the next four years, rising from $9.22 trillion in 2024 to $13.82 trillion in 2028.
One channel used by hackers that is quickly becoming a major concern is the IT supply chain. Cybercriminals exploit vulnerabilities of third parties in an organization’s supply chain such as vendors, suppliers, and logistics and transportation companies to infiltrate the organization’s IT systems or gain access to physical components destined to be implemented in products. Speculation that recent device attacks in Lebanon were the result of third-party manipulation highlights the critical need to better secure not only software supply chains, but also hardware. But how big a threat does the IT supply chain really pose, and what can be done to minimize the risks?
Chief Product Security Officer at Alcatel-Lucent Enterprise.
The weakest link
The 2020 SolarWinds cyber attack, which compromised the systems, data and networks of thousands of organizations, including the US government, is the most notorious example of a large-scale software supply chain attack. But despite the disclosure of the case and recognition of the need to address the issue of securing the supply chain, there have been numerous others. These include attacks on Okta, Norton, 3CX, JetBrains, Airbus and Microsoft, all of which have been equally crippling to the companies affected. Since 2021, cyber attacks targeting supply chains have increased by 431%, according to a report published last year by insurance provider Cowbell. And industry analysts see few signs of the problem abating; Gartner predicts that the cost of these attacks will rise from $46 billion in 2023 to $138 billion in 2031.
For organizations and businesses, the threat of exposure to attacks through the supply chain is a major cause for concern. In contrast to the full visibility and control they have over their own systems, organizations to date have had little assurance that their suppliers and partners have implemented the same high security standards. In fact, a recent white paper published by Pakinomist and Cargowise highlighted how 94% of supply chain managers were concerned about vulnerabilities in their technology stack, with 24% very or extremely concerned.
Regulators seek to bring standardized security to the supply chain
Such is the concern surrounding the IT supply chain threat that authorities are beginning to introduce regulation to limit the number of incidents. In October this year, the new EU directive on network and information security version 2 (NIS2) entered into force. This new legislation was introduced to establish a uniform and improved level of cyber security across EU countries. Critically, companies that supply goods or are part of IT supply chains must also comply with NIS2, along with organizations operating in sectors such as public administrations, transport, energy, health and banking.
NIS2 will certainly help raise awareness of the need to secure network infrastructure and ensure that security measures are adhered to throughout the IT supply chain. But in addition to complying with the new ruling, organizations and technology providers must ultimately take responsibility for ensuring that their valued data – and that of their customers – has the highest level of protection against theft or system attacks. But how do they approach it?
Mitigating the risk of supply chain attacks
Each company or organization has its own unique supply chain composed of the relevant third parties necessary to bring its specific solutions or services to market. As such, there is no ‘one way’ to secure the supply chain, but there are measures that all companies should take to ensure that their supply chains – both for software and for physical components or products – are as watertight as possible. These include:
Screening of suppliers: Before selecting suppliers, comprehensive checks should be carried out to verify security practices and ensure credibility.
Periodic audits: Conducting regular audits and checks on supply chain partners will ensure they maintain the expected security measures.
SLAs: Implementing contractual security requirements with logistics providers to ensure they have appropriate security measures in place, such as tamper-proof seals on trucks.
Monitoring status for goods in transit: Technologies such as RFID and AI can help track the location and status of goods throughout the logistics flow.
The use of Gen AI to better monitor the location of hardware during transit
The integration of Gen AI into logistics operations is proving to make IT hardware supply chains not only more efficient, but also significantly more secure. Thanks to its ability to extract, process and structure unstructured data, such as emails, it provides an unprecedented level of visibility into the flow of goods, tracking both their location and ownership at every stage.
The integration of Gen AI means that logistics teams are always aware of where shipments are, who is responsible for them, and can quickly respond to potential security threats even before an incident occurs. This level of insight and control is invaluable to organizations seeking peace of mind that all elements of their supply chain are well protected at all stages of production and transfer and that they pose no risk of interception or tampering.
As cybercrime continues to grow in sophistication and scope, the threat posed by IT supply chain vulnerabilities cannot be overlooked. Organizations must confront the reality that their security will only ever be as strong as the weakest link in their supply chain. New regulations such as NIS2 will be essential to ensure an appropriate and standardized approach to security across the supply chain. However, for their own peace of mind and to ensure the integrity of their products and protect their valuable data, organizations should look to diligently select supply chain partners, create a culture of transparency and use advanced technologies to ensure accurate tracking and monitoring of purchased components and products. Given the relentless levels of cybercrime today, investing in supply chain security and resilience to protect oneself from attack is a relatively small price to pay.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we feature the best and brightest minds in the tech industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.