Protecting our digital core: navigating evolving supply chain risks
Cyber Security • April 28, 2025 • Written by: Amanpreet Singh • Read time: 2 mins

As technology becomes increasingly integral to our operations, we must acknowledge the growing complexity of our digital supply chains.
The recent compromise of GitHub Actions has captured global attention, including within the GitHub community, marking another major software supply chain attack. During this attack, the attackers exploited vulnerable workflow configurations to compromise the continuous integration/continuous delivery (CI/CD) pipelines of almost 23,000 repositories, primarily targeting technology and financial services organisations. This type of incident underscores the critical need for a strategic shift in how we approach cyber security.
This incident clearly demonstrates how attackers target third-party actions or dependencies to compromise software supply chains, potentially resulting in unauthorised access, data breaches, and code tampering. It is yet another wake-up call for the industry to make a strategic shift in how we approach digital supply chain security going forward.
Our reliance on interconnected systems and third-party components creates numerous points of exposure that raise business risk and weaken overall security posture. However, following structured security practices can help organisations significantly reduce the potential impact on operations and protect business reputation.
So, what should organisations consider?
We recognise the need to make operational and strategic changes that can help build a resilient, robust, and secure digital space for both businesses and clients. These recommendations fall into key categories of assessment, prevention, detection, and response:
- Assessment
Vendor and partner due diligence: We must all rigorously assess the security posture of our vendors and partners, ensuring they adhere to our standards. This isn't just a one-time check; it's an ongoing process.
Supply chain visibility: Organisations need to map their complete digital supply chain, including all dependencies, third-party components, and potential points of vulnerability. You can't protect what you don't know exists.
- Prevention
Strengthening internal development practices: All development teams must prioritise secure coding practices and implement robust testing protocols. This includes pinning dependencies, implementing software composition analysis (SCA), and conducting regular security audits.
Review of least privilege access: Reviewing and enforcing the principle of least privilege across all systems is essential to minimise potential attack surface and limit the impact of any successful breach.
Security awareness training: Ongoing security awareness training for all employees is essential. Everyone plays a role in protecting our digital assets.
- Detection and Response
Proactive planning: Plans should address a critical question - how will a supply chain attack impact the business and clients? Once that is clear, management should develop comprehensive contingency plans to minimise disruption by implementing solutions such as robust backups and system recovery processes.
Monitoring: It is not uncommon for attacks to go unnoticed due to lack of effective monitoring. Hence, it is crucial to implement enhanced monitoring and logging processes using technologies like SIEM, EDR, and API security tools to detect anomalous activity and respond quickly before it escalates to a disaster.
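As an added example (not from the original article), the following Python check applies the pinning and least-privilege recommendations above to a GitHub Actions workflow file: it flags third-party actions that are not pinned to a full commit SHA, which is what lets a tampered upstream tag change what a pipeline runs, and reports when no permissions block limits the GITHUB_TOKEN. The workflow text and the commit SHA inside it are constructed for illustration.

```python
import re

# Constructed sample workflow (not from the page): one action pinned to a
# mutable tag, one to a branch, one to a full commit SHA (constructed value),
# and no permissions block, so the default GITHUB_TOKEN scope applies.
SAMPLE_WORKFLOW = """\
name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/some-action@main
      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
      - run: npm ci && npm test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text):
    """Return the `uses:` references that are not pinned to a full commit SHA.

    A tag or branch can be moved by whoever controls the action's repository,
    so a compromised upstream changes what this pipeline executes without any
    change in this repository; a 40-hex commit SHA cannot be silently retargeted.
    Local actions (./path) and docker:// images are skipped by this check.
    """
    findings = []
    for ref in USES_RE.findall(workflow_text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def has_explicit_permissions(workflow_text):
    """True if the workflow declares a `permissions:` block (workflow or job level).

    Without one, jobs receive the repository's default GITHUB_TOKEN scope, which is
    broader than most build jobs need; `permissions: contents: read` is the usual
    least-privilege baseline.
    """
    return re.search(r"^\s*permissions:", workflow_text, re.MULTILINE) is not None


if __name__ == "__main__":
    for ref in unpinned_actions(SAMPLE_WORKFLOW):
        print("not pinned to a commit SHA:", ref)
    if not has_explicit_permissions(SAMPLE_WORKFLOW):
        print("no permissions block: GITHUB_TOKEN runs with default scope")
```

Running the check over every file under .github/workflows as part of SCA or a pre-merge review turns the "pin dependencies" recommendation into an enforceable control.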
Strategic considerations
Strategic investment: Surprisingly, much of the industry still treats securing its digital assets as an expense. Today, information is the biggest asset of any organisation, and protecting that information should always be a priority. Securing the supply chain requires investing in tools, personnel and processes; it is an investment in business continuity.
Zero-Trust implementation: Apply zero-trust principles to your supply chain by verifying every component, connection, and credential, regardless of source or previous validation status.
The cost of inaction
According to recent industry reports, the average cost of a supply chain breach now exceeds £3.5 million, with mean recovery times stretching beyond 280 days. Organisations implementing strong supply chain security measures have demonstrated 60% lower breach costs.
In essence, we all need to move beyond reactive security measures and adopt a proactive, risk-based approach that aligns with frameworks like NIST's Secure Software Development Framework (SSDF). This requires a collaborative effort across all departments and a commitment to embedding security throughout our organisational culture.
Let's prioritise building a resilient and secure digital ecosystem that protects our business and our customers. What steps is your organisation taking today?
We will be attending CYBERUK25 on 6-8 May. Please do come and visit our experts at stand A9 to discuss this, or to chat about any cyber security challenges or questions you have.