High-profile attacks, such as the SolarWinds breach in which a trojanised update was pushed to up to 18,000 customer organisations, occur when attackers successfully compromise a vendor that forms part of a software supply chain serving other businesses. Because those businesses implicitly trust their chosen vendors, they deploy the vendor's software without knowing that it contains malicious code, or without realising that basic security practices at the vendor, such as patch management, are not being correctly applied.

The problem is alarmingly widespread. According to a recent report by security firm CrowdStrike, almost half (49 per cent) of Australian organisations experienced a software supply chain attack during the past 12 months. Concerningly, the report found 55 per cent of Australian organisations lost trust in a key supplier due to security concerns in the same period.

Despite these issues, many organisations are still not taking steps to remedy the situation. Of those surveyed, only 44 per cent say they have actively vetted the security of their suppliers. This comes at a time when a report by cyber security firm Mimecast (2021), based on a global survey of 1,225 companies that included Australia, found that 61 per cent of businesses were disrupted by ransomware at some point during the past year.

The benefits of the ACSC Essential Eight

One of the most effective steps a business can take to lessen its chances of falling victim to a software supply chain attack is to implement the measures outlined in the Australian Cyber Security Centre’s (ACSC) Essential Eight security guidelines.

Updated in mid-2021, these guidelines clearly map out the steps an organisation should take to improve its level of cyber security. The eight mitigation strategies are application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, deploying multi-factor authentication (MFA), and conducting regular backups. Each is assessed against a maturity model, so an organisation can measure how completely it has implemented the strategy rather than treating it as a simple yes or no.

The benefit of the Essential Eight guidelines is that, once implemented, they give an organisation a much better chance of withstanding most of the IT security threats it is likely to face. The guidelines also do not require expensive measures to be taken, which allows their adoption by even small businesses.

Adherence to the Essential Eight is also important if an organisation wants to conduct business with an Australian government department or agency. Many will require confirmation that the guidelines have been implemented to a specified maturity level before a supply contract can be signed.

Essential Eight and supply-chain attacks

Confirmation of Essential Eight compliance will likely also be required if a business is itself a supplier to an organisation that supplies government. Supply-chain security is regarded as vital in both the private and public sectors.

Downstream compliance will also be needed, with a business having to check the security status of all its suppliers. This is because it only takes one weak link in a complex supply chain for every organisation involved in it to be put at risk of a cyber attack.

To confirm that all parties in a supply chain have effective security measures in place, businesses should create a centralised function that can provide consistent and thorough assessment. A comprehensive checklist should be drawn up so that each vendor is reviewed against the same requirements and the results can be compared.

It is important that a business understands the minimum security requirements it is willing to accept, in line with its risk appetite. Those requirements should be scaled up if a particular vendor is to be granted access to sensitive data, applications or systems, again in line with the inherent risk that access creates.

This is where the Essential Eight can add significant value. Rather than needing to reinvent the wheel, businesses can use the guidelines as part of the assessment process.

Alternatively, organisations can opt to deal with larger software vendors, which will most likely have stringent security compliance programs and relevant certifications in place. This lessens the chances of falling victim to an attack, but engaging with larger vendors often comes with significant expense that can be out of reach for small to medium businesses.

Cyber supply chains will continue to be a popular avenue for cyber criminals seeking to cause disruption and losses to businesses of all sizes. However, by implementing measures such as those detailed in the Essential Eight, businesses can reduce the likelihood of falling victim to an attack on them directly. Checking with vendors, partners and suppliers as to their adherence to a framework such as the Essential Eight can further reduce the risk of business disruption due to cyber attacks.

Alex Ward, governance, risk and compliance lead, Security Centric