Published: 01/10/25

Supply Chain Attacks: The Bump in the Night That Keeps Us Awake

The Hidden Threats Behind Supply Chain Attacks

It’s no secret that we live in an ultra-connected world, where every person, every device and every system is linked together in ways that we could not have imagined even 10 years ago.

We opened the doors to a haunted house, and now we’re living in it. Every integration, every convenience, every shortcut has created new corridors and crawlspaces in our digital environment. Once those doors are open, there’s only one way to stay safe: know what’s lurking in the dark, and be ready to face it. 

More connected and complicated systems mean more complex protections being put in place to try to keep the monsters from our doors. It’s become commonplace to bring in third-party providers to run parts, or even all, of your security platforms. A dedicated cyber security team can be cost-prohibitive to maintain, which is why companies like SEP2 exist: to make industry-leading expertise accessible to every organisation.

But this shift has opened the door to one of the most chilling threats facing organisations today…

Supply Chain Attacks

*Cue thunder and lightning*

Unmasking the Threat: What is a Supply Chain Attack?

Just so we are on the same page – what do we mean by ‘supply chain attack’ exactly?

Supply chain attacks are a type of cyber attack that targets a less secure third-party vendor or partner to gain unauthorised access to a larger, more secure organisation. The attack leverages the inherent trust between the primary company and its suppliers to bypass direct security measures that would otherwise catch it.

We’ve seen this happen with SolarWinds, Target and more recently, Salesloft. In the case of Salesloft, the attack exploited an integration with a supplier used by multiple customers, highlighting just how interconnected these platforms are, and how dangerous these attacks can be.

The same can happen in reverse. Jaguar Land Rover was recently taken down, and the knock-on effect is hitting their suppliers, some of whom are no longer receiving orders and may be forced to close down.

Now, for the big plot twist: the masked figure in this story? 

It’s us. SEP2 is also part of your supply chain.

 


For existing customers, and hopefully soon prospective customers, SEP2 forms part of the supply chain and, in some cases, has access to deep parts of your networks and systems.

There’s only so much silver bullets and cloves of garlic can do, so what do we do to protect ourselves and, by extension, our customers against this current trend of supply chain attacks?

We don’t rely on luck, charms, or wishful thinking. We rely on three things: technology, policies, and procedures.

 

Technology

Step one for us has always been to have the right technology in place.

We eat our own dog food, so to speak. SEP2 was our first customer. By treating ourselves like a customer, we ensure that we are putting the same protections in place that we would recommend to anyone else. If it’s good enough for our customers, it’s good enough for us. 

 

Policies

We enforce what we see as best-practice policies wherever we can. Here are a few examples:

  • From day one, we’ve had separate accounts for administrative and normal duties, meaning that if my account gets compromised, an attacker can only access my resources. They can’t laterally spread across our environment using the most common of accounts.
  • Our access to customer environments is entirely separate from the SEP2 environment. Different accounts, different domains, different IP addresses and firewalls. There is no way for my machine to connect to a customer environment directly.
  • All accounts follow the principle of least privilege, require multi-factor authentication regardless of sensitivity, and use additional hardware authentication when doing anything that could be considered sensitive.

None of this is a magic potion. It’s not new. Putting it into practice, and sticking to it, takes time, effort, and discipline. Where we see so many people fall over is where they fail to adhere to some of these basic principles.

 

Procedures

Even with the best technology and policies in place, you still have ghoulish humans involved in using and maintaining your systems.

We need to make sure we put in detailed plans and procedures to reduce the risk of human error. Some examples we follow:

  • Skills Matrices to ensure you have the right people, with the right skills to do the right roles
  • PDPs, good people management, training plans
  • Tactical reminders in systems to prevent misconfigurations 

Let’s not forget that our primary purpose is to help users do their jobs. We can’t lock our systems in the dungeon and let security get in the way of productivity, otherwise a user will find a workaround. They always do. 

This is especially true in a tech company, filled with very technically savvy people. When these little devils are involved, you can guarantee you will lose the battle of wills against them if you try to block how they want to work.

 

Why People Are Your First Line of Defence Against Supply Chain Attacks

Unfortunately, there is no witches’ brew to magically make people experts, and it’s no secret that there is a shortage of people in this industry. Building expertise takes time, investment, and a genuine willingness to nurture people into the roles they need to grow into, and that’s something most organisations are not willing to do.

At SEP2 we invest heavily in our people because we know that even the best technology and policies are only as strong as the humans behind them. That means: 

  • Comprehensive training programs 
  • Clear career progression paths
  • Competitive compensation packages
  • Creating a culture where continuous learning is valued and supported

Our internal training is designed to boost the overall skillset of our teams, while also increasing their awareness of emerging threats that could affect both our organisation and our customers. Emerging threats such as supply chain phishing are becoming more prevalent, so we make sure our teams know what to spot before those threats ever become a problem.

Managing Risks in a World of Supply Chain Attacks

Risks come in all sorts of shapes and sizes. Some are obvious, others hide in the shadows. By preparing for risks before they happen, we can reduce both the chances of them occurring and the impact if they do.

At SEP2, we identify risks across our people, processes, and technology. However, even with all the right protections, sometimes things still go bump in the night. That’s why we’ve created incident response playbooks for every risk we’ve recognised. And more importantly, we take a lessons-learned approach. If something does go wrong, we ask: how can we do better next time? Because the real horror story is repeating the same mistake twice.

 

Key Takeaways for Protecting Against Supply Chain Attacks

I hope after reading through this, you feel more confident about how seriously SEP2 takes threats (hopefully all the Halloween jokes don’t make you think otherwise!), especially the ones that don’t always announce themselves.

Here’s the real question: are all of your other partners doing the same?

I think everyone should be challenging their supply chain to prove they’re trustworthy and not just a villain in disguise. 

Anyone with access to your organisation’s systems or data should be held to a few basic tenets: 

  • No organisation should be implicitly trusted
  • Limit the exposure and access of each supplier
  • Enforce base security requirements and ask for proof
  • Record your risks. Have a plan for when they fail

The supply chain apocalypse is not guaranteed. We’re not doomed to live in this haunted house forever. Together, we can push back against these latest threats. Not with silver bullets, but with smart decisions, strong partnerships, and a shared commitment to doing better.