Supply chain security is understandably a hot topic in cyber risk management. With the increased use of APIs, dependence on third-party code, use of cloud computing, and more, companies choosing to outsource IT services create a more interconnected and complex IT ecosystem in which supply chain vulnerabilities are harder to identify and control.
A spate of high-profile security breaches by skilled hackers has hit companies through their supply chains in recent years, often resulting in sensitive data being lost or stolen. This article takes a look at supply chain data loss prevention (DLP) and why your company can no longer only worry about the security of exit points from inside your own IT environment.
Supply Chain Security and Data: What’s the Connection?
A supply chain refers to a network of organizations that coordinate to deliver a product or service from production to the final customer. This includes manufacturers, suppliers, vendors, service providers, transporters, wholesalers, and more. With growing digital interconnectivity, any weak link in this chain potentially exposes the whole network to security risks, including data loss.
If a single supplier doesn’t properly protect its systems and becomes compromised, data breaches can spread throughout the entire supply chain. Companies regularly share sensitive data with their supply chain partners to ensure smooth operations. The software supply chain is particularly hard to manage because companies depend on other applications and open-source code to deliver software; weaknesses in third-party code or applications can mean your data gets compromised.
If any of these partners have poor data security practices, data loss or theft is a common outcome, even if your own data security strategy is robust. There are also insider threat risks with these supply chain partners where one of their employees acts maliciously, with the result being your data is lost or sold to a third party.
Threat actors have shown in recent years that their key objective in cyber attacks is often to steal sensitive data. Ransomware evolved from merely locking down end-user systems and servers to holding companies to ransom for stolen data. Many advanced phishing scams dupe employees into disclosing sensitive details or downloading malware that steals data from endpoints.
Aside from data protected by regulations like GDPR and PCI DSS, companies also store proprietary data like intellectual property that’s extremely valuable in providing a competitive edge. All of this is to say that your data security approach needs to look beyond your own systems to the entire supply chain.
Supply Chain Attacks That Compromised Sensitive Data
To understand the true significance of specific cybersecurity risks, it’s always worth examining some real-world incidents. Let’s take a look at some recent supply chain attacks that involved threat actors compromising sensitive information.
- MOVEit: A severe supply chain attack hit large organizations like the BBC and British Airways in June 2023. By infecting the MOVEit file transfer app with malicious code, hackers managed to steal a treasure trove of personal data from companies that relied on the MOVEit app.
- 3CX: This complex breach introduced the double supply chain attack as a new attack vector. North Korean hackers inserted a malicious backdoor into 3CX’s VoIP software, and anyone who downloaded the affected update unknowingly installed data-stealing malware on their device. The attack is called a double supply chain attack because the initial compromise of 3CX started with the exploitation of a financial trading application, from which the attackers moved laterally into 3CX’s build environment.
- SolarWinds: One of the most notorious cyber breaches of all time, the SolarWinds attack involved hackers breaching the IT monitoring platform Orion (produced by SolarWinds). By infiltrating this app, the threat actors were able to access sensitive data belonging to organizations that used Orion, including U.S. government agencies and private companies.
Requiring DLP Solutions Improves Supply Chain Security
It’s not exactly unreasonable to demand a high level of data protection throughout your supply chain. With all the dependencies involved in modern supply chains and the number of opportunistic cybercriminals targeting them, exercising caution by demanding high standards is a prudent approach.
Many companies now recognize the need to adopt a zero-trust strategy in which anything or anyone trying to access their environment and data does not get trusted by default. Instead, access requests require continuous, real-time authentication based on context and other risk factors. While zero-trust will reduce supply chain risk in the long run, the road to implementing an effective architecture is potentially lengthy, costly, and complex to navigate.
A more immediate way to improve your security posture is to set higher standards for your supply chain partners, vendors, and service providers. Require, as part of your contracts, that they have a leading DLP solution installed in their environment. This requirement drastically increases your confidence that data loss or theft from supply chain attacks is far less likely to befall your business through exit points beyond your visibility or control.
If you feel hesitant about tweaking your information security approach in this way, bear in mind the many precedents for exactly this type of demand.
- Becoming a U.S. government contractor requires compliance with the NIST framework.
- Consultants and service providers that work closely with public companies, particularly in fields like financial management, internal auditing, and legal services, may be expected to demonstrate security controls in line with SOX compliance to win contracts.
- Public sector organizations and government departments often require ISO 27001 compliance from vendors, particularly for contracts involving sensitive data or critical infrastructure.
Requiring that supply chain partners have a DLP solution in their environment is no different than these examples – it’s an important way to strengthen supply chain management for your company.
Endpoint Protector
Endpoint Protector by CoSoSys is an industry-leading DLP solution that works across all the types of operating systems likely to be used within a supply chain (macOS, Windows, and Linux). Content-aware protection, enforced encryption, and data discovery features all help to keep your company’s confidential data more secure.