Attacks on IT supply chains have been on the rise for years, according to the experts from the IT Security Competence Group of the eco Association at their meeting in November. In the Cologne-Ehrenfeld office, the experts developed holistic and proactive strategies to effectively protect their own IT, summarising their findings in six key points.
“The frequency and complexity of attacks on supply chains are likely to increase, as they are more effective and potentially more lucrative for attackers than other attack scenarios,” stated the experts from the eco IT Security Competence Group at their meeting in November at the eco office in Cologne-Ehrenfeld. Supply chain attacks are a form of cyberattack in which attackers use a company or organisation’s software supply chain as a gateway to spread malware or steal data. The consequences of supply chain attacks go beyond financial losses and can also cause damage to reputation and trust.
“Attackers exploit vulnerabilities and trust between customers and service providers to spread malware or infiltrate networks,” said Maik Wetzel from ESET in his presentation. Using prominent examples such as NotPetya, Kaseya and SolarWinds, Wetzel illustrated the far-reaching impact that attacks on the supply chain can have.
Hand in hand for more resilient IT supply chains
“Modern software supply chains are becoming more vulnerable to attacks,” stated Matthias Riedel from SAP, because they are extremely complex and it is currently a challenge to fully understand them. He gave a global overview of the economic and social consequences of such attacks. Riedel outlined the opportunities that come with using cloud-based software solutions for supply chains and shared insights into SAP’s security measures. He also gave some examples of how SAP protects and optimises its own supply chains and those of its customers, for example through encryption, certification and artificial intelligence.
Attackers do not always act immediately. A network is often infiltrated first, and the subsequent attack only takes place after a delay – often months later. The participants noted that supply chain attacks are not just technical challenges, but require comprehensive cooperation and responsibility from all parties involved at an organisational and legal level: a holistic and proactive security strategy is required that covers various aspects of the supply chain, including the selection and verification of business partners, process control, system updates, employee training and emergency preparedness. The experts came up with six tips and strategies on how companies can protect themselves:
- Choose your business partners carefully. You should only enter into business relationships with reliable and reputable partners. Certifications such as ISO 27001 can be an indicator of reliability in terms of security against attacks on the supply chain. Regularly check whether your partners’ security measures are still up to date.
- Require multi-factor authentication for third-party access to your systems. Even if a partner’s credentials are compromised, attackers still have a second security hurdle to overcome.
- Have a contingency plan. A well-maintained emergency manual for all eventualities is a must. Without one, decisions in an emergency are improvised under stress and are often wrong. A contingency plan also includes well-secured and regularly tested backups.
- Train your employees. Although people are often seen as the “problem” in IT security, they are actually the key to the solution as the “last line of defence”. If a system is compromised, all technical security measures have already been overcome and only the people themselves can still recognise the problem. Well-trained and sensitised employees can not only defend against conventional attack strategies such as phishing attempts, but can also recognise threats that have already occurred at an early stage.
- Monitor all data flows in your company. Proper monitoring often offers the best chance of recognising potential attacks at an early stage. Especially if many third parties are connected to your own systems, surveillance of these interfaces is mandatory.
- Encrypt data along the entire supply chain. No attacker should ever have easy access to unencrypted data streams.
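As an illustration of the monitoring tip above (added example, not code from the eco Competence Group or any vendor mentioned on the page): third-party interfaces can be checked against the baseline agreed when the partner was onboarded. The partner baseline, the log format and the log lines below are all constructed for this example; real deployments would feed the check from an API gateway or proxy log.

```python
"""Flag anomalous third-party (partner) access against a contractual baseline.

Added example with a hypothetical baseline and constructed log lines.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Hypothetical baseline: what each partner integration is contractually allowed
# to do (source networks, endpoints, service window in UTC, hourly volume cap).
BASELINE = {
    "logistics-partner": {
        "networks": [ip_network("203.0.113.0/24")],
        "endpoints": {"/api/v2/shipments", "/api/v2/tracking"},
        "hours": (time(6, 0), time(20, 0)),
        "max_bytes_per_hour": 50_000_000,
    },
    "payroll-provider": {
        "networks": [ip_network("198.51.100.0/26")],
        "endpoints": {"/api/v2/payroll/export"},
        "hours": (time(8, 0), time(18, 0)),
        "max_bytes_per_hour": 5_000_000,
    },
}

# Constructed sample log lines, format:
# "<ISO timestamp> partner=<id> src=<ip> path=<endpoint> bytes=<n>"
SAMPLE_LOG = """\
2024-03-04T09:15:02Z partner=logistics-partner src=203.0.113.17 path=/api/v2/shipments bytes=120000
2024-03-04T09:16:40Z partner=logistics-partner src=203.0.113.17 path=/api/v2/tracking bytes=8000
2024-03-04T02:41:10Z partner=payroll-provider src=198.51.100.9 path=/api/v2/payroll/export bytes=900000
2024-03-04T10:02:33Z partner=payroll-provider src=192.0.2.44 path=/api/v2/payroll/export bytes=4000
2024-03-04T11:30:00Z partner=logistics-partner src=203.0.113.20 path=/api/v2/admin/users bytes=500
2024-03-04T12:00:00Z partner=payroll-provider src=198.51.100.9 path=/api/v2/payroll/export bytes=3000000
2024-03-04T12:20:00Z partner=payroll-provider src=198.51.100.9 path=/api/v2/payroll/export bytes=3000000
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    partner: str
    src: str
    path: str
    nbytes: int


def parse_line(line: str) -> Event:
    """Parse one log line of the constructed format into an Event."""
    ts_str, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return Event(
        ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        partner=fields["partner"],
        src=fields["src"],
        path=fields["path"],
        nbytes=int(fields["bytes"]),
    )


def check_events(events, baseline=BASELINE):
    """Return (timestamp, partner, reason) for every deviation from the baseline."""
    findings = []
    volume = {}   # (partner, hour bucket) -> bytes seen so far
    capped = set()  # buckets already reported, so the cap fires once per hour
    for ev in events:
        rules = baseline.get(ev.partner)
        if rules is None:
            findings.append((ev.ts, ev.partner, "unknown partner identity"))
            continue
        if not any(ip_address(ev.src) in net for net in rules["networks"]):
            findings.append((ev.ts, ev.partner, f"source {ev.src} outside partner networks"))
        if ev.path not in rules["endpoints"]:
            findings.append((ev.ts, ev.partner, f"endpoint {ev.path} not in contract"))
        start, end = rules["hours"]
        if not (start <= ev.ts.time() < end):
            findings.append((ev.ts, ev.partner, "access outside agreed service window"))
        key = (ev.partner, ev.ts.replace(minute=0, second=0))
        volume[key] = volume.get(key, 0) + ev.nbytes
        if volume[key] > rules["max_bytes_per_hour"] and key not in capped:
            capped.add(key)
            findings.append((ev.ts, ev.partner, f"hourly volume {volume[key]} exceeds cap"))
    return findings


def run_sample():
    """Run the check over the constructed log and return the findings."""
    return check_events(parse_line(l) for l in SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ts, partner, reason in run_sample():
        print(f"{ts.isoformat()} {partner}: {reason}")
```

Each rule maps to one of the questions a reviewer of a partner interface would ask: is the traffic coming from where the partner said it would, is it touching only what the contract covers, is it happening when the partner is supposed to be working, and is the volume plausible. Alerting on a new endpoint or source network is what surfaces a partner account that has quietly been taken over.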
The Competence Group meeting was moderated by Markus Schaffrin, Head of Member Services, and Oliver Dehning, Leader of the eco Security Competence Group. Each presentation was followed by an open discussion among the participants, during which questions could be asked and comments and suggestions made regarding the presentations. The participants shared their experiences and opinions from their respective industries and organisations. The meeting ended with networking over finger food, where the participants took the opportunity to continue exchanging ideas.