Protecting Your Digital Supply Chain – Three Tips

Jul 21, 2021 | Cybersecurity

In his 2001 book From Analogue to Digital Supply Chains, Tony Hines coined the term “digital supply chain” to describe the electronic distribution of goods or services that had previously been supplied in physical form. The digital delivery of media, including movies (Netflix), books (Kindles), and music (MP3s), transformed the consumer experience. Similarly, the digital delivery of business software and services (not in a box!) transformed the organizational experience.

The digital supply chain has remained a relevant concept, especially as recent cyberattacks use digital supply chain vectors to exploit weaknesses in the interconnected digital business landscape. The massive SolarWinds attack stands out as a significant, far-reaching event that has left many organizations on high alert. Compounding SolarWinds, this summer’s Kaseya supply chain attack has many organizations wondering about the security threat that any third-party software provider can introduce.

Before signing a contract with a software provider, there are questions your organization can ask to understand the software’s security implications for the organization’s digital supply chain. After purchase and installation, there are actions your organization can take to protect against third-party software vulnerabilities and compromises. Here are three quick tips: what to ask before signing a contract with a third-party software provider, and what to put in place during the relationship.

Ask Questions

You might ask a potential software vendor these questions:

Does the vendor have an integrity process that checks for software updates?

Can the vendor’s software comply with security best practices, such as running in least-privilege mode? (Many software platforms require privileged mode, which means the software can take full control of the system on which it runs.)

Penetration Testing

Aside from questions (and relying on vendor attestations), penetration testing can provide valuable insight into whether an application has sound business logic and security controls in place (e.g., authentication, authorization, etc.). Also called a pentest or ethical hacking, penetration testing is an authorized, simulated cyberattack that demonstrates the potential for unauthorized parties to gain access to a system. Security Magazine offers a comprehensive overview of why penetration testing matters and practical steps to build a penetration testing program.

Behavior Monitoring

With vendor software that companies purchase and then install in their own environments, such as SolarWinds and Kaseya, it is especially important for customers to know the expected behavior of that software so they can monitor for the unexpected. A firm understanding of the software bill of materials (SBOM) will clarify the open source and commercial components of the solution and what might constitute a vulnerability. (However, your organization should not expect vendors to provide source code for review, as it is intellectual property.) A continuous monitoring solution should be in place to detect and alert when unusual modifications are made to the operating system or to installed software.
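The two checks described above, an integrity check on vendor-supplied updates (from the "Ask Questions" list) and detection of unexpected modifications to installed software (this section), come down to the same mechanism: hashing what was delivered or installed and comparing it against a trusted baseline. The following is an added example, not code from the article or from any vendor product. It builds a constructed install directory in a temporary folder, records a SHA-256 baseline, simulates a tampered binary and an unexpected new file, and reports the deviations a monitoring control would alert on. The file names, contents, and published digest are all constructed for the example.

```python
"""Added example: baseline-and-compare integrity checks for third-party software.

Not the article's or any vendor's code. All paths and contents below are
constructed inside a temporary directory so the script runs offline.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Classify deviations from the baseline: files added, removed, or modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline.keys() & current.keys() if baseline[p] != current[p]
        ),
    }


def verify_update(package: bytes, published_sha256: str) -> bool:
    """Integrity check for a downloaded update against a digest published out of band.

    compare_digest avoids timing differences; a mismatch means the package must
    not be installed. (In practice a signature over the digest is stronger still.)
    """
    actual = hashlib.sha256(package).hexdigest()
    return hmac.compare_digest(actual, published_sha256)


def demo() -> dict:
    """Constructed scenario: baseline a vendor install, then detect two changes."""
    with tempfile.TemporaryDirectory() as tmp:
        install = Path(tmp) / "vendor_agent"          # hypothetical install dir
        (install / "bin").mkdir(parents=True)
        (install / "bin" / "agent").write_bytes(b"original agent binary")
        (install / "config.ini").write_text("update_url=https://updates.example.invalid\n")

        baseline = hash_tree(install)                # taken right after a trusted install

        # Simulated unexpected changes after the baseline was recorded.
        (install / "bin" / "agent").write_bytes(b"tampered agent binary")
        (install / "bin" / "helper.dll").write_bytes(b"unexpected new file")

        return diff_baseline(baseline, hash_tree(install))


if __name__ == "__main__":
    report = demo()
    for kind, files in report.items():
        for name in files:
            print(f"ALERT {kind}: {name}")

    # Constructed update package and its digest, as a vendor might publish it.
    package = b"vendor update v2.1 payload"
    good_digest = hashlib.sha256(package).hexdigest()
    print("update verified:", verify_update(package, good_digest))
    print("tampered update verified:", verify_update(package + b"x", good_digest))
```

The baseline should be taken immediately after a trusted installation and stored somewhere the monitored host cannot rewrite; rerunning hash_tree on a schedule and alerting on any non-empty diff_baseline result is the core of a file-integrity monitoring control. Expected, vendor-initiated updates change the baseline too, which is why the update itself should pass verify_update (or a signature check) before the new baseline is accepted.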

Awareness is the First Step

The pervasiveness of cyberattacks in the past year brings a collective focus on the digital supply chain – those less-tangible processes and technologies that enable a more efficient business. The digital supply chain and the third parties you include in it are every bit as important as your physical supply chain. Your digital supply chain is a route by which your organization can come under cyberattack. Awareness of the vulnerability your vendors introduce is the first step towards mitigating the risk.

Nasser Fattah

A Senior Advisor to Shared Assessments, Nasser has 20+ years as a Cybersecurity, Supply Chain and IT leader. With a focus on customer-first and team-building approaches, Fattah is able to align programs to support company strategies, regulatory requirements, and growth initiatives. He drives cybersecurity, supply chain and IT as enablers for enterprise-wide transformation initiatives. He partners with executives to identify and select strategic external partners to deliver essential IT and cybersecurity services to the business. Nasser worked with a global parent company and its subsidiaries to establish technology standards to maximize investments and operational efficacy to best support business needs and growth. Nasser has a strong, consistent record of working successfully with Business and IT executives, regulators, auditors, and risk partners. Nasser also teaches cybersecurity at several colleges, and is the chair for North America Shared Assessments – an industry best-practices organization for supply chain.
