The Security Risk of Outsourcing Everything
Why would hackers attack 100 organisations individually when they can take down all 100 at once by attacking the software products that they all use?
Every day organisations are moving to cloud hosting & Software-as-a-Service (SaaS) based products. Many of these companies migrate to these systems as they’re easy to manage and can integrate with many other complementary products across an organisation, whilst also receiving updates for the software in real-time.
Across any given industry there are a small set of market leaders who provide the software and the largest organisations in the world will naturally prefer to utilise the top solutions. It’s easy to trust them when they have strong industry presence, and justification for procuring them is smooth for internal budget holders and external shareholders. What we don’t always think about are the macro-implications; now we have a large number of organisations that are heavily reliant on a single product.
Take a look at any accounting software used across major companies. If it’s managed by a cloud-based third-party on behalf of the company, then a single attack on that software provider would not only impact the accounting system of the individual company, but others who use that same product.
Global industries putting all their software eggs in one vendor’s basket is a very attractive proposition for an attacker: a single attack can scale across many different companies. In the case of Ransomware, attackers have asked themselves the following economic question: Why spend time managing and attacking 100 firms individually, receiving only a small amount of capital from each of them, when I can look to the biggest business-to-business software providers in an industry and target those, charging a huge amount to restore their systems so they can continue to deliver services to their clients?
Their answer has been clear: we’ve started to see an increase across the globe of software supply chain attacks, costing businesses billions of dollars in down-time and lost revenue.
But what can organisations do?
Look towards the space agencies.
Redundancy and failover have always been a key concept in space missions, ensuring that everything is built to a high standard, but it’s assumed that what can go wrong, will go wrong.
What does that mean for the rest of us that spend most of our time below the outer atmosphere? First, organisations need to have catalogued all their software products, mapping these to their dependent business functions. We need to know which are mission- critical for us to continue trading, as these create the greatest business risk. These should be prioritised, and backup providers evaluated, and a redundancy plan put in place to ensure any impact is minimal in case of failure.
This needs to be built from the ground up. When organisations run their procurement process for these mission-critical systems, a backup provider should be identified, and a failover deal should be negotiated in case the primary supplier goes down.
Lastly, but often overlooked, back-ups need to be stored in a format usable by a different product, instead of being tied to a single product.
Attackers gravitate towards the greatest reward for their input, and supply chain attacks on software providers are an attractive way to scale the impact of their work. Fortunately, organisations can put sufficient failovers in place to mitigate many of the risks they face when their supply chain becomes the target.