Supply Chain Security Audits: The Cat’s Whiskers of Cyber Protection

News and information from the Advent IM team.

Let’s face it: supply chains are a lot like cats. Unpredictable, occasionally troublesome, and yet, if something goes wrong, everyone notices. Imagine your feline friend knocking over a vase (in my case it’s almost always my mic) during a Teams call – chaos ensues. Now, replace the vase (or mic) with your company’s data and the cat with a hacker exploiting a supply chain vulnerability, and you have a serious problem on your hands. This is why supply chain security audits are as essential as keeping your cat away from the breakables…and AV equipment.

The Curious Cat and the Supply Chain

If you’ve ever had a cat, you know that they love to explore everything – boxes, cupboards, and, unfortunately, precariously stacked objects. Similarly, cybercriminals are just as curious, poking their noses into supply chain weaknesses that companies might not even know exist. The supply chain, after all, involves many third-party vendors, subcontractors, and software providers. Each one could inadvertently leave the door ajar for a hacker to stroll right in. Once they are in, they may hang around for weeks or even months, seeing where they can access and what they can find. They will spend time covering their tracks too…just like in the litter tray.

Take the example of SolarWinds. In 2020, attackers compromised the software build environment of this American IT company and inserted a backdoor into a legitimately signed update for its Orion platform. Up to 18,000 customers downloaded the trojanised update, including organisations in the UK, and because it arrived through the normal, trusted update channel, the attackers could slink through selected corporate and government networks unnoticed for months, much like a mischievous cat sneaking into the neighbour’s garden. It was one of the largest cyber-espionage campaigns in history, and it all began with a trusted third-party supplier.

The Importance of Supply Chain Security Audits

As any responsible cat owner will tell you, prevention is better than cure. Keeping your prized possessions out of reach (and ensuring the cat hasn’t developed teleportation skills) is key to avoiding chaos. The same logic applies to supply chains. A supply chain security audit is essentially a thorough check-up – an opportunity to identify vulnerabilities and ensure that all third parties in the chain are complying with security standards. It also gives you a chance to do some discovery: find out whether any fourth parties, or parties even further down the chain, also have access to your information. Has anything been subcontracted so that you no longer have sight of who holds your data? We all know cats like to spread themselves around and will very frequently get fed in many other places. Make sure no other cats are feasting on your data without your knowledge!

Without regular audits, you’re leaving the back door open for cybercriminals to exploit. And they’re just as opportunistic as the cat who pounces on an unguarded fish supper. One forgotten patch, one undeclared subcontractor holding your data, or one outdated system in your supply chain could lead to widespread disruption.
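The discovery step described above – working out who holds your data once your suppliers have subcontracted it onwards – is essentially a walk over a graph of suppliers and their sub-processors. The script below is an added example written for this post (it is not Advent IM tooling); the vendor names, data categories, register and approval list are all constructed for illustration. It computes which parties end up holding each category of data, taking into account that a supplier can only pass on what it actually received, and then flags any party holding data without an approval on file:

```python
"""Transitive data-access check over a constructed vendor register.

Added example, not Advent IM's code: walk the supplier graph to find every
party that transitively holds a category of our data, then report the ones
that were never approved for it. All names and data categories below are
constructed for illustration.
"""
from collections import deque

# Constructed register: party -> list of (sub-processor, data categories that
# the party says it passes on). Data originates with "us".
REGISTER = {
    "us": [("PayrollCo", {"employee_pii", "bank_details"}),
           ("CRM-SaaS", {"customer_pii"})],
    "PayrollCo": [("CloudHost-A", {"employee_pii", "bank_details"}),
                  ("PrintBureau", {"employee_pii"})],
    "CRM-SaaS": [("CloudHost-B", {"customer_pii"}),
                 ("EmailRelay", {"customer_pii"})],
    # Fourth party: PrintBureau claims to forward bank details too, but it
    # only ever received employee_pii, so that claim is discounted below.
    "PrintBureau": [("CourierCo", {"employee_pii", "bank_details"})],
}

# Constructed approval list: parties the audit file already covers, and the
# data categories each is approved to hold.
APPROVED = {
    "PayrollCo": {"employee_pii", "bank_details"},
    "CloudHost-A": {"employee_pii", "bank_details"},
    "PrintBureau": {"employee_pii"},
    "CRM-SaaS": {"customer_pii"},
    "CloudHost-B": {"customer_pii"},
}


def transitive_access(register, origin="us"):
    """Return {party: set of data categories} for every party reachable from origin.

    Worklist walk: a party is re-queued whenever a new category reaches it, so
    its own onward edges are re-evaluated. The forwarded set on each edge is
    intersected with what the forwarding party holds, because nobody can pass
    on data it never received. Each re-queue strictly grows a finite set, so the
    walk terminates even if the register contains cycles.
    """
    held = {origin: set().union(*(cats for _, cats in register.get(origin, [])))}
    queue = deque([origin])
    while queue:
        party = queue.popleft()
        for downstream, declared in register.get(party, []):
            forwarded = declared & held[party]
            current = held.setdefault(downstream, set())
            if not forwarded <= current:
                current |= forwarded
                queue.append(downstream)
    held.pop(origin)  # we are the source, not a third party
    return held


def unapproved_access(held, approved):
    """Return {party: categories it holds with no approval on file}."""
    findings = {}
    for party, cats in held.items():
        gap = cats - approved.get(party, set())
        if gap:
            findings[party] = gap
    return findings


if __name__ == "__main__":
    holders = transitive_access(REGISTER)
    for party, gap in sorted(unapproved_access(holders, APPROVED).items()):
        print(f"{party}: holds {sorted(gap)} with no approval on file")
```

On the constructed register this reports EmailRelay (customer data sent on by the CRM supplier) and CourierCo (a fourth party two hops away), which are exactly the "other cats" an audit needs to surface. In practice the register would be built from each supplier's contractual sub-processor list, and the approval list from your own supplier due-diligence records.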

The Furball of High-Profile Incidents

In recent years, there have been plenty of examples of supply chain failures causing security headaches. Here are just a few that have had organisations, much like cat owners trying to coax a particularly uncooperative feline out from under the bed, scrambling to clean up the mess.

  1. The Kaseya Incident (2021): In a breach that quickly spiralled into chaos, the REvil ransomware group exploited a previously unknown vulnerability in Kaseya’s VSA remote management software, which is used by managed service providers, and pushed ransomware down through those providers to hundreds of their customers. This wasn’t just a case of one company being hit; it was a domino effect. Like a cat knocking over a stack of plates, the ripple effect was devastating, as Kaseya’s customers and their clients were affected. The lesson here? One small gap in your supply chain can lead to widespread catastrophe.
  2. NotPetya (2017): Destructive malware delivered through a compromised update to M.E.Doc, accounting software used by most businesses in Ukraine, quickly spread across international networks, hitting companies such as Maersk and FedEx (through its TNT Express subsidiary). The cost? Maersk alone put its losses at $250 to $300 million. It was the cyber equivalent of a grumpy cat tearing through your favourite curtains – but instead of fabric, it was hundreds of millions in damage. All because of a weak link in the supply chain.
  3. Supermicro (2018): Although never substantiated, and strongly denied by Supermicro and its customers, the Bloomberg report alleging that Chinese spies had implanted malicious chips on Supermicro motherboards caused a significant stir. Whether or not these tiny ‘spy kittens’ existed, the story highlighted the need for businesses to scrutinise the integrity of their hardware supply chains, especially when they span multiple countries.

The Nine Lives of Supply Chain Security

Now, much like cats are said to have nine lives, companies must develop multiple layers of security to protect against supply chain breaches. Regular supply chain security audits are a crucial step in ensuring you don’t lose any of those precious lives to a cyberattack. Here are some steps that companies can take:

  1. Vet Your Vendors: Just as you wouldn’t let your cat roam around a neighbour’s house full of dog treats, you need to be selective about your vendors. Ensure they have robust security measures in place and that they’re not inadvertently opening the door to cyber threats. Make sure you know about all data sharing.
  2. Monitor Regularly: Cats are sneaky. One moment they’re asleep, and the next they’re climbing the curtains. Similarly, supply chain security should be continuously monitored, with regular audits to spot any changes or new vulnerabilities.
  3. Ensure Compliance: Make sure all third parties meet recognised standards such as ISO 27001 and the regulations that apply to your sector, such as UK GDPR where personal data is involved, and ask for evidence rather than taking their word for it. A breach in one part of the chain can affect everyone else – it’s like having one cat door in the neighbourhood. If it’s unsecured, all the cats are getting in.
  4. Incident Response Plans: Despite your best efforts, sometimes the cat will get out of the bag (or in this case, the hacker will). Having a robust incident response plan ensures that you can quickly isolate and mitigate the effects of a breach.

Closing the Cat Flap

In the world of cyber threats, the supply chain is often a weak link – a tempting target for hackers who are always on the prowl, much like a curious cat. Regular supply chain security audits help companies identify and close vulnerabilities before they can be exploited. So, the next time you’re sitting at your desk and hear the unmistakable sound of a crash from the next room, think of your supply chain. Is it as secure as it should be, or is it about to be pounced on?

In the end, keeping a close eye on your supply chain is just like keeping an eye on your cat. It’s about prevention, protection, and ensuring that things don’t spiral out of control when you’re not looking. After all, in both cases, the consequences can be far more disruptive than you ever anticipated.
