Published in Harvard Business Review, this article explores three strategies to secure digital supply chains. Digital supply chains consist of software products that rely on software code from open-source libraries or other software vendors.

Those digital supply chains are vulnerable to cyberattacks. Recent examples are the cyberattacks on Kaseya and SolarWinds – or the attack described in Sygnia’s recent research, which we feature in this Spotlight edition.

Summary:

  • Today, most software products contain code that the software company's own engineers did not write; it was pre-written by other vendors or imported from open-source libraries.
  • However, these dependencies introduce vulnerabilities, because each entity in such a software ecosystem places trust in the other entities.
  • A recent study found that companies experienced 400% more supply chain attacks between July 2019 and March 2020 than combined in all four preceding years.
  • To better understand how threats within the digital supply chain are managed, the article's authors interviewed executives at small and medium-sized businesses.
  • Based on these interviews and the data, the authors derive three strategies for securing a company’s digital supply chain:
  1. IT managers should rely more on automated tools to fix simple vulnerabilities.
  2. Businesses should conduct a cost-benefit analysis for vulnerability patching.
  3. Procurers should demand that critical technology vendors implement “hot patching” (that is, patching a vulnerability without having to restart the software; this matters for industrial control systems that cannot afford downtime).


Why does this matter for businesses?

  • Conventional supply chains are easy to picture: trucks arriving at gates to load and unload goods. Digital supply chains are harder to visualise because software code is intangible.
  • But these digital supply chains also provide high exposure to cyber threats (see, for example, the Sygnia investigation).
