Back to Spotlight

Published at Harvard Business Review, this article explores three strategies to secure digital supply chains. Digital supply chains consist of software products that themselves rely on software code from open-source libraries or other software vendors.


Those digital supply chains are vulnerable to cyberattack. Recent examples are the cyberattacks on Kaseya and SolarWinds – or the attack described in Sygnia’s recent research, which we feature in this Spotlight edition.


  • Today, most software products consist of code that wasn’t written by IT engineers of the software’s company. Rather, they were pre-written by other vendors, or imported from open-source libraries.
  • But these dependencies introduce vulnerabilities, because each entity in such software ecosystem places trust in other entities.
  • A recent study found that companies experienced 400% more supply chain attacks between July 2019 and March 2020 than in all four preceding years combined.
  • To understand better how the threat within digital supply chain is managed, the authors of the article conducted interviews with executives in small and medium sized businesses.
  • Based on the interview and data, the authors derive three strategies to secure a company’s digital supply chain.
  1. IT managers should rely more on automated tools to fix simple vulnerabilities.
  2. Businesses should conduct cost-benefit analysis for vulnerability patching.
  3. Procurers should demand that critical technology vendors implement “hot patching” (that is, patching a vulnerability without having to reboot the software. This is important for industrial control systems that cannot afford downtime).


Why does this matter for businesses?

  • Conventional supply chains are easy to visually picture: trucks arriving at gates with goods being loaded and unloaded. Digital supply chains are harder to visualise, because software code is intangible.
  • But these digital supply chains also provide high exposure to cyber threats (see, for example, the Sygnia investigation).


View the full article here