It’s time to secure the extended digital supply chain


Organizations’ increasing reliance on third-party software and services has created an environment with more vulnerabilities and harder-to-detect risks. Attackers know they can increase efficiency and profitability by compromising the supply chain and are focusing their efforts accordingly.

The commoditization of the cloud has only exacerbated this challenge. Companies are rapidly increasing the number of cloud-based services they rely upon, often without fully understanding how they connect to their broader network.

How regulations are piling on supply chain pressure

To help strengthen cyber resilience, the EU has introduced regulations such as DORA and NIS2. Both place greater emphasis on securing supply chains and seek to hold businesses accountable for their cybersecurity practices.

DORA specifically addresses IT service providers, taking a very prescriptive approach that gives financial organizations and their suppliers a clear path to compliance. It strongly emphasizes understanding third-party risks as part of wider efforts to safeguard operational continuity.

The regulation aims to improve operational resilience across the financial sector. Financial companies must identify the systems and data that pose the most significant risk to their operations, and work backwards to trace attack paths, extending this to their supply chains.

NIS2 also emphasizes supply chain risk for critical infrastructure. Its risk management requirements include stronger policies around supply chain security, although it is less specific than DORA. Again, operational resilience is the primary goal here, ensuring that critical services can continue to operate even while under attack.

Adopting a risk-based approach to supply chain security

All organizations are at risk from supply chain vulnerabilities, and there is no one-size-fits-all solution for supply chain risk.

Regardless of budgets, every organization must adopt a risk-based approach to securing supply chains. This means focusing efforts on the most critical assets, workloads and networks – anything that will cause significant operational and reputational damage in the event of a breach.

Once these have been identified, security teams can work backwards to discover potential attack routes and the greatest areas of vulnerability. These attack paths can then be traced outside of the company to any third parties. This covers a range of connections, from cloud-based accounting and payroll software to contractors or cleaners with system access. Any part of the supply chain with a degree of network access has the potential to be exploited in an attack.

Then, with visibility of all inbound and outbound connections to suppliers, the next step is to govern and restrict access between resources. Implementing a zero trust approach is an important part of this process. The “trust nothing, verify everything” model removes implicit trust from the supply chain, ensuring that threat actors cannot readily breach their targets without further verification.

While the EU hasn’t mandated a zero trust approach, many aspects of DORA and NIS2 compliance naturally align with the strategy. By locking down system access to essential, verified users only, the approach drastically reduces the threat from an extended digital supply chain.

Resilience is more achievable than prevention

While preventing an incident from occurring is ideal, it is not always possible. Cases like the infamous SolarWinds supply chain attack, where malware is pushed out through legitimate software that has already been installed, are very hard to stop. However, proactive breach containment measures, like microsegmentation, can mitigate the operational impact of an attack.

Resilience is a more achievable goal than prevention. By understanding where their greatest threats are, organizations can prioritize their defenses.

Dividing the environment into secure zones, enforced with strict verification processes through zero trust, will provide an effective barrier against attacks seeking to exploit trusted third parties to access the network. And attacks that have already entered the system will likewise be prevented from readily achieving lateral movement to access critical assets.

This stops threat actors and malware from moving readily across the network and supports the flexible, pragmatic security management and risk-based approach emphasized by DORA and NIS2.
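As an added illustration of the risk-based procedure described earlier (identify the critical assets, work backwards, trace attack paths out to third parties, then govern and restrict access) and of the microsegmentation barrier described in this final section, the following Python script is not part of the original article. It models a constructed inventory of internal systems and supplier connections, enumerates every path from a third-party entry point to a critical asset on a flat network, and then re-runs the same check after a default-deny allowlist is applied. All system names, connections and the allowlist are made up for the example; the residual paths it reports are the places where verification at each hop matters most.

```python
"""Trace supply-chain attack paths and measure the effect of microsegmentation.

Constructed example: every node and edge below is invented for illustration.
An edge "a" -> "b" means a can open a connection to b, i.e. b implicitly trusts a.
"""
from collections import defaultdict

# Flat network: implicit trust everywhere a connection is physically possible.
FLAT_NETWORK = {
    "payroll-saas": ["finance-app"],
    "contractor-vpn": ["jump-host"],
    "cleaner-badge-pc": ["guest-wifi"],
    "guest-wifi": ["file-server"],
    "file-server": ["domain-controller", "finance-app"],
    "jump-host": ["domain-controller"],
    "domain-controller": ["core-banking-db", "trading-platform"],
    "finance-app": ["core-banking-db"],
    "core-banking-db": [],
    "trading-platform": [],
}

# Third-party connections into the network, and the assets whose loss would
# cause the greatest operational damage (the "work backwards" starting point).
THIRD_PARTY_ENTRY = {"payroll-saas", "contractor-vpn", "cleaner-badge-pc"}
CRITICAL_ASSETS = {"core-banking-db", "trading-platform"}

# Hypothetical zero-trust allowlist: only flows with a documented business
# need survive; everything else is denied by default.
ALLOWLIST = {
    ("payroll-saas", "finance-app"),
    ("finance-app", "core-banking-db"),
    ("contractor-vpn", "jump-host"),
    ("jump-host", "domain-controller"),
    ("domain-controller", "trading-platform"),
}


def attack_paths(graph, sources, targets):
    """Enumerate every simple path from a third-party entry point to a critical asset."""
    found = []

    def walk(node, path):
        if node in targets and len(path) > 1:
            found.append(list(path))  # reached a critical asset; stop here
            return
        for nxt in graph.get(node, []):
            if nxt not in path:  # simple paths only, no cycles
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    for src in sorted(sources):
        walk(src, [src])
    return found


def upstream_of(graph, asset):
    """Work backwards from one critical asset: every node that has a path to it."""
    reverse = defaultdict(set)
    for src, dsts in graph.items():
        for dst in dsts:
            reverse[dst].add(src)
    seen, stack = set(), [asset]
    while stack:
        for prev in reverse[stack.pop()]:
            if prev not in seen:
                seen.add(prev)
                stack.append(prev)
    return seen


def exposure(graph, sources, targets):
    """Summarise which critical assets each third party can reach and via how many paths."""
    paths = attack_paths(graph, sources, targets)
    reach = defaultdict(set)
    for p in paths:
        reach[p[0]].add(p[-1])
    return {
        "path_count": len(paths),
        "reachable": {src: sorted(assets) for src, assets in reach.items()},
        "paths": paths,
    }


def segment(graph, allowlist):
    """Microsegmentation as default deny: keep only explicitly allowed (src, dst) flows."""
    return {src: [d for d in dsts if (src, d) in allowlist] for src, dsts in graph.items()}


if __name__ == "__main__":
    for label, graph in (("flat", FLAT_NETWORK), ("segmented", segment(FLAT_NETWORK, ALLOWLIST))):
        report = exposure(graph, THIRD_PARTY_ENTRY, CRITICAL_ASSETS)
        print(f"[{label}] {report['path_count']} attack path(s)")
        for p in report["paths"]:
            print("   " + " -> ".join(p))
        print(f"   upstream of core-banking-db: {sorted(upstream_of(graph, 'core-banking-db'))}")
```

On the flat network every third party, including the cleaner's badge PC via guest Wi-Fi, has a route to a critical asset. After the allowlist is applied the cleaner and the file server drop out entirely, but two paths remain because they follow legitimately allowed flows; those are the hops where zero-trust verification (per-request authentication at the jump host and the finance application) has to hold, and where a segmentation review should ask whether the transitive reach is really intended.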