For instance, a recent attack against software developed by SolarWinds Corp. shows just how much work needs to be done for companies at all stages of the supply chain to be better prepared for potential intrusion attempts, according to Bloomberg News. The extent of the damage caused by this hack is not yet fully understood, but there is evidence to suggest that it's quite significant and far-reaching.
The reason is relatively simple: Because so many aspects of the global supply chain are interconnected, even a relatively narrowly focused attack can have a massive impact, the report said. Again, experts have been ringing this alarm bell for some time, yet preparedness seems to be lacking.
Caught in the lurch
The federal Government Accountability Office recently issued a report on the effects of the SolarWinds breach, because it affected a number of government agencies, and it's more than fair to say the findings were not encouraging for the industry, according to Nextgov. Many of the issues that led agencies to be affected are considered "foundational" — and therefore more than a little difficult to sort out.
The GAO found that industry best practices for data security, recommended by the National Institute of Standards and Technology, are broadly not being followed, Nextgov reported. Of 23 civilian agencies the GAO examined, none had implemented all seven NIST recommendations, and 14 of them — more than 60% — had not implemented a single one.
"NIST came out with their guidance back in 2015," Carol Harris, director of GAO's IT and cybersecurity team, told the site. "In fact, they had updated their cybersecurity framework and their risk management framework to include supply chain risk considerations in 2018. So, the guidance was out there."
The private risk
With the above issues in mind, it's quite likely that similar vulnerabilities are lurking for private organizations that have not conducted an audit of their own preparedness, according to the Forbes Technology Council. Therefore, now is the time for companies to look at the software they use, the data they share with their partners, and what they might be able to do to address their unique security concerns.
That will undoubtedly require all significant stakeholders to look at your operations, the kind of software you use, data you share and so on, to determine what vulnerabilities could exist. This is hardly a set-it-and-forget-it effort, and you should be prepared to regularly conduct this kind of audit to make sure you are as prepared as possible for any threat that might arise.