by Bharat Mistry
We all know that the success or otherwise of most modern organisations depends to a large degree on their supply chains. From professional services partners to software providers and transportation contractors, an average enterprise could maintain hundreds of these partnerships. But each of them can introduce extra risk to the business, especially in the cyber domain.
Trend Micro’s newly released 2020 predictions report highlights some of the key areas where organisations may be exposed next year: from cloud and managed service providers (MSPs), new DevOps dependencies and even supply chain risks associated with their remote workers.
A new spin on an old risk
Supply chain risk is not a new phenomenon per se. The infamous NotPetya ransomware attacks of 2017 were introduced via the software supply chain, through a compromised update to widely used accounting software, while Operation Cloud Hopper was a major attack campaign that targeted global organisations through their MSPs.
However, the scale of the threat coming down the line requires urgent attention. It stems to a large degree from the way organisations are changing how they work. Digital transformation is viewed by many as an essential driver of business growth, enabling firms to respond with agility to changing market demands. In practice, this means cloud and DevOps increasingly taking centre stage in the IT departments of the coming decade.
More agility, more risk?
Unfortunately, this will introduce new cyber risk. First, organisations’ increasing reliance on third-party cloud providers will encourage attackers to go after data stored in these accounts, via code injection attacks that exploit deserialisation bugs, cross-site scripting and SQL injection. They will also capitalise on misconfigured accounts, where a single permissive setting can expose stored data to the public-facing internet.
Next, they will look to exploit DevOps teams’ reliance on third-party code in container images and libraries to compromise microservices and serverless environments. As these architectures become increasingly commonplace, so will attacks on them.
The risk posed by MSPs will also escalate, because a single compromised provider gives attackers access to many customers at once and therefore a much higher return on effort. Such threats will imperil corporate and customer data, and even pose a risk to smart factory and other operational environments.
Finally, supply chain risk may come from an unlikely source in 2020 and beyond. As remote and home working becomes the norm for many employees, attackers may come to view these workers as a handy stepping-stone into corporate networks. Whether they are logging on via unsecured public Wi-Fi hotspots or at home, where flaws in smart home devices could provide an unlocked door to sneak through, these employees need to be considered as part of a holistic enterprise risk management strategy.
What to do
It will be tough for CISOs to keep up with the rapid pace of technological change as we head through the next decade. But it’s vital that teams are equipped with the right tools and strategies to manage these third-party risks and other threats to the bottom line and corporate reputation. Here’s a snapshot of advice offered in the report:
- Improve due diligence of cloud providers and MSPs
- Conduct regular vulnerability and risk assessments on third parties
- Invest in security tools to scan for vulnerabilities and malware in third-party components
- Consider Cloud Security Posture Management (CSPM) tools to help minimise the risk of misconfigurations
- Revisit security policies regarding home and remote workers
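To make the misconfiguration and CSPM points concrete, here is an added example of the kind of check a CSPM tool runs; it is not code from the Trend Micro report or from its author. It evaluates an S3 bucket policy and ACL for grants to everyone, which is the most common way data in a cloud account ends up on the public internet. The sample policies, ACLs, bucket names and the VPC endpoint ID are constructed for the example (the account ID is AWS’s documented placeholder); a real tool would pull them from the provider API for every bucket in the account.

```python
# Added example, not from the Trend Micro report: a CSPM-style check that
# flags S3 bucket policies and ACLs granting access to everyone.
# Sample documents below are constructed for this example.
import json

# Group URIs that AWS treats as "everyone" / "any AWS account" in bucket ACLs.
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True when a statement's Principal matches anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_findings(policy_json):
    """Return Allow statements whose Principal is everyone.

    A statement that also carries a Condition (e.g. a VPC endpoint or source
    IP restriction) is reported as 'review' rather than 'public': the
    condition may narrow the grant, but a scanner should not silently trust it.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_public(stmt.get("Principal")):
            continue
        findings.append({
            "statement": stmt.get("Sid", f"statement-{idx}"),
            "actions": _as_list(stmt.get("Action")),
            "severity": "review" if stmt.get("Condition") else "public",
        })
    return findings


def public_acl_findings(acl):
    """Return ACL grants made to the global AllUsers/AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GRANTEES:
            findings.append({"grantee": grantee["URI"], "permission": grant.get("Permission")})
    return findings


def assess_bucket(name, policy_json, acl):
    """Combine policy and ACL findings into one verdict for a bucket."""
    policy_findings = public_policy_findings(policy_json)
    acl_findings = public_acl_findings(acl)
    return {
        "bucket": name,
        "public": any(f["severity"] == "public" for f in policy_findings) or bool(acl_findings),
        "needs_review": any(f["severity"] == "review" for f in policy_findings),
        "policy_findings": policy_findings,
        "acl_findings": acl_findings,
    }


# Constructed samples shaped like get-bucket-policy / get-bucket-acl output.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-web-assets/*"}]})
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AccountOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-customer-data/*"}]})
CONDITIONAL_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-internal/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})
PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser",
    "ID": "example-owner-canonical-id"}, "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    for name, policy, acl in [("example-web-assets", PUBLIC_POLICY, PUBLIC_ACL),
                              ("example-customer-data", PRIVATE_POLICY, PRIVATE_ACL),
                              ("example-internal", CONDITIONAL_POLICY, PRIVATE_ACL)]:
        print(json.dumps(assess_bucket(name, policy, acl), indent=2))
```

The check is deliberately conservative: a wildcard principal with a Condition is surfaced for human review rather than auto-cleared, because a mistyped condition key turns a "VPC only" grant into a public one. In practice this kind of scan sits alongside account-level Block Public Access, which prevents the misconfiguration from taking effect in the first place; the scanner's job is to catch the buckets where that guard rail was switched off.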
To find out more on our predictions for 2020 and advice on how best to manage risk in your business, check out the report here.