Recent supply chain attacks such as SolarWinds and Mimecast have shown that these types of attacks are definitely on the increase for enterprises. You might think that as a small to medium business (SMB), you have less to worry about compared to an enterprise. But SMBs have just as much – if not more – to worry about with software supply chain attacks.  

Keep in mind that after a software supply cyber attack, it’s the CEO of the third party that is taken to task. Fortunately, with the right leadership, a good CEO can put a system in place that can minimize the risk from software supply chain attacks.   

Before we elaborate on the risks to SMBs, however, let’s take a moment to briefly explain what a software supply chain attack entails.  

What is a Software Supply Chain Cyber Attack? 

A supply chain attack occurs when an attacker succeeds in penetrating an organization’s system through malware installed on the software application of a supplier or third party. Attackers do this by discovering vulnerabilities in source codes, unsecured network protocols, or unsecured third-party servers or update mechanisms. Just one weak link in the supply chain is all that is necessary for an attack. 
The goal of the supply chain malware is to manipulate the open-source code and steal data, access other parts of the organization’s network, or damage additional systems.

Why are SMBs at Increased Risk of Software Supply Chain Attacks? 

With fewer resources than their enterprise counterparts, SMBs rely much more heavily on outsourcing for many aspects of their organization. Managing these third parties can become quite challenging. Half of SMBs report struggling to manage their suppliers. And over a third have no idea how many external suppliers they use!  

The combined reliance on third parties and the inability to manage them make SMBs more susceptible to software supply chain attacks. According to cybersecurity experts, last year alone saw a 430% increase in software supply chain attacks.  

Here are a few more reasons for their increased risk:  

SMB reliance on third parties makes it difficult to trace the data  

SMBs often relinquish the task of managing their suppliers to their partners. But that means they give up control over their supply chain. That also makes it difficult for them to ensure that third-party vendors are working in a manner that provides maximum protection. For example, it’s nearly impossible for SMBs to comply with different industry regulations which stipulate that they must trace their data. 

The entire client database is exposed to a third party  

Since SMBs aren’t able to ascertain whether or not the third party is working with their data securely, it means that their client database is often exposed. Exposed client databases are easily discovered by malicious threat actors and sold – or even distributed freely – on dark web forums, marketplaces, and paste sites.  

SMBs are held responsible for attacks that are the fault of the third-party  

The worst part for SMBs is that even though they are forced to give up control for parts of their supply chain, it is responsible in the event of a software supply chain attack accruing from a third party. These can include fines as well. The European Union’s General Data Protection Regulation (GDPR) requires a business to inform its customers of a data breach. The United States has similar regulations.  

The data lifecycle is often out of an SMB’s reach  

Regulators also require that exposed data records be deleted. But because of the way that data flows through an SMB and its reliance on third parties, the data lifecycle is often out of an SMB’s reach. This makes it difficult to locate the exposed data records, much less delete them.   

How Can SMBs Mitigate Damage from a Software Supply Chain Attack?  

For all businesses, it’s the data that presents the most risk. Just like enterprises, SMBs need to be aware of threat actors that are attempting to gain access to their data. That means staying up to date on the latest methods hackers are using and their latest targets. If your organization doesn’t have the resources for keeping up with the latest best cybersecurity practices, consider finding a cybersecurity organization or solution to do it for you.  

Here are a few suggestions for how you can start protecting your data within your organization:  

• Control who has access to your data. Employ the least privilege and zero trust principles and appoint only specific individuals within the third party who are allowed access to your data. This is critical for protecting key vectors like applications, your network, and mobile device operating systems. 

• Regularly update passwords. Strong passwords are key to mitigating cyber attacks since they are harder for cybercriminals to exploit. In addition, any damage done from an old leaked password can be significantly reduced if passwords are reset on a regular basis.  

• Make sure your network is secure. Limit the number of software applications that are accessible throughout the network. With remote workforces, endpoint protection is critical. Educate your employees on best cybersecurity practices for their phones, desktops, and tablets.  

• Tighten your due diligence, and learn more about the due diligence of your third parties. Start to put auditing and assessment processes in place that include reviewing service level agreements. Choose suppliers with trusted security standards and best practices in place. 

Paving the Road for Cybersecurity Success  

A good cybersecurity plan starts with awareness and education within your organization. With the right vision and leadership, a CEO can build the right atmosphere to help put these processes in place. Although critical steps need to be taken inside your organization, you’ll probably also need to rely on resources outside your organization as well. To make sure you know the risk to your data at all times, your organization will need to also consider putting a thirty-party management system in place. Together these systems can help your SMB create strong cybersecurity practices that rival the strength of an enterprise.