Software supply chain cyberattacks are an important vulnerability facing corporations — and one CFOs and the finance department need to be aware of as risks to both internal business operations and product development.
A report from the Atlantic Council last year found cyberattacks on software supply chains, which include everything that goes into the open-source and proprietary code used to develop and deploy applications, can infiltrate deep into an organisation’s technology stack, undermining development and administrative tools, code signing, and device firmware. These attacks arrive through otherwise trusted software, be it compromised updates or third-party systems, in which undetected vulnerabilities allow the spread of malware and other problems in a hyperconnected world. (Experts offer their thoughts on best prevention tips below.)
CFOs must work closely with the IT and information security departments and be “active participants in the software selection process and digital transformation of the company”, said Ruslan Yusufov, managing partner at the Russian tech think tank MINDSMITH. “The issue of supply chain cyber risks should not be underplayed.”
He pointed to a significant 2018 incident in which Ticketmaster UK disclosed that cybercriminals stole data from about 5% of its global customer base via suppliers.
These types of cyberbreaches are on the rise and expensive to suffer through. Research by Symantec showed that supply chain cyberattacks had increased by 78% in 2018. And 66% of respondents from a CrowdStrike survey indicated their organisation had experienced a software supply chain incident in the prior year, with those attacks inflicting an average financial cost of $1.1 million.
Given the extent and scope of these threats, Yusufov said the overall best advice for CFOs is to “constantly develop knowledge in the area of cybersecurity and be aware of supply chain security risks”.
Outsourcing, prebuilt code pose risks
As organisations increasingly outsource IT management and services to cloud computing and managed service providers (MSPs), the risk corporations face is magnified, as happened in 2018 when 11 Saudi MSPs were exposed, according to the Atlantic Council report.
A similar kind of concentration is present in software development where firms can buy prebuilt code from third parties for complex or widely encountered tasks, the Atlantic Council researchers found.
The Atlantic Council report found five key vectors for attacks on the software supply chain: state actors, dangerous updates, undermining code signing, open-source compromise, and app store attacks. (Editor’s note: Check out the report for more detailed descriptions and examples of these vectors.)
That’s a lot to track. While the precise technical details will likely not fall to the CFO, responsibility for the overall protocols that guard against these vulnerabilities might.
How to mitigate software supply chain risks
Assessing and addressing risk are the first steps CFOs can take to combat software vulnerabilities.
“CFOs must work closely with their [chief information security officers] in properly vetting the security practices of their most important third parties’ vendors — and most critically, when a customer’s data is being accessed by that third party,” said Todd Graber, CPA, and the CFO at SecurityScorecard, a New York City-based cybersecurity firm that analyses and rates company cybersecurity practices.
As more companies are transitioning their critical services to web-based platforms, Graber said there has been a “substantial increase” in third-party breaches, including disruptions to companies’ supply chains. Current threats, he said, include unauthorised cloud access, ransomware attacks propagated via third-party access, exposure of customer data, and tampering with physical devices, including those on the internet of things.
“The partnership between the CFO and CISO (chief information security officer) team is critical,” Graber said.
He suggests identifying all the potential risks and determining what can be addressed in-house through policies, procedures, and software programs and what can be mitigated through cyber insurance.
Lisa Cranston, ACMA, CGMA, the CFO of the UK-based Protection Group International, said weighing software supply chain threats must be a key part of the job.
“Like many CFOs, I have a key stake in company risk, so I’m conscious of how important cybersecurity is as part of the risk management process,” Cranston said.
Just because your company takes cybersecurity risks seriously doesn’t mean suppliers have that same level of concern about security and risk, she said.
As she put it, “Being on top of cybersecurity measures here doesn’t mean any of our suppliers have the same level of assurance or risk appetite.”
Some suppliers will require access to IT infrastructure, which increases risk, she said.
It’s vital, she said, to understand how suppliers themselves are defending against cyberthreats and put in place minimum requirements. Cranston pointed out, for instance, that in the UK, Cyber Essentials and ISO 27001 are minimum requirements for doing business with a number of government and corporate organisations.
In the US, System and Organization Controls (SOC) reports are a standard tool for CFOs to better understand the cybersecurity risks in their organisation’s software supply chain, but Cranston said that is not necessarily the case elsewhere.
Although SOC reports are used in the UK, they do not appear to be as prevalent as they are in the US, she said.
“We typically see them for validating controls in data centres and for organisations such as service providers that are infrastructure-hosting providers,” she said. “We would not want to suggest every organisation requires one as part of a supply chain assessment.”
With that in mind, Cranston offered a list of questions CFOs should ask about software suppliers:
- Do suppliers have appropriate technical measures such as penetration testing?
- Do they have defined policies, procedures, and responsibilities for maintaining security including an information security management system?
- Do they ensure that staff are aware of security threats and can recognise and report them?
- Do they have defined procedures and responsibilities for managing incidents and breaches, and will they inform you in a timely manner if data has been compromised? Are they geared up to deal with security incidents? Can they define incident reporting requirements? How often are incident response plans tested?
- Do they have suitable business continuity plans in place? What happens if the supplier’s service is compromised? Can they define their service-level agreements?
There are additional steps CFOs should take, she said. Those steps include:
Ensuring critical data is regularly backed up and stored securely
This will not necessarily prevent a ransomware infection, she said, but the fact that you can still access your data and continue operating will negate the need to pay the ransom. These attacks are traditionally very successful for cybercriminals because many individuals and organisations do not regularly back up their important data, so when a ransomware attack does strike, they are forced to pay the ransom as their only option to restore their data and keep the organisation running.
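A backup only negates the ransom if it is still intact when you need it, so a practical check is to record a digest of every backed-up file at backup time and re-verify against that record before trusting the copy. The following is an added illustration, not code from the article or from any of the firms quoted in it; the file names, contents and the simulated tampering are all constructed, and the manifest is assumed to be kept somewhere the backup medium itself cannot overwrite.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example (not from the article). A backup set is described by a manifest of
# SHA-256 digests taken at backup time. Re-checking the manifest before relying on
# the backup catches copies that were silently encrypted, replaced or deleted.

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map each file's path (relative to the backup root) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(backup_root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(backup_root).as_posix()] = sha256_file(p)
    return manifest


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the backup set on disk with the stored manifest.

    Returns the files that are missing, modified (digest mismatch) or unexpected
    (present on disk but absent from the manifest), plus an overall ok flag.
    """
    current = build_manifest(backup_root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return {
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
        "ok": not (missing or modified or unexpected),
    }


def demo() -> dict:
    """Build a constructed backup set, record its manifest, simulate damage, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample files standing in for finance data.
        (root / "ledger.csv").write_text("2024-01-01,invoice,1000\n")
        (root / "reports").mkdir()
        (root / "reports" / "q1.txt").write_text("quarterly summary\n")

        manifest = build_manifest(root)          # would be stored off the backup medium
        assert verify_backup(root, manifest)["ok"]

        # Simulate ransomware-style damage: one file overwritten, one replaced by a
        # ".locked" copy. The manifest, kept elsewhere, still describes the good state.
        (root / "ledger.csv").write_bytes(b"\x00garbage")
        (root / "reports" / "q1.txt").unlink()
        (root / "reports" / "q1.txt.locked").write_bytes(b"encrypted")

        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the design is that the manifest is written once and stored separately from the backup it describes (for example on write-once or offline media); if both sit on the same share, whatever encrypts the backup can rewrite the manifest too. A restore drill that runs this check against the actual backup copy is the evidence a CFO can ask for that "we have backups" means "we can recover".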
If possible, working with suppliers who don’t demand access to the IT server
If a supplier is making demands of your business that you think are unreasonable in the given circumstances, you can certainly seek alternative services, Cranston said. In reality, every supplier will carry some risk, so your organisation will need to assess each supplier on its own merits and make an informed decision about the level of risk you are willing to accept in your organisation.
Developing incident response protocols before a breach
Organisations should be practising their incident response (IR) plans so that everyone in the company is aware of their roles and responsibilities in case of a real cyber breach, Cranston said. Part of this should also involve contacting any relevant regulatory bodies and IR consultancies as part of that practice to establish key contacts and liaison points in advance of a real event. CFOs can also consider seeking out an IR consultancy as part of this preparation process as well.
The exact response will depend on the scale of the incident, she said.
“Anything that could have reputational damage or significant cost would likely involve the CFO, particularly where the deployment of resources or investment is required,” she said.
She offered another chilling piece of advice that assumes the worst.
“It is also very useful,” she said, “for a CFO to know the value of their data and assets before an incident occurs, in order to make an accurate assessment of the maximum the organisation would be willing to pay to remediate the issue or potentially pay a ransom.”
That, of course, is the worst-case scenario. And it is a risk CFOs can help their companies avoid by knowing the red flags before disaster strikes, Cranston said.
“Being aware of the potential threats and preparing a swift and decisive response on how to deal with them can significantly reduce the overall impact of any potential future incident,” she said.
— Howard Altman is a freelance writer based in the US. To comment on this article or to suggest an idea for another article, contact Chris Baysden, an FM magazine associate director, at Chris.Baysden@aicpa-cima.com.