The Importance of Supply Chain Security

From Security for Everyone, edition e1.0.0

Updated October 9, 2023

Supply chain attacks are on the rise. Incidents like the 2020 compromise of security solutions provider SolarWinds illustrate the complexity and severity of these attacks. In this incident, attackers were able to compromise a security software platform developed by SolarWinds and use it to distribute malicious software to the company's customers. Approximately 18K SolarWinds customers globally are believed to have been infected and compromised as a result, including national government organizations as well as Fortune 500 companies.

Remember that, like most people, attackers are lazy and looking for the most effective ways to compromise the most targets. Supply chain attacks can provide an economy of scale for these criminals, who are able to invest once in their attack and compromise many companies as a result.

Due diligence helps us to systematically verify supply chain security and gives us confidence that our security will not be compromised as a result of a supplier relationship. While this assessment can never completely remove the risk of a supply chain attack, it helps your organization understand where it has vulnerability and risk outside of its immediate control, and gives you an opportunity to plan for and manage this risk.

Due Diligence After Incidents

Due diligence can be useful after incidents and compromise.

I’m sure we would all agree that identifying and addressing security risks upfront is the preferred option; however, there is no such thing as 100% secure, and breaches happen with increasing frequency.

When a breach occurs, due diligence evidence is often reviewed as part of the investigation or post-mortem process. The aim of this review is to determine whether anything could have been done differently to identify or prevent the breach. In the case of compliance regimes such as PCI DSS, this check is part of their process for understanding which organization is at fault and liable for any damages that occur.
