A Suggested New Year’s Resolution: Be Less Trusting
You can try to protect your loved ones against COVID-19 by maintaining a “bubble.” Unfortunately, bubbling isn’t an option when it comes to protecting your supply chain against another modern scourge: cyberattacks.
As a recent blog noted, there are just too many moving parts and unknowns involved, which is what makes organizations vulnerable to breaches such as last year’s SolarWinds Orion attack.
“Working with numerous third-party vendors is an inevitable part of doing business, but it also creates security blind spots that can become dangerous,” said software company CyberArk in its blog. “To protect themselves, many companies and government agencies are embracing ‘zero trust’ models in which they trust nothing and verify everything. But as vendor ecosystems grow in size and complexity, a hard and fast ‘trust nothing’ strategy down the supply chain can quickly inhibit business operations and slow innovation. A successful security strategy must be both realistic and sustainable.”
CyberArk listed four best practices that could help protect your operations:
- Protect privileged access — “Identifying and managing privileged access is paramount to disrupting the attack chain — regardless of whether the attacker infiltrated the environment via the supply chain or by other means — and maximizing risk mitigation,” CyberArk blogged.
- Embrace a defense-in-depth approach — CyberArk explained this calls for “multiple layers of security, such as endpoint detection and response, next-gen antivirus, strong privileged access management and application and OS patching.”
- Consistently enforce least privilege everywhere — Give users the minimum levels of access needed to perform their job functions.
- Monitor for privileged credential theft — This will allow you to “more easily spot suspicious behavior and patterns indicative of credential theft and better understand what critical assets are being targeted.”
“The supply chain represents a critical attack vector,” CyberArk noted. “However, by leading with an ‘assume breach’ mindset and securing access to sensitive data and systems, organizations can make it significantly more difficult for attackers to accomplish their end goals.”