The pandemic saw a marked rise in supply chain cyberattacks that wreaked havoc on many companies’ operations. Andrew Woodhouse, CIO of UK-based RealVNC, spoke with StrategicCIO360 about how information chiefs can best minimize the fallout from such attacks, the importance of white box audits and why transparency is the best policy.
What can CIOs do to mitigate potential exposure to supply chain cyberattacks?
CIOs must ensure the software and tools they use are as secure as possible. The reality is that modern software is complicated and is made up of a number of components, including open-source libraries. Because software has such a high complexity level, it’s important to be aware of the potential vulnerabilities so you’re not unknowingly compromising your software.
For critical software—particularly software on the internet—vendors should be able to back up their claims of security and, ideally, be able to provide a software bill of materials, which would highlight if any known vulnerable libraries or dependencies are in use. Modern SCA tooling can provide summary reports detailing this and ideally your vendor should be transparent about this. Vendors able to show ISO27001 certification, an international standard on how to manage information security, also prove that as a business they are managing—and mitigating—risk.
If customers don’t know how secure a product is, they could end up blindsided by security threats. How can vendors prove the security of the products they’re providing?
Reaching out to respected and trusted third-party security specialists to have the source code audited—often referred to as a “white box” audit—will help improve your product and give customers confidence in deploying your software.
Commissioning these audits not only helps the vendor identify what areas need improvement internally, but also provides third-party credibility so customers don’t need to solely trust the vendor’s security claims. It shows that the company is transparent and is always working to improve its security posture. Since software is continually evolving, these audits should be performed regularly.
Everyone needs to be in the mindset that they’re responsible for security. What can a CIO do to help spread this awareness?
The number one way to prevent security issues in an organization is to educate your staff, perform regular training to keep them informed of security threats, perform phishing and malware simulations, and conduct additional training as required for those who need it. A comprehensive set of InfoSec policies is super important—InfoSec standards like ISO27001 provide a great framework for managing InfoSec risk.
It’s also important to realize that your third-party vendors—regardless of the services they are providing—also need to be as secure as you are as an organization, and so it’s important to assess their security posture regularly.
Organizations are using third-party software more often now, which can pose a real risk. How can CIOs mitigate the risks of allowing their employees to use these types of software?
Ideally, user endpoints would be locked down to prevent users from installing and using potentially unsafe software that hasn’t been approved by the IT team. However, in today’s world this is difficult, particularly with BYOD and remote working, where the device or the network isn’t managed by the organization.
As such, in addition to technical measures such as not giving users admin access on their machine and performing audits of installed software, staff education is really very important so that they are cognizant of the risks—and know the process for requesting software. Again, InfoSec policy frameworks like ISO27001 can also help here.