If the cyberattacks of the last few weeks (e.g., DarkSide’s attack on Colonial Pipeline) have taught us anything, it’s that the security decisions made when software is built and bought are of the utmost consequence. Whether you’re the customer or the product developer, cybersecurity must be central to the conversation.
This is because vulnerabilities can often be found somewhere along the supply chain: when a company or supplier connected to the system being developed has not shored up its own security, everyone downstream who depends on its code or services inherits that exposure. And according to Keri Pearlson, Executive Director of MIT’s Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity, (IC)3, and MIT Sloan Professor Stuart Madnick, “No one wants to be the next headline about an insecure supply chain vulnerability exploitation.”
The pair made the observation in the Harvard Business Review article “Is Third-Party Software Leaving You Vulnerable to Cyberattacks?,” co-authored by Keman Huang, an Associate Professor at the Renmin University of China and a Research Affiliate at the MIT Sloan School of Management. In the piece, the research team addresses the level of priority that must be given to cybersecurity these days while offering several suggestions for strengthening the supply chain.
Avoid the add-on
It’s common for software developers to offer products with very specific selling points, including functionality feature sets and speed-to-market options. However, cybersecurity often is not among the attributes touted and becomes a secondary consideration. This can be to both the developer’s and customer’s detriment.
“Despite lip service to security, many software development processes do not prioritize security at the conception stage,” write the authors, who studied three large global companies and the cybersecurity efforts of their product development teams. “Instead, security is considered when vulnerabilities are discovered, and that can be costly. A more troubling approach shared with us was that sometimes leaders thought they needed to get a product out fast, even if vulnerable, to remain viable in the market. They decided to release offerings with known security issues, or with temporary solutions and workarounds, to get the product to market. The risk of the vulnerability being exploited is considered low, but the cost to fix it later can be very high.”
Retrofitting cybersecurity into a product is costly in both time and money: the bill comes as direct spending, schedule delays and, in some cases, complete redesigns. Often there is no simple fix, and the process drags on while issues are identified and corrected.
This experience is leading many corporate customers to vet their software purchases more thoroughly. They are asking the questions that need to be asked before making a selection, and they are asking for proof that not only the software development teams but also the vendors along the supply chain used to build the product treat cybersecurity as a priority.
Secure your supply chain
So how do you gather the information you need to feel confident in your third-party software purchases? In addition to having development teams fill out security questionnaires or commissioning independent security testing, Pearlson, Madnick and Huang recommend taking the following steps:
- Select software products that are designed and built with cybersecurity in mind instead of as an afterthought. It should be promoted as a main feature, and the provider should be able to offer proof that vendors and suppliers also have taken cybersecurity into account on their end of the process.
- If your company is developing software, ensure that the product designers understand the importance of cybersecurity and plan to include it in the finished product. Communication is key at the earliest development stages, and the designers need to know what customers expect in terms of security.
- As a customer, look for companies that have trained their product designers in basic cybersecurity knowledge. While team members do not need to be experts, they should be up to date on the latest news and understand how to make trade-offs when designing digital products. They also should know how to access more extensive expertise when necessary. As a developer, work tirelessly to create this type of team for the benefit of your customers.
- When on the development side, have an open dialogue with all vendors along the supply chain to learn more about the security of their products and offerings. When you show a commitment to security on your end, it will instill confidence and a sense of trust among your ultimate customers.
“If you think you’re not at risk for this kind of [cyber]attack because your company doesn’t have information or connections hackers could exploit, your vendors have assured you that their systems are secure, your customers have validated that your systems are acceptable, or you haven’t discovered vulnerabilities, you are exactly the target hackers seek when they perpetuate the next attack,” the research team explains. That’s why it’s critical for everyone involved in the software purchase—from the developer to the customer—to cover every base possible and close any security holes along the way.
----------
To shore up your own cybersecurity efforts, be sure to consider Madnick and Pearlson’s courses, Cybersecurity Leadership for Non-Technical Executives and Cybersecurity for Managers: A Playbook, designed to provide you with a holistic approach and action plan for keeping your company secure.