Password management vendor LastPass wants organisations to take urgent action to deal with supply chain vulnerabilities. It says that supply chain attacks and ransomware are ongoing threats that show no sign of abating.
Dan DeMichele, Vice President of Product at LastPass, said, “Supply chains are an easy and highly rewarding target for hackers. The most recent Lapsus$ attacks are a prime example as supply chain breach fears grow, not to mention the catastrophic attacks on Colonial Pipeline, SolarWinds, and Microsoft Exchange over the past few years.
“Businesses are in a vulnerable state, and it serves as a strong reminder of why managing cyber supply chain risks is essential to securing organisations and their networks effectively. We must also remember that the risk is not singular and other organisations within your ecosystem are also vulnerable. As we always say, prevention is better than cure.”
What does LastPass want companies to do?
LastPass has a set of five things that companies can do to improve supply chain security. They include:
- Enforcing good security hygiene
- Planning for the worst
- Educating employees on best password techniques
- Installing multifactor authentication (MFA) to improve security
- Adopting a business password management solution
All these make sense and are generally actions that most organisations are already employing. The one exception to that list is MFA which is still not universally used. One reason is that many organisations, especially SMEs, still lack the skills to incorporate MFA into their security. However, there are third-party solutions that can add this if required. Fortunately, as they move to cloud-based apps, MFA is becoming more common.
Missing from this list is a suggestion that companies should be working toward a passwordless future. Given the recent announcement from LastPass around its work in that area, it is a surprising omission.
There is another view on supply chain security. It is not just about an organisation’s internal security. Much depends on that of its supply chain partners. To improve supply chain security more widely, there is a need for organisations to collaborate on solutions. One way is for larger organisations to help smaller partners improve security. This is not about a tickbox exercise or questionnaires but real practical help.
Enterprise Times: What does this mean?
Supply chain attacks are many-faceted. The entry point could be a partner, a customer, a supplier, or a mix of all three. That makes defending against supply chain attacks particularly complex. At its simplest level, an organisation needs to harden its own security. As it looks at the wider supply chain, it needs to decide what it can influence and improve and what it can’t.
Many of the supply chain attacks that grab the headlines are those involving outsourced functionality. What should be discussed just as openly are those attacks that come through traditional channels. We know about BEC and phishing attacks. These require better awareness training of staff, supported by technical solutions.
We don’t hear much about those attacks where a smaller partner is compromised, and the attackers traverse the connections between companies. Such attacks are hard to spot and not always easy to defend against.
At the same time, as we increasingly make those connections through APIs, such attacks can escalate very quickly. However, even those attacks require authentication at some level. Therefore, it is right for LastPass to call out the wider supply chain threat. Securing those authentication mechanisms is not easy. It will be interesting to see if LastPass looks to address some of those risks in the future.