skip to navigation skip to content
Search

News

 

Protective measures

Three steps can help firms address vulnerabilities that can lead to supply chain cyberattacks, says a Harvard Business Review article from the Centre for Risk Studies at Cambridge Judge Business School.

3D cyber security concept showing padlocks within a hexagon grid.

Companies should take three steps to address vulnerabilities that can lead to supply chain cyberattacks, says a new Harvard Business Review article by researchers at the Centre for Risk Studies at Cambridge Judge Business School.

Most software products rely on prewritten third-party software supply chain components produced by vendors or taken from open source libraries, and if attacked by cyber criminals this could compromise thousands or even millions of firms worldwide, the authors say.

The article entitled “Three strategies to secure your digital supply chain” therefore calls on corporate leaders and IT teams to take these steps:

  1. Rely on automated tools to correct vulnerabilities, which is often as simple as accepting an automated patch.
  2. Conduct cost-benefit analysis for vulnerability patching, because “not all vulnerabilities are created equal”. Easily exploitable vulnerabilities must be quickly fixed, while the less urgent can wait for scheduled updates.
  3. Demand that vendors implement ‘hot patching’ systems, which enables the procuring firm to deploy patches without rebooting their software. This is particularly important for industrial control system and other vital networks.

The authors conclude that these three measures will not protect against all software supply chain risks, yet they can repel the majority of attacks. “Businesses don’t need to feel powerless — they can manage this risk.”

The article is co-authored by Kiran Sridhar, Risk Researcher at the Centre for Risk Studies at Cambridge Judge; Daniel Ralph, Professor of Operations Research at Cambridge Judge and Academic Director of the Centre for Risk Studies; and Jennifer Copic, Senior Risk Researcher at the Centre for Risk Studies.