Supply Chain Hits Cybersecurity Hard

• By Greg Yarrington
• Feb 07, 2022

The unpredictable shortage of goods because of pandemic-triggered supply chain problems is broad: plastic cup lids, woodworking tools, paper goods, and lumber, to name a few.

Not to mention computer chips, the lack of which have put many production lines out of whack. Try to buy a new automobile at all, let alone one with some of the features you might want.

“Automotive manufacturers are releasing vehicles with fewer features due to the shortage of chips,” says Nuspire chief security officer J.R. Cunningham. “Cellphone charging pads, infotainment systems, and even heated seats in cars are being pulled away as options in to conserve chips so cars being sold are still drivable with that minimum level of functionality, without the bells and whistles.”

The same shortages are creating potential danger in the cybersecurity world, with stoppages creating opportunities for criminals and shortages making it harder for companies and service firms to shore up online defenses and refresh critical hardware.

Criminals watching
Companies are under surveillance as criminals see disruptions as providing advantages.

“You have a lot of ships that are sitting at sea with unpredictable lead times,” Cunningham says. “It is a ripe opportunity for attackers, especially the Russians, the Iranians, and the Chinese threat actors, who really like to break stuff in the United States and will take advantage of such situations”

In addition, pandemic-induced changes in the nature of how companies conduct business and where people work and study have provided additional opportunities to cybercriminals and state actors.

According to data from the Bureau of Labor Statistics, 17.5 million people, 11.3% of the entire workforce, worked from home in November 2021 completely due to the pandemic—down from the 48.7 million teleworking in May 2020, but still a big number. Other government data has suggested that prior to the pandemic, 13% of wage and salary workers had telework arrangements. There may be some overlap, but upwards of a quarter of the workforce might still be working from home at least part of the time, and that doesn’t account for people who cannot for various reasons work remotely.

"Covid really didn’t change anybody’s security strategy, it just drastically accelerated it—things like remote work and endpoint security, endpoint vulnerability management, and better remote connectivity, these things were already pretty much on everyone’s roadmap,” Cunningham adds.

Companies found themselves rapidly changing how they worked, which meant a sudden need to beef up cybersecurity capabilities to protect the entire enterprise, from remote endpoints to on-premises equipment and networks as well as cloud capabilities.

Supply chain double whammy
Here is where supply chain problems add a second challenge to cybersecurity. Expanded needs means upgrades to both software and hardware. Shortages of chips and other materials have an impact on product availability. Labor shortages anywhere along the supply chain affect arrival times, which can scuttle implementation schedules and plans.

“It really puts us kind of in a bind because we can’t project when things are going to get completed and we can’t move forward with technology refreshes, which exposes our clients and us in terms of using equipment and software that’s more vulnerable to the bad guys,” says Cunningham. “We have to make tradeoffs and any refresh or upgrade may be impacted months, depending on the piece of equipment that needs to be refreshed, so that’s the biggest impact.”

It’s not as though any service providers are in better shape because the issues transcend individual companies. “We talk to all our colleagues and others,” Yarrington says. “Everyone’s trying to figure out a way to manage through it and maneuver it, across the board. You can get lucky in certain spots with certain product lines, but eventually, you'll get delayed by 30 or 60 days or so. It’s universal.”

The situation is far worse for in-house efforts at corporations.

“I can’t tell you how many datacenters I have walked in and seen crusty old servers and firewalls, and network devices that are a decade-and-a-half old,” Cunningham says. “That’s not acceptable in today’s world because the bad guys can sniff that old technology out successfully, so if you're not going to be in the infrastructure business and keep stuff up to date, and you're in a situation now where you woke up and your firewall is end-of-life, you should leverage a third-party provider or the cloud to handle that for you.”

Why a service provider can help
Even though service providers have felt the impact of supply chain problems, they are likely in better shape to manage them, and for their clients, for two major reasons.

One is that they’re hyper aware of security issues—far more so than many corporations, which may be behind in normal maintenance and upgrading. Firms are more active in updating security at critical points, whether network equipment, servers, or endpoints. Companies are more likely to have let things go, falling further behind than the service firms are, and so with more ground to make up.

The second is that the entire firm is focused on providing security. Even during the extended supply chain issue, if they have equipment that needs updating but waiting on shipments, personnel can pay more attention to keep it safe and secure. Such firms are more likely able to keep not just themselves save, but their clients as well.