Hackers don’t always come knocking at the front door.
Many organisations are unwittingly leaving a virtual welcome mat with a key beneath it at access points across their supply chain. A lack of visibility in an organisation’s supply chain can leave vulnerable entry points exposed for bad actors and open an organisation up to unnecessary risk.
One of the most prolific attacks in 2024, for example, was on the NHS when cyber criminals targeted its pathology services provider Synnovis, resulting in over 1,000 NHS operations postponed in the weeks that followed. Examples like this are becoming increasingly common. In fact, it’s predicted that nearly half of organisations worldwide will have experienced attacks on their software supply chains by 2025.
Without a unified approach to identity security in place – one with visibility across all identities, whether employee, third-party or machine – organisations can face disastrous consequences. Protecting the business from cybercriminals should be a top priority for IT and business leaders, especially as the number of threats facing UK organisations grows in scale and severity. It’s for this reason that stringent control over who has access to what is essential – no matter where on the supply chain the identity falls.
“Knock, knock” – Who’s there? A complex web of identities
It’s easy to fathom that businesses are made up of full-time and part-time employees. But with the rise of the gig economy in recent years, non-employees such as freelancers, contractors and temporary workers now play a regular role in everyday business operations. To avoid gaps in cyber security posture, organisations must take action in order to fully recognise the non-employees in their supply chain.
Moreover, it’s not just human identities that companies need to consider. With the rise of AI, companies are dealing with an explosion of machine identities, such as software bots and robotic process automation. In fact, SailPoint research shows that nearly seven in ten companies (69%) now manage more machine identities than human identities, with 57% admitting that a machine identity has been granted inappropriate access to sensitive data. Without proper oversight of who can access what, when, why and for how long, securing the organisation and its wider supply chain becomes nearly impossible.
Overprovisioned access: a hidden threat
As organisations grapple with these increasingly complex identity structures, managing and securing access to applications and data has become more challenging. The explosion of unstructured data, such as spreadsheets, emails, and multimedia files, further complicates visibility and ownership, often resulting in excessive access permissions that create vulnerabilities. These permissions make it easier for cybercriminals to exploit weaknesses.
Our research shows that nearly four in five have experienced security issues due to improper access. The rapid growth of identities and data has led organisations to prioritise ease of internal access over security, resulting in overprovisioned identities. This overprovisioning enables attackers to move laterally through networks undetected, gaining access to a wide range of data, which they can encrypt or steal.
Hackers crashing the party
There are plenty of high-profile attacks that demonstrate how hackers use the supply chain to access their target organisation. One of the most notable attacks on a supply chain was on SolarWinds, where hackers deployed malicious code into its IT monitoring and management software, enabling them to reach other companies within the supply chain. Once hackers were inside, they were able to compromise data, networks and systems of thousands of public and private organisations. This included spying on government agencies, in what became a major breach of national security.
Government departments noticed that sensitive emails were missing from their systems and major private companies such as Microsoft, Intel, and Deloitte were also affected. With internal workings exposed, hackers could also gain access to data and networks of customers and partners of those originally affected, allowing the attack to spiral in impact and affect thousands of organisations.
Visibility is key to guarding against future attacks – without it an organisation can’t effectively or reliably identify suspicious activity. In 2023, on average, breaches were identified 204 days (over 6 months) after the event. Put into perspective, the amount of damage a cyber intruder could cause in that time is unfathomable. Security teams must deploy a multi-layered arsenal of tools and tactics to cover their bases and should provision identities with only as much access as is absolutely necessary.
AI and ML in the arsenal
Tools empowered with AI and machine learning are essential in today’s digital landscape. Employees, non-employees and machines all need to be vetted with such tools – outdated manual processes just won’t cut the mustard when it comes to the vast number of identities that need protecting against fast-evolving cyber threats.
AI and machine learning can provide advanced threat detection when implemented as part of an identity security solution. Tools empowered with these technologies allow organisations to analyse huge amounts of data at speed – identifying patterns synonymous with potential threat activity. By automating the process of access permissions, organisations can ensure that employees as well as non-employees only have access to the resources they require for their role. We’re already seeing the benefits of this approach, with 83% of organisations reporting fewer identity-related security issues due to their security investments in 2023, according to our findings.
The dream team: Humans and technology
Identity security can also enable better collaboration across the business, such as between HR and IT. For example, HR, responsible for recruitment needs and people entering and exiting the organisation, must work carefully with IT to verify people are who they say they are and implement clear processes to ensure communication is consistently maintained. By sharing the details of all users who can access systems – employees as well as freelancers, contractors and other third-party workers – IT can actively control access rights, ensuring none of these identities slip through the cracks.
In addition to actively monitoring and communicating with one another, HR and IT departments should have automated processes in place to regularly monitor and review access privileges. By utilising automation to assess the cybersecurity practices of third parties, HR can ensure they have the most accurate information before giving IT the green light to grant access to organisational systems. By incorporating background checks, security clearances, or certifications as part of the due diligence process, organisations can better fortify themselves.
Today’s enterprises can’t afford to just keep their own house in order – they need to make sure their supply chain is protected as well. This means gaining better visibility and control across all identities that fall within their ecosystem – a challenge that will only grow more complex as the volume, variety and velocity of identities continues to increase. Through tools empowered by AI and machine learning, employees will be equipped with the resources they need to execute a thorough identity security approach and defend against threat actors. No more keys under mats – it’s cyber lock boxes from now on.
About the Author
Steve Bradford is Senior Vice President EMEA at SailPoint. SailPoint equips the modern enterprise to seamlessly manage and secure access to applications and data through the lens of identity – at speed and scale. As a category leader, we continuously reinvent identity security as the foundation of the secure enterprise. SailPoint delivers a unified, intelligent, extensible platform built to defend against today’s dynamic, identity-centric cyber threats while enhancing productivity and efficiency. SailPoint helps many of the world’s most complex, sophisticated enterprises create a secure technology ecosystem that fuels business transformation.