Date: 2023-03-06

Over the last three years, amid some of the most disruptive conditions ever experienced, a huge wave of malicious attacks began targeting the software supply chain. At a time when teams were already fighting to maintain business as usual, supply chain software attacks saw an average annual increase of 742%.

One reason these attacks proved so disruptive is that they scale so rapidly. By exploiting a vulnerability inside a key piece of software used by millions of companies around the world (SolarWinds, for example, is a hugely important part of many organizations' IT infrastructure), attackers can immediately compromise software further down the supply chain that depends on it.

But that alone doesn't account for the immense growth of these kinds of attacks. In reality, the rise of supply chain attacks comes down to two things. First, the increasingly distributed nature of software systems, composed of interlocking products and services, means that software supply chains are complex and diffuse; this gives attackers more potential points of entry. Second, the problem is compounded by the fact that increased complexity makes transparency immensely challenging: often the issue is either invisible or unacknowledged.

Given the potential impact of security breaches on reputation and revenue, taking security seriously is critical. But doing so today requires business leaders to go beyond the mindset that views security as something static, a set of hires or IT assets to be ticked off a list. Instead, security needs to be seen as something dynamic that requires constant attention. In this article we'll outline what this means in practice, with the key lessons that should be drawn from the recent spate of disruptive supply chain attacks.