Simple Steps to Securing Your Cyber Supply Chain

By Jennifer Schultz | Published February 02, 2022

The last two years in cybersecurity have been unprecedented. In 2020, there was the en masse transition to remote work as physical offices closed, and dining room tables and spare bedrooms became offices and classrooms. IT professionals were tasked with ensuring operations continued with minimal disruption. In 2021, little relief was found: ransomware incidents continued to make daily headlines, increasing in both frequency and severity, and critical vulnerabilities were discovered in widely used software and operating systems. On the heels of ransomware is the cyber supply chain attack. As organizations invest in protecting their networks, bad actors are gaining access to an organization’s network through a trusted partner.


What is a cyber supply chain attack?

A cyber supply chain is an organization’s digital ecosystem — essentially, all of the interconnected pieces of software and technology, internal and external, that drive the organization’s operations and produce its products. Each of these interconnected pieces has the potential to be a gateway for malware. What makes cyber supply chain attacks different from other malware attacks is that they gain access through trusted access points, so their activity appears normal. Recent examples of supply chain attacks are SolarWinds, Kaseya and the ongoing Log4Shell.


What are underwriters looking for?

Digital supply chain attacks are difficult to prevent entirely. However, as underwriters, we consider how organizations invest in the following cybersecurity areas:


1) Patching Discipline
What is the maximum timeframe from when a software patch is released to when it is applied to the organization’s system? Patching would apply to all software and not just the Windows Patch Tuesday cycle.
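The underwriter’s question above is a measurable number: for every patch the organization should have applied, how many days passed between the vendor’s release and deployment on each host, and what is the worst case? The script below is an added example, not code from the article or from CNA, that computes that figure over a small constructed patch inventory covering operating systems, applications and appliance firmware alike. The SLA thresholds per severity, the record layout and the sample hosts are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical SLA: maximum days allowed from vendor release to deployment, by
# patch severity. These values are an assumption for the example, not figures
# from the article; each organization sets its own.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


@dataclass
class PatchRecord:
    host: str
    software: str            # any software, not only the operating system
    severity: str            # key into SLA_DAYS
    released: date           # date the vendor published the patch
    applied: Optional[date]  # date it was deployed on this host; None if still missing


def patch_age(rec: PatchRecord, as_of: date) -> int:
    """Days from release to deployment, or to `as_of` if the patch is still missing.

    Counting a missing patch up to `as_of` keeps an unpatched host from looking
    compliant simply because no deployment date exists yet.
    """
    end = rec.applied if rec.applied is not None else as_of
    return (end - rec.released).days


def is_overdue(rec: PatchRecord, as_of: date) -> bool:
    """True if the patch took (or has so far taken) longer than its severity SLA."""
    return patch_age(rec, as_of) > SLA_DAYS[rec.severity]


def patch_report(records, as_of: date) -> dict:
    """Summarize patching discipline: worst-case timeframe and SLA breaches."""
    overdue = [r for r in records if is_overdue(r, as_of)]
    return {
        # The answer to "what is the maximum timeframe from release to applied?"
        "max_days_release_to_apply": max((patch_age(r, as_of) for r in records), default=0),
        "overdue_count": len(overdue),
        "overdue": [(r.host, r.software, patch_age(r, as_of)) for r in overdue],
        "unpatched_count": sum(1 for r in records if r.applied is None),
    }


# Constructed sample inventory; in practice these rows come from the asset
# inventory or patch-management tooling. Hostnames and dates are made up.
AS_OF = date(2022, 2, 1)
SAMPLE = [
    PatchRecord("fileserver01", "Windows Server", "critical", date(2022, 1, 11), date(2022, 1, 14)),
    PatchRecord("web01", "Log4j (in app server)", "critical", date(2021, 12, 10), date(2021, 12, 13)),
    PatchRecord("web02", "Log4j (in app server)", "critical", date(2021, 12, 10), None),
    PatchRecord("hr-laptop-07", "Office suite", "high", date(2022, 1, 11), date(2022, 1, 20)),
    PatchRecord("vpn-gw", "VPN appliance firmware", "high", date(2022, 1, 5), date(2022, 1, 31)),
    PatchRecord("kiosk03", "PDF reader", "low", date(2021, 11, 1), date(2022, 1, 28)),
]

if __name__ == "__main__":
    report = patch_report(SAMPLE, AS_OF)
    print(f"Max days from release to applied: {report['max_days_release_to_apply']}")
    print(f"Patches past SLA: {report['overdue_count']}, still missing: {report['unpatched_count']}")
    for host, software, days in report["overdue"]:
        print(f"  OVERDUE {host}: {software} ({days} days)")
```

On the constructed data the worst case is the low-severity PDF reader at 88 days (inside its 90-day SLA), while two records breach their SLA: the still-missing Log4j fix on web02 and the VPN firmware that took 26 days against a 14-day allowance. Reporting both the maximum and the per-severity breaches matters, because a single headline number can hide a critical patch that sat unapplied for weeks.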

2) Vendor Management
Who is connected to your organization’s network? What data and level of access does each vendor have? Why do they have the connection, and is it still necessary? How does their security posture compare to the applicant?
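The four vendor-management questions above translate directly into an access-review check: each connection in the register should have a documented purpose, a recent review, recent use, and no more access than the role needs. The script below is an added example, not code from the article or from CNA, that runs those checks over a small constructed vendor register. The 90-day review interval, the access-level names and the sample vendors are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumptions for the example: how often each vendor connection must be
# re-justified, and which access levels count as administrative.
REVIEW_INTERVAL_DAYS = 90
ADMIN_LEVELS = {"admin", "domain-admin"}


@dataclass
class VendorConnection:
    vendor: str
    method: str                    # e.g. site-to-site VPN, named vendor account, API integration
    access_level: str              # read-only, user, admin, domain-admin
    data_scope: str                # what data or systems the vendor can reach
    purpose: str                   # documented business reason; empty if none recorded
    last_reviewed: Optional[date]  # last time the connection was re-justified
    last_used: Optional[date]      # last observed activity (from logs); None if never seen


def _stale(when: Optional[date], as_of: date) -> bool:
    """True when a date is missing or older than the review interval."""
    return when is None or (as_of - when).days > REVIEW_INTERVAL_DAYS


def review_findings(conn: VendorConnection, as_of: date) -> List[str]:
    """Answer the vendor-management questions for one connection.

    Returns an empty list when the connection is documented, reviewed,
    in use and non-administrative.
    """
    findings = []
    if not conn.purpose.strip():
        findings.append("no documented business purpose")
    if _stale(conn.last_reviewed, as_of):
        findings.append("access review overdue")
    if _stale(conn.last_used, as_of):
        findings.append("dormant connection; confirm it is still necessary")
    if conn.access_level in ADMIN_LEVELS:
        findings.append("administrative access; confirm the role requires it")
    return findings


def vendor_register_report(connections, as_of: date) -> dict:
    """Map each vendor to its list of findings for the review meeting."""
    return {c.vendor: review_findings(c, as_of) for c in connections}


# Constructed sample register; vendor names, scopes and dates are made up.
AS_OF = date(2022, 2, 1)
REGISTER = [
    VendorConnection("PayrollCo", "site-to-site VPN", "read-only", "payroll export share",
                     "monthly payroll export", date(2022, 1, 10), date(2022, 1, 28)),
    VendorConnection("LegacyMSP", "named vendor account", "domain-admin", "all systems",
                     "", None, date(2021, 6, 15)),
    VendorConnection("HVAC Services", "site-to-site VPN", "user", "building management network",
                     "remote HVAC monitoring", date(2021, 9, 1), date(2022, 1, 30)),
]

if __name__ == "__main__":
    for vendor, findings in vendor_register_report(REGISTER, AS_OF).items():
        status = "; ".join(findings) if findings else "no findings"
        print(f"{vendor}: {status}")
```

On the constructed register the payroll vendor passes cleanly, the HVAC vendor only needs its periodic re-justification, and the former managed service provider trips every check: undocumented, never reviewed, unused for months and holding domain-level administrative access. That last profile is exactly the trusted-partner foothold the article warns about, and the fix is removal rather than another review.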

3) Authentication
Does the organization use multi-factor authentication, and to what extent? Authentication provides another layer of protection should a bad actor gain access to credentials.

4) Segmentation
Segmentation is all about reducing the attack surface as much as possible. Start by operating on a principle of least privilege. An organization that allows administrative access as a default poses a higher risk than one that grants access only so far as the role or project requires.

5) Detection and Response
Because supply chain attacks are challenging to prevent, it’s important to focus on enabling quick detection and response.

  • Endpoint Detection and Response (EDR) — Endpoint Detection and Response software monitors and responds to threats as they occur. Anti-virus software is based on known threats, whereas EDR has the ability to recognize abnormal behaviour.
  • Penetration tests and vulnerability scans — How frequently are tests and scans conducted? Vulnerability scans look for known vulnerabilities, while penetration tests look to actively exploit weaknesses in the network.
  • Contingency plans — Having thoroughly developed and regularly tested incident response plans, disaster recovery plans and continuity plans can help minimize the impact of an attack, coordinate the responsibilities of an organization and lessen the downtime. The best plans are regularly updated to reflect the current threat environment. Organizations should consider revisiting their plans to include supply chain attacks.


There are no signs of cyber supply chain attacks slowing down. Along with ransomware, supply chain attacks are expected to increase fourfold. Exercising discipline and focusing on the above cybersecurity areas can help organizations manage risk within their cyber supply chain. The ownership of securing digital ecosystems to reduce the risk of potential events belongs to each individual and layer within the organization.



A blog created for Canada.

Reference: Eric Edwards, 3 Key Steps to Protecting Against Cyber Supply Chain Attacks. [Blog Post]

In Canada, products and/or services described are provided by Continental Casualty Company, a CNA property/casualty insurance company. The information is intended to present a general overview for illustrative purposes only. Read CNA’s General Disclaimer.

Jennifer Schultz
Senior Underwriter, Cyber and Professional Liability – Specialty

Jennifer began her insurance career in 1995 working for an independent adjusting firm. Working with personal and commercial lines provided valuable experience when she transitioned to broking in 2004. Working for an international brokerage firm, she handled diverse and complex risks in casualty, management liability and professional liability lines of business. Joining CNA in 2018, Jennifer is a Senior Underwriter for Professional Liability and Cyber with a focus on Western Canada.