An Ounce of Prevention Beats a Pound of Postmortem with Supply Chain Security

Supply chain security is all about protecting your organization from risks and threats that come from external parties and processes you rely on. But trust, like code, is a dependency. And risk? That’s a side effect.

Case in point: this month, a widely used GitHub Action, tj-actions/changed-files, was compromised, proving that when the Git hits the fan, it can blow secrets across thousands of repos (CVE-2025-30066). It was a textbook case of a supply chain attack: a legitimate, trusted tool hijacked and used to compromise downstream users. 

Now, don’t get me wrong, we all love GitHub and a secure CI/CD pipeline. But when attackers injected malicious code into the action, stealing secrets like personal access tokens, npm tokens, and private RSA keys from affected CI/CD pipelines, over 23,000 repositories were exposed to cyber risk.  

This wasn’t a breach caused by a missed patch or weak password - it was a breach of inherited trust. It highlights a pressing truth: supply chain security isn’t just a technical problem. It’s a cultural one. It demands dynamic cyber resilience.

And I know you’re tired of hearing about SolarWinds, Logs4Shell, and Kaseya. But it’s not just your security at stake – it’s everyone you rely on and everyone who relies on you. Even right now, we are watching The Biggest Supply Chain Hack Of 2025: 6M Records Exfiltrated from Oracle Cloud affecting over 140k Tenants 🙀

That’s why dependency monitoring, minimal permissions, and source validation are critical to securing your supply chain.

In today’s software-driven world, trust is embedded in every layer of how we build and ship technology. We trust the tools, the teams, the platforms, the packages. To mitigate risks effectively, we need a clear understanding of them. Let’s explore approaching this with Immersive. 

Third-party risk management

• Business stakeholder lens: Procurement and vendor management teams must understand that security isn't just a checkbox during onboarding. Ongoing third-party risk reviews and SLAs with teeth are essential. Security leaders should train these teams to ask the right questions and recognize red flags.
• Risk
• ISO 28000 – Security Management Systems for Supply Chains
• NIST 800-53: Ep.20 – Supply Chain Risk Management
• Technical stakeholder lens: Security teams must know how to evaluate vendor security postures, monitor for changes, and validate that data flows are compliant and secure. Training should focus on threat modeling integrations and validating trust assumptions in vendor tooling.
• Secure Fundamentals: Security Patching
• Mobile Application Security Fundamentals: Inadequate Supply Chain Security

Software supply chain

• Business stakeholder lens: Non-technical leaders should understand that open source and third-party code aren't free – they come with ongoing maintenance, monitoring, and potential exposure. Funding and prioritization decisions should reflect this risk.
• NCSC Cloud Security: Ep.9 – Supply Chain Security
• Stack Overflow 
• Secure Fundamentals: Least Privileges
• Introducing the Cyber Kill Chain
• Technical stakeholder lens: Developers and AppSec teams need to understand transitive dependencies (a.k.a. shadow dependencies), know how to interpret Software Bill of Materials (SBOMs), and be trained to look beyond their own code. CI/CD workflows must be hardened, with guardrails baked into the process.
• CVE-2024-3094 (xz) – Supply Chain Compromise
• Events & Breaches: Monero Wallet Supply Chain Compromise
• Sunburst Supply Chain Compromise Collection

Hardware and physical supply chain

• Business stakeholder lens: Especially in regulated or critical industries, leaders must ensure that logistics and sourcing teams are trained to recognize risks around counterfeit or tampered hardware.
• Business Continuity 101 
• NIST 800-53: Ep.11 – Physical and Environmental Protection
• IST 800-53: Ep.1 – Access Control
• Technical stakeholder lens: IT and SecOps teams should be trained on verifying hardware provenance, firmware integrity, and secure provisioning practices. This is often an overlooked area in cyber training programs.
• IoT & Embedded Devices: Supply Chain Hardware Tampering

Data handling in the chain

• Business stakeholder lens: Legal and compliance teams must understand how data moves across vendors and jurisdictions. Training should focus on recognizing data sovereignty issues, breach notification responsibilities, and contractual risks.
• Compliance 
• Data Handling 
• Secure Fundamentals: The CIA Triad
• Secure Data Handling
• Technical stakeholder lens: Data engineers, architects, and security teams should be trained on protecting data in transit and at rest, especially when working with third-party platforms or integrations. Zero trust principles also apply.
• OWASP 2021: Ep.8 – Software and Data Integrity Failures
• Modern Encryption

Operational resilience

• Business stakeholder lens: Executives and business continuity teams must recognize that vendor outages or upstream compromises can impact downstream. Tabletop exercises should incorporate supply chain attack scenarios.
• Recommended reading: 
• House of cards: surviving a supply chain attack
• Labs: 
• Cyber for Board Members: Ep.8 – Supply Chains
• Cyber for Executives: Ep.7 – Supply Chain Security
• NIST 800-53: Ep.6 – Contingency Planning
• NIST 800-53: Ep.8 – Incident Response
• Technical stakeholder lens: Incident response and engineering teams should be trained to detect and contain incidents involving third parties. This includes monitoring dependencies, rotating credentials, and updating playbooks for modern attack chains.
• No Labs this time! Exercising becomes critical: 
• Cyber Training Essentials for Supply Chain Resilience
• Supply Chain: Template for Technical Teams 

You may not cause the vulnerability, but you'll own the breach.

You can’t wait until the postmortem to start training your teams to see beyond the perimeter. A resilient cyber culture ensures that your people are ready to respond when trust is compromised.  

Supply chain security is a shared responsibility, but it starts with recognition and increasing cultural buy-in. 

At the end of the day, an ounce of prevention beats a pound of postmortem. 

Share your thoughts

Did you learn anything surprising about the interconnectedness of supply chain risks? What do you think is the biggest hurdle to strong supply chain security? Share a practical tip or strategy that worked for you!

Big thanks to ZacharyAbrams for assisting with content reviews and recommendations in today’s blog!  Want laser-focused recommendations for your unique program needs? Chat with your CSM about Premium Support to work with legends like Zack!  

Get updates in your inbox on posts like this by following the Human Connection Blog!