Essential strategies for mitigating third-party risk
Supply chain attacks – those in which a hacker infiltrates one component of a supply chain and uses it to compromise the security of any other entities involved – have become a major cyber-threat facing organisations.
This is not only because the number of attacks is rising, but also because of the amount of damage these attacks can cause, with any breach having the potential to impact every party on the chain.
For example, a breach of MOVEit software earlier this year affected the likes of the BBC and British Airways. In September, Greater Manchester Police (GMP) officers’ names were put at risk as the result of a ransomware attack on a small supplier.
And probably the most prominent example is the 2020 SolarWinds attack, when hackers gained access to the networks, systems and data of thousands of SolarWinds customers across enterprises, government departments and, ironically, FireEye – a major cyber-security and breach remediation vendor.
Yet, despite the severity of these attacks, it is an area of security that is often overlooked. In the most recent cyber-security breaches survey, it was found that just over one in ten (13%) businesses review the risks posed by their immediate suppliers, and even fewer review the risks of the wider supply chain (8%). This indicates that, while the threat of a supply chain attack continues to grow, it still isn’t being fully acknowledged by companies and their leadership teams.
For the more closely regulated industries, such as telecoms and finance, new mandates are being put in place to govern this. Both the Telecommunications (Security) Act and the EU’s DORA now contain stipulations requiring organisations to identify, disclose and reduce the risk of working with third-party suppliers.
For other industries, where these requirements may not yet be in place, the need to act is still there. Not only do organisations need to protect their own assets, but they have a responsibility to protect others in their chain as well, or risk a breach that prevents them from being able to conduct business with their customers and suppliers.
Understanding the risk
Today’s digital supply chains have become longer and increasingly complex, with more SaaS solutions and cloud services being used than ever before. While these digital pathways have unlocked efficiencies, they also increase vulnerabilities, with every integration introducing a new potential point of attack. To mitigate the risk of a supply chain attack, it is crucial to understand where the threat lies.
One common oversight by companies is underestimating the risks associated with regular software updates, which, although intended to fix known vulnerabilities, could potentially serve as a vessel for malware introduction. The SolarWinds hack stands as a stark testament to this, with what was thought to be a routine software update causing the monumental security breach.
Factor in tools that require API access to pivotal systems like Customer Relationship Management (CRM) or accounting software, and suddenly you find yourself in a situation where any breach could unleash a domino effect of catastrophic data loss and operational disruptions.
This risk is further magnified with every new vendor or service provider introduced to the chain. However robust a company’s own security protocols are, a lax security posture at a third-party supplier can unwittingly create a gateway for cyber-attackers and offer access to multiple companies’ data and systems.
There is also the threat of criminals posing as trusted clients and suppliers and sending deceptive emails. These may not always contain malware or links to a malicious website, but can instead request that the recipient takes an action, such as authorising a payment or sharing access to a system and its data.
These schemes, while simple in their nature, can have damaging consequences for the recipient company, not to mention the potential to cause a great deal of distress for any individual deceived into action.
Strengthening supply chain security
Reducing these multifaceted threats requires a multi-layered approach. Supply chains must be scrutinised, and businesses need to acknowledge both the inherent and the emerging risks. This includes recognising that even routine, seemingly secure processes carry potential threats.
Fortunately, there are several steps businesses can take to help protect their supply chains:
- Education and awareness: Organisations should provide their staff with ongoing cyber awareness training, helping them to spot and thwart deceptive interactions, be they with trusted entities or otherwise.
- Ongoing security audits: Rigorous and frequent security audits, especially before integrating any third party, have become essential. They serve not only to protect a company’s own assets, but also to demonstrate its security measures to others, with organisations that handle sensitive data increasingly demanding proof of accreditation and evidence of penetration (pen) testing from their suppliers. Pen tests are a crucial part of testing an organisation’s security infrastructure and should be run, at the very least, annually.
- Continuous monitoring and regular updates: Establishing an unbroken monitoring mechanism for every component of the supply chain, paired with regular updates of security protocols and software, helps in maintaining a secure operational environment.
- Collaboration and threat sharing: Facilitating information sharing about potential threats within the industry fosters collective threat awareness and fortification. When sectors share insights on encountered threats, they collectively enhance their defensive postures.
- Introducing robust access control tools: Employing robust access tools, such as Zero Trust Network Access (ZTNA), strengthens supply chain security by ensuring third-party access to systems and data is meticulously controlled, authenticated, and restricted only to required resources and durations.
- Email domain visibility: Maintaining visibility of your public-facing email domain and those within your supply chain reduces the potential for spoofing and allows quick identification of impersonation attempts.
- Thorough testing of patches: Before deployment in the live environment, patches and software updates should be scrutinised in a controlled setting to ensure they do not introduce new vulnerabilities.
- Accepting and preparing for risks: Understanding and preparing for the inherent risks of digital transformation is critical. A breach in your hosting provider, even if it doesn’t directly target your company, can still lead to a loss of your data – as evidenced in the recent CloudNordic and AzeroCloud hack.
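As an added example that is not part of the original article, the following Python script illustrates the "email domain visibility" point above: it checks the SPF and DMARC posture of your own domain and of supplier domains and flags those that could be spoofed without being blocked or reported. The domain names and DNS TXT records are constructed sample data; in practice they would be fetched with a DNS resolver.

```python
import re
from typing import Dict, List

# Constructed sample DNS TXT records for hypothetical domains (not real suppliers).
# Live data would come from a resolver, e.g. dnspython's dns.resolver.resolve(name, "TXT").
SAMPLE_TXT: Dict[str, List[str]] = {
    "example-supplier.test": ["v=spf1 include:_spf.example.test -all"],
    "_dmarc.example-supplier.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-supplier.test"],
    "weak-vendor.test": ["v=spf1 +all"],
    "_dmarc.weak-vendor.test": ["v=DMARC1; p=none"],
    "no-policy.test": [],
}

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record ("v=DMARC1; p=reject; rua=...") into tag=value pairs."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_terminal(record: str) -> str:
    """Return the qualifier of the SPF 'all' mechanism ('-', '~', '?', '+') or '' if absent."""
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    if not match:
        return ""
    return match.group(1) or "+"  # a bare 'all' defaults to '+' (pass everything)

def assess_domain(domain: str, txt: Dict[str, List[str]]) -> Dict[str, object]:
    """Report the conditions under which mail claiming to be from `domain` would not be blocked or reported."""
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    dmarc = [r for r in txt.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    findings: List[str] = []
    if not spf:
        findings.append("no SPF record")
    elif spf_terminal(spf[0]) in ("", "+", "?"):
        findings.append("SPF does not reject unknown senders")
    if not dmarc:
        findings.append("no DMARC record")
    else:
        tags = parse_dmarc(dmarc[0])
        if tags.get("p", "none").lower() == "none":
            findings.append("DMARC p=none: spoofed mail is only reported, never blocked")
        if "rua" not in tags:
            findings.append("DMARC has no rua= address: no aggregate reports, so no visibility")
    return {"domain": domain, "spoofable": bool(findings), "findings": findings}

def review_suppliers(domains: List[str], txt: Dict[str, List[str]]) -> List[str]:
    """Return the subset of domains whose posture leaves them open to impersonation."""
    return [d for d in domains if assess_domain(d, txt)["spoofable"]]
```

Running `review_suppliers(list(SAMPLE_TXT), SAMPLE_TXT)` over the constructed data flags the two weak domains; a domain with a DMARC record but no `rua=` address is listed because, without aggregate reports, impersonation attempts would go unnoticed.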
A collective commitment to supply chain security
The complexities of today’s digital supply chains require more attention to be paid to protecting them. While more regulated sectors have seen mandates put in place to govern this, many other industries haven’t, yet that in no way means they should be complacent in addressing supplier risk.
Supply chain security must become increasingly prioritised. By introducing rigorous security audits, continuous monitoring, sector-wide collaboration and the implementation of tools like ZTNA, companies can not only further protect themselves, but also help protect all the businesses they are connected to – which will become increasingly important as other organisations ramp up their own third-party risk assessments.
As supply chains have evolved, so too must our approach to safeguarding them. Failure to do so could result in severe financial and reputational damage that extends far beyond a single point of compromise, affecting a multitude of organisations and consumers alike.