Global Supply Chains: Have We Experienced the Cyber World’s Pearl Harbor Already?

essidsolutions

The global supply chain is an attractive target for cybercriminal activity due to its large network of connections and the perceived notion that it includes poorly protected systems. James McQuiggan, security awareness advocate at KnowBe4, discusses why it is critical that businesses examine their third-party security and protect their supply chain.

The success of most businesses depends on relationships with suppliers, vendors and partners. Information, goods and services are transferred across an interconnected web known as the supply chain. In some cases, an enterprise can have thousands of entities in its supply chain. While this may seem beneficial, it also presents thousands of potential avenues for cybercriminals to exploit and steal the organization’s information. Remember, the supply chain is only as strong as its weakest link and, with cyberattacks escalating in both size and scale, third-party attacks are also mounting.

Have We Witnessed the Cyber World’s Pearl Harbor?

A recent high-profile supply chain attack involved a well-known cybersecurity company that was attacked by a foreign state and impacted over 18,000 customers, including enterprises, institutions and even governments. The attack succeeded because the attackers were able to compromise software used by hundreds of companies, causing a domino effect; in fact, the organizations that were affected are still being revealed today.

Those organizations that haven’t been notified or impacted should count themselves lucky.

Protecting the Supply Chain: Determining What Is Most Important

With regard to protecting the supply chain, businesses should first take steps to identify their key assets, identify their partners, and establish what access those partners have to the key assets. Industry frameworks such as NIST, OWASP and CISSP Controls all stipulate an understanding of where critical assets are, be they hardware, software, endpoints or applications. However, compiling these lists is a struggle for most organizations.

If there is uncertainty about what should be considered a critical asset, organizations can ask two questions. If the asset were stolen or destroyed, would it have a significant impact on the business operations of the company? Does it hold sensitive information that demands specific privacy and security controls in order to comply with industry, national and international regulations?

Conducting a business impact analysis and a revenue impact analysis helps to identify and determine the level of impact to the business and its revenue in the event this information is degraded, stolen or destroyed.

While this may be an information security and IT-led operation, it requires the collaboration of all departments within an enterprise. From the C-suite to legal, finance and marketing, analysis is needed to determine business importance. From this, organizations can categorize the most important elements within the business and, consequently, act to restrict third-party access to them and secure them.

Remember, when it comes to the risk presented by the supply chain, be sure not to confuse a third party with a vendor, as the two definitions differ slightly. A vendor is a person or an entity that provides goods and services to other entities. A third party, on the other hand, is an entity, an individual or a company tasked with providing products and services to consumers on behalf of an organization.

While they are different components, both are essential pieces of the supply chain jigsaw. Therefore, it is critical that organizations know the level of access each part of the supply chain has to the key assets, in order to reduce or remove the associated risks.
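The procedure described above (answer the two impact questions to classify assets as critical, map each third party's access to those assets, and confirm that security evidence for each party is current) can be run as a simple access review. The following Python is an added illustration, not material from the author or from KnowBe4; the asset, partner and access-grant records are constructed sample data, and the read/write/admin access levels and the one-year evidence-freshness threshold are assumptions made for the example.

```python
"""
Third-party access review: classify assets as critical using the two
business-impact questions, then list every third party that holds access to a
critical asset, together with the highest access level it holds and whether
its security evidence (last assessment) is missing or stale.
All records below are constructed sample data for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                  # hardware, software, endpoint, application
    operational_impact: bool   # would loss or destruction disrupt operations?
    regulated_data: bool       # does it hold data subject to privacy/security regulation?


@dataclass(frozen=True)
class ThirdParty:
    name: str
    relationship: str                   # "vendor" or "third-party", as the text distinguishes them
    last_assessment_year: Optional[int]  # None means no security evidence on file


@dataclass(frozen=True)
class AccessGrant:
    party: str
    asset: str
    level: str                 # assumed levels: "read", "write", "admin"


# Assumed ordering of access levels, used to rank findings.
LEVEL_WEIGHT = {"read": 1, "write": 2, "admin": 3}
# Assumed freshness threshold: evidence older than this many years is stale.
MAX_EVIDENCE_AGE_YEARS = 1


def is_critical(asset: Asset) -> bool:
    """An asset is critical if either impact question is answered 'yes'."""
    return asset.operational_impact or asset.regulated_data


def critical_assets(assets: List[Asset]) -> List[str]:
    """Names of all critical assets, sorted for stable reporting."""
    return sorted(a.name for a in assets if is_critical(a))


def review_third_party_access(assets: List[Asset], parties: List[ThirdParty],
                              grants: List[AccessGrant], current_year: int) -> List[Dict]:
    """One finding per third party that can reach a critical asset.

    Grants for parties missing from the partner inventory are still reported
    (flagged in_inventory=False) because an unknown party with access is itself
    a finding, not something to silently drop.
    """
    crit = set(critical_assets(assets))
    party_by_name = {p.name: p for p in parties}
    findings: Dict[str, Dict] = {}
    for g in grants:
        if g.asset not in crit:
            continue  # access to non-critical assets is out of scope here
        f = findings.setdefault(g.party, {"assets": set(), "max_level": "read"})
        f["assets"].add(g.asset)
        if LEVEL_WEIGHT[g.level] > LEVEL_WEIGHT[f["max_level"]]:
            f["max_level"] = g.level

    report = []
    for name, f in findings.items():
        p = party_by_name.get(name)
        in_inventory = p is not None
        year = p.last_assessment_year if p else None
        stale = year is None or (current_year - year) > MAX_EVIDENCE_AGE_YEARS
        report.append({
            "party": name,
            "relationship": p.relationship if p else "unknown",
            "assets": sorted(f["assets"]),
            "max_level": f["max_level"],
            "evidence_stale": stale,
            "in_inventory": in_inventory,
        })
    # Highest access level first, then by name.
    report.sort(key=lambda r: (-LEVEL_WEIGHT[r["max_level"]], r["party"]))
    return report


# Constructed sample inventory.
ASSETS = [
    Asset("customer-db", "application", True, True),
    Asset("payroll", "application", True, True),
    Asset("marketing-cms", "application", False, False),
    Asset("warehouse-scanner", "hardware", True, False),
]
PARTIES = [
    ThirdParty("CloudHost Inc", "vendor", 2020),
    ThirdParty("PayrollCo", "third-party", None),
    ThirdParty("DesignAgency", "vendor", 2021),
]
GRANTS = [
    AccessGrant("CloudHost Inc", "customer-db", "admin"),
    AccessGrant("PayrollCo", "payroll", "write"),
    AccessGrant("DesignAgency", "marketing-cms", "admin"),
    AccessGrant("LogisticsPartner", "warehouse-scanner", "read"),  # not in PARTIES
]

if __name__ == "__main__":
    print("critical assets:", critical_assets(ASSETS))
    for row in review_third_party_access(ASSETS, PARTIES, GRANTS, current_year=2021):
        print(row)
```

Running it lists three findings: the cloud host with admin access to the customer database (evidence current), the payroll provider with write access but no assessment on file, and a logistics partner that holds access yet does not appear in the partner inventory at all. The design agency is omitted because its only access is to a non-critical asset.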

The Perimeter Has Changed

Not long ago, the perimeter was simpler to protect using firewalls and isolation techniques. Yet, with digital transformation and cloud services, the perimeter has exploded as more organizations regularly use applications and software built on this technology. Naturally, third parties use the same technology. The cloud, especially, is now commonly used when accessing and transferring information to and from an organization. For that reason, different approaches to security and third-party auditing are needed to prevent a supply chain attack.

Ensure Third-Party Vetting

Adhering to industry security standards and best practices is brilliant for building a foundation for security. However, security is only as strong as that of the entire supply chain. To ensure every organization is on the same page regarding security and privacy, create a decision framework and guidelines that set out what is expected from vendors and third parties. This can include non-negotiable security requirements, evidence of security practices, and an audit of risk assessments and compliance reports. Having this information upfront can help determine in advance whether a vendor or supplier is taking security seriously. Of course, the pandemic has made it significantly more difficult to hold in-person meetings to discuss security. We can, however, carry out the necessary due diligence by establishing a baseline against which to judge a third party’s state of security. But don’t bypass this stage.

Third-Party Security Is a Moving Machine

Organizations must not be naïve: the global supply chain is an attractive target for cybercriminal activity due to its large network of connections and the perceived notion that it includes poorly protected systems. The significant attack on the well-known cybersecurity company should act as a wake-up call for enterprises to examine the third-party security they have in place.

Implement a third-party risk framework that incorporates third-party security risk management. This can be done through vendor risk management, where the organization takes ownership of conducting the risk management itself, or through managed support services, which involves contracting a third-party service to assist with managing third-party risk.

The third method is a hybrid of the two. Depending on the resources and budget available, organizations can assess which option is more effective at identifying threats and vulnerabilities within their third-party ecosystem.

Third-party security is a continually evolving program. As cybersecurity, technology and regulation change, so must the processes and policies that keep the supply chain secure.

New threats and risks are continually being discovered, so have we truly witnessed the cyber world’s ‘Pearl Harbor’, or is that still to come? The answer remains to be seen. To prevent such a scenario, establish a security strategy that is both flexible and adaptable to new vulnerabilities. It is likely that, until drastic changes are made, the supply chain will continue to be targeted. However, each individual organization can be the catalyst for proactive change that removes the weak link in supply chain security.