Many of this year’s high-profile cyber incidents share a common thread: the attackers forced their way into company environments by exploiting security vulnerabilities not in the company’s own networks, but in those of its suppliers. By exploiting vulnerabilities in third-party products and software, especially those of smaller and less sophisticated suppliers, attackers are able to infiltrate the networks of larger companies, even those with robust security programs.
The supply chain can be visualized as a vast spiderweb: the interconnectedness that makes it function so well for business also makes suppliers an attractive Patient Zero target for attackers trying to gain access to further networks and information assets. Once attackers have accessed third-party networks, they often deploy ransomware. This type of attack frequently follows a double extortion model: data is exfiltrated from the victim’s systems before it is encrypted, creating the additional threat that the compromised data will be published unless the ransom is paid.
With these types of attacks on the rise, companies worried about their security should understand how they can protect themselves from attacks that may arise through their supply chain.
Is my company at risk?
The answer is likely yes. Today, virtually all companies rely on third-party technical solutions to manage their business effectively. The downside of this approach is that incorporating new third-party technology into business operations creates new vectors for cyberattacks. Companies that rely on supplier software and technology services are particularly vulnerable to supply chain attacks because most of these third-party products or services require privileged access, and companies often grant third-party software access requests without further investigation, introducing additional threat vectors.
The increased awareness around cyberthreats and supply chain attacks is also reflected in the federal government’s response to recent high-profile attacks. Companies should assume that they will at some point be a target, and perhaps even a victim of, a successful attack.
What can my company do?
Review your security policies
Gaining appropriate visibility, understanding, and governance over the company’s exposure to supply chain risks is key to preparing for and mitigating those risks. An important first step is to review your own security policies and procedures and to implement robust cybersecurity policies, programs and (role-based) training that are regularly reviewed, updated and tested. Security considerations should not be an afterthought; it is vital to take appropriate steps during every design, onboarding, and implementation phase.
Conduct supplier due diligence
In some respects, a company’s security is only as good as its suppliers’ security, making supplier due diligence a critical part of any security risk assessment.
Underlying this process is the need to implement and follow a vigilant supplier and vendor selection process, keeping in mind that cyber-criminals specifically exploit supplier software vulnerabilities.
This process should be routinized, including implementing measures to regularly assess all third-party suppliers the company relies on to operate its business. Ideally, where issues are found, they should be remediated before engaging the supplier or deploying its technologies. If the supplier has already been engaged or its technologies deployed, any issues should be remediated as they are discovered. Additionally, to limit exposure, companies should not use supplier software solutions or connect to supplier networks when it is not necessary to do so.
Often the seemingly insignificant and smaller suppliers present disproportionately high levels of cyber risk in a company’s supply chain. When assessing the company’s security maturity and program, supplier security and associated risks must be examined and evaluated. Companies should build out a supplier selection process that asks comprehensive security questions, and requests documents and certifications that provide evidence that the supplier has put appropriate security measures in place. These can include asking for the supplier’s:
- written security and information policies
- third-party security audit results
- penetration testing results
- compliance with industry frameworks (such as ISO 27001) and
- existing security certifications or attestations such as a SOC 2 Type II report.
This can, for example, be achieved by creating supplier questionnaires that cover the appropriate security requirements and that are baked into the supplier selection and procurement process. This ensures that security aspects are integral to the selection process rather than an afterthought.
Consider supply chain attack management
Threat actors increasingly target third-party service providers as a method of entry, especially suppliers that are trusted and connected to the victim’s network. For this reason, companies should routinely perform detailed due diligence and risk assessments to model, understand, and manage security risks holistically throughout the supply chain. From a management perspective, it is important for organizations to identify specific points of failure and to introduce redundancies, strengthen controls, or consciously accept the risk that a supplier engagement can produce. Too often, threats come in through known vulnerabilities that were left unpatched. Security testing and patching, including of supplier-identified vulnerabilities, are essential tools for securing digital infrastructure. Companies should continually review their security practices and consider solutions that mitigate these risks.
Be prepared for the attack
Companies should not wait for a cyber-attack to happen before planning how best to respond. Incident preparedness, including detailed internal guidance, is critical to a robust risk management strategy. A well-thought-out incident response plan will expedite business continuity objectives, and having appropriate measures in place before an attack will help mitigate reputational risks and potential litigation exposure. These incident response plans should be in writing and should be regularly reviewed and discussed through tabletop exercises to allow the company to learn from the exercise and further refine the response plan.
Companies should assess their relationships with third-party suppliers to ensure they have a proper understanding of the associated risks. To strengthen safeguards, frequent updates and patches and up-to-date organizational and technical processes and measures should be implemented in a timely fashion. These measures include patches for known vulnerabilities, multi-factor authentication, zero trust architectures, and third-party management tools, all of which help your company reduce residual risk.
Learn more about taking steps to protect your company from attacks on your supply chain by contacting us at PrivacyGroup@dlapiper.com.