Cyber Security

Assess and mitigate cybersecurity risks lurking in your supply chain

esteria.white
By esteria.white Add a Comment

Business Security

Blindly trusting your partners and suppliers on their security posture is not sustainable: it’s time to take control through effective supplier risk management.

Phil Muncaster

January 25, 2024

,
5 minutes. read

Assess and mitigate supply chain cybersecurity risks

The world is built on supply chains. They are the connective tissue that facilitates global trade and prosperity. But these overlapping and interdependent networks of businesses are increasingly complex and opaque. Most involve the delivery of software and digital services, or at least depend in some way on online interactions. This exposes them to risks of disruption and compromise.

SMEs in particular may not be proactively seeking or having the resources to manage the security of their supply chains. But blindly trust your partners and suppliers on their cybersecurity posture is not viable in the current climate. Indeed, it is (past) time to take supply chain risk management seriously.

What is supply chain risk?

Supply chain cyber risks could take many forms, from Ransomware and from data theft to denial of service (DDoS) and fraud. They may impact traditional vendors such as professional services firms (e.g., lawyers, accountants) or enterprise software providers. Attackers can also target managed service providers (MSPs), because by compromising a single company in this way, they could gain access to a potentially large number of downstream customer companies. Last year’s research found that 90% of MSPs experienced a cyberattack in the previous 18 months.

Here are some of the main types of supply chain cyberattacks and how they occur:

  • Compromised proprietary software: Cybercriminals are getting bolder. In some cases, they have managed to find a way to compromise software developers and insert malware into code that is then passed to downstream clients. This is what happened in the Campaign against Kaseya ransomware. In a more recent case, popular file transfer software MOVEit has been compromised by a zero-day vulnerability and data stolen from hundreds of enterprise users, affecting millions of their customers. Meanwhile, the 3CX communications software compromised made history as the first ever publicly documented incident of one supply chain attack leading to another.
  • Attacks on open source supply chains: Most developers use open source components to speed their software projects to market. But bad actors know this and have started inserting malware into components and making them available in popular repositories. A report claims there was a 633% year-over-year increase in these attacks. Malicious actors are also quick to exploit vulnerabilities in open source code that may take some users time to patch. This is what happened when a critical bug was discovered in a near-ubiquitous tool. known as Log4j.
  • Impersonation of suppliers for fraud purposes: Sophisticated attacks known as business email compromise (BEC) sometimes involve fraudsters posing as suppliers to trick a customer into transferring money to them. The attacker typically hijacks an email account belonging to one party or the other, monitoring email flows until the time comes to intervene and send a fake invoice with altered bank details .
  • Credential theft: Attackers steal credentials suppliers with the aim of hacking the supplier or their customers (whose networks they may have access to). This is what happened during the massive Target breach in 2013, when hackers stole credentials from one of the retailer’s HVAC suppliers.
  • Data theft: Many vendors store sensitive data about their customers, especially companies like law firms that are privy to intimate corporate secrets. They represent an attractive target for threat actors looking for information they can monetize through extortion or other means.

How do you assess and mitigate supplier risks?

Regardless of the specific type of supply chain risk, the end result could be the same: financial and reputational damage and the risk of lawsuits, operational breakdowns, lost sales and unhappy customers. However, it is possible to manage these risks by following certain industry best practices. Here are eight ideas:

  1. Carry out due diligence on any new supplier. This means checking that their security program meets your expectations and that they have basic measures in place for threat protection, detection and response. For software vendors, it is also worth considering whether they have a vulnerability management program in place and what their reputation is for the quality of their products.
  2. Manage open source risks. This may involve using software composition analysis (SCA) tools to gain visibility into software components, as well as continuous scanning for vulnerabilities and malware and rapid fixing of any bugs. Also make sure that developer teams understand the importance of security by design when developing products.
  3. Conduct a risk review of all suppliers. It starts with understanding who your suppliers are and then checking if they have basic security measures in place. This should extend to their own supply chains. Conduct frequent audits and verify accreditation with industry standards and regulations where applicable.
  4. Keep a list of all your approved suppliers and update it regularly based on the results of your audit. Regular auditing and updating of the supplier list will allow organizations to conduct thorough risk assessments, identify potential vulnerabilities and ensure suppliers meet cybersecurity standards.
  5. Establish a formal policy for suppliers. This should outline your requirements for mitigating supplier risks, including the SLAs that must be met. As such, it is a foundational document outlining the expectations, standards and procedures that suppliers must follow in order to ensure the security of the entire supply chain.
  6. Manage supplier access risks. Apply the principle of least privilege between suppliers, if they need access to the company network. This could be deployed as part of a Zero Trust approachwhere all users and devices are untrusted until verified, with continuous authentication and network monitoring adding an additional layer of risk mitigation.
  7. Develop an incident response plan. In the event of a worst-case scenario, make sure you have a well-prepared plan to follow in order to contain the threat before it has a chance to impact the organization. This will include how to liaise with the teams working for your suppliers.
  8. Consider implementing industry standards. ISO 27001 And ISO 28000 There are many useful ways to take some of the steps listed above to minimize vendor risk.

In the United States last year, there were 40% more supply chain attacks than malware-based attacks, according to a report. They have led to violations affecting more than 10 million people. It’s time to take back control through more effective supplier risk management.

Leave a comment
Lost your password?