One often overlooked vulnerability that continues to plague enterprises of all sizes is the supply chain – it doesn’t affect the physical supply chain, but rather the digital supply chain – systems and data. And while there aren’t oil tanker barges and high seas involved, there are still aggressors who would fly a pirate flag.
Also called value-chain or third-party attacks, while nothing new, they have come to the forefront of the industry following SolarWinds’ December 2020 breach disclosure, which to date has affected nearly 18,000 public and private sector customers. Threat actors, believed to be Russia’s Cozy Bear, compromised IT management software from SolarWinds, called Orion, and produced and distributed trojanized updates to the software’s users. Unfortunately, it may take months before we more clearly understand the extent of the damage. What we do know already is that now, organizations of all sizes should not only be aware of their own security postures, but also aware of all entities in their supply chains, including not only vendors but also partners, to mitigate the risk of a cyber-attack.
According to a 2018 Opus and Ponemon Institute survey, 59% of companies worldwide stated they’ve experienced a data breach caused by a vendor or third party. More recently, a 2020 BlueVoyant report revealed that 80% of U.S. organizations experienced a cybersecurity breach that originated from vulnerabilities in their vendor ecosystem.
There is a long list of notable third-party related incidents that have rocked the cyber world these past few years. Look no further than Fortune 50 companies Facebook and Target. In 2019, millions of Facebook users’ credentials, uploaded by app developers, were discovered sitting unprotected in Amazon’s cloud system. Target’s attackers were able to leverage stolen network credentials from its air conditioning and heating systems provider. It is not enough to enhance internal measures and protocols. As the old adage goes, “you are only as strong as your weakest link.” For cyber, this means it is wise to assess your external networks as well.
There’s also a misconception among smaller companies – which sometimes do not allocate adequate budgets to cybersecurity – that cybercriminals are only looking to target larger companies. Conversely, our 2019 Identity Breach Report (see 2022 Identity Breach Report for latest findings) observed a shift by threat actors, targeting more small businesses. The truth is small to mid-sized businesses still hold valuable assets and make for an easy entry point to larger networks, thus making them worthy targets. This is called “island-hopping” and can be difficult to prevent because it is not always easy to identify when nefarious actors have compromised trusted contacts.
Knowing that your supply chain is potentially a target for cyber-attacks, below are five steps your company can take to mitigate this risk.
Vet Supply Chain Partners. Conduct a thorough Digital Risk third-party assessment to identify if they have the proper cyber hygiene, analyze the surface of attack and the maturity of their security practices and posture.
Monitor Confidential Information and Personally Identifiable Information. Find possible leaks or breached data exposed and traded in the underground markets, and investigate the possible sources and if any providers might be involved.
Third-Party Audits. Every field has different regulatory compliance requirements and certifications. Independent organizations can oversee risk assessments that provide objective security scores for vendors.
Create a Partner-Aware Incident Response Plan. Rapid response is essential if you or a supply chain partner suffer a cyber breach. To respond swiftly, you must already have created a comprehensive and partner-aware incident response plan to make sure you are on the same page as every link in your supply chain.
Invest in Digital Risk Protection. Constella Intelligence provides proactive, real-time responses to cyber threats before they impact critical assets – quickly and efficiently disrupting cyber-attacks and data breaches before they occur.
In today’s digital ecosystem, we are all intertwined and rely on one another. Your company’s risk extends beyond your own company. Use the SolarWinds incident as a wake-up call to proactively address issues within your supply chain before it is too late.
By Julio Casal, Founder and CTO, Constella Intelligence