Supply chain attacks could bring your business to its knees, says Jonathan Wood, CEO of cyber security and vendor risk management firm C2 Cyber.
Cyber security attacks are rising as hackers increasingly exploit the weakest links in your supply chain. In fact, 44pc of organisations reported a third-party breach in the past 12 months, and 74pc of those said the incident came about because they had granted the third party too much privileged access. Suppliers need access to sensitive data such as financial, operations and HR records in order to integrate with your internal systems, so when a supplier is compromised, that shared pool of data is exposed along with it.
The increasing reliance on third-party suppliers, combined with the rapid digitisation of the supply chain, has made it the route of choice for more and more hackers; 16pc of all malicious attacks are now attributed to vulnerabilities in third-party software.
The impact of attacks
There is no doubt that the impact of a supply chain attack is significant. All it takes is for one of your suppliers to click on a phishing email, or to have no two factor authentication (2FA) in place, and your organisation could be breached. The consequences range from critical damage to your IT systems and the resulting loss of revenue to lasting harm to your brand reputation and customer loyalty. A single data breach can knock your business out for days or even weeks, disrupting your operations and bringing them to a standstill.
Take the Danish integrated shipping company Maersk, which back in 2017 lost between US$200M and US$300M in revenue, and much more in recovery costs, to the NotPetya malware. The malware did not arrive by phishing email: it was delivered through a compromised update to the M.E.Doc accounting software, a third-party product running in one of Maersk's offices, and from there it spread across Maersk's entire network, including almost 50,000 endpoints and thousands of applications and servers across 600 sites in 130 countries.
In December 2020, IT supplier SolarWinds disclosed that attackers had inserted a backdoor into a build of its Orion software, which was then shipped to customers as a signed update. Up to 18,000 customers received it, including a large number of US government agencies and departments such as the Energy Department (DOE) and the National Nuclear Security Administration (NNSA), which maintains the US nuclear weapons stockpile. After the attack, SolarWinds' private equity owners faced scrutiny for sacrificing cyber security to boost short-term profits. The attack also prompted many organisations to tighten security across their supply chain: 47pc said they would now require suppliers to follow their internal security standards, and 39pc said they would increase network segmentation by isolating vendor software and appliances in a higher-risk zone.
Then last month, Volkswagen and Audi disclosed a data breach that exposed the contact information and personal details of more than 3 million customers and prospective buyers in the US and Canada. The data was taken from an outside vendor that had left it in an unsecured file.
Could any of these attacks have been prevented? Yes, all of them. It is neither a small nor a simple task, but by starting with the highest-risk vendors and their areas of vulnerability you can address these issues, close out the weak links and keep the hackers out.
As organisations have hundreds, if not thousands, of suppliers posing varying degrees of risk, you need to identify the risk level of each one. This is determined by the sensitivity of the data you share with them and the access you grant them. To segment your suppliers by risk, adopt a tiered approach to assessment and monitoring that draws on open source intelligence (OSINT): the analysis of publicly available information about your suppliers, from their website and email domain to their social media accounts. Focus your effort on analysing and monitoring the suppliers that pose the most risk to your organisation.
Taking the high-risk segment first, evaluate each supplier's policies and data security certifications to ensure they are fit for purpose. Send them an online questionnaire to collect the relevant security information, then analyse the responses to assess the maturity of their security controls, identifying areas of weakness and the potential impact if those weaknesses were exploited. Assign each supplier a risk score and outline the key risk areas that require action, with recommendations on how to address them. Acting on these findings is critical to safeguarding your organisation from attacks.
You can then ask the supplier to carry out remediation actions to improve their security. These can be as basic as activating two factor authentication across their accounts or ensuring segregation of duties for administrators. As the cost of any required security updates usually falls on the supplier, it is advisable to run these checks before you start working with them, while you still have the leverage to make remediation a condition of the contract.
Once the supplier has made the required improvements, you need ongoing monitoring via a vendor risk management (VRM) dashboard that combines OSINT monitoring with immediate visibility of risk criticality, so that you can identify changes and trends. Depending on your risk appetite, you can then reassess suppliers as required.
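The tiering, scoring, remediation and reassessment steps above can be made concrete in a small model. The following Python is an added illustration, not code from C2 Cyber or its VRM product: the data categories, access levels, questionnaire controls, weights and tier thresholds are all assumptions chosen to show the mechanics, and the supplier inventory is constructed sample data. One deliberate design choice: a questionnaire item that was never answered is treated as a failed control, because an unanswered question is not a passed one.

```python
from dataclasses import dataclass, field

# Inherent-risk inputs: how sensitive is the data the supplier holds, and how deep
# is their access into our systems. Weights are illustrative assumptions.
DATA_SENSITIVITY = {"public": 0, "internal": 1, "financial": 3, "hr": 3, "customer_pii": 3}
ACCESS_WEIGHT = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Questionnaire controls: id -> (weight if the control is missing, remediation action).
# Illustrative set; a real questionnaire is much longer.
CONTROLS = {
    "mfa_all_accounts": (3, "Activate two factor authentication on all accounts"),
    "admin_segregation": (2, "Segregate admin duties from day-to-day user accounts"),
    "patching_sla": (2, "Apply critical security patches within an agreed SLA"),
    "security_certification": (1, "Evidence a current ISO 27001 or SOC 2 report"),
    "breach_notification": (1, "Commit contractually to prompt breach notification"),
}
# Residual risk is scaled by inherent tier: the same gap matters more at a
# supplier that holds payroll data than at one that holds nothing sensitive.
TIER_MULTIPLIER = {"high": 1.0, "medium": 0.6, "low": 0.2}


@dataclass
class Supplier:
    name: str
    data_shared: list      # categories from DATA_SENSITIVITY
    access: str            # level from ACCESS_WEIGHT
    # control id -> True if the supplier evidenced the control. Absent answers are
    # treated as failures (see lead-in).
    answers: dict = field(default_factory=dict)


def tier(s: Supplier) -> str:
    """Inherent risk tier from what the supplier holds and can reach, before controls."""
    exposure = max((DATA_SENSITIVITY[d] for d in s.data_shared), default=0)
    exposure += ACCESS_WEIGHT[s.access]
    if exposure >= 5:
        return "high"
    if exposure >= 3:
        return "medium"
    return "low"


def failed_controls(s: Supplier) -> list:
    """Controls the supplier did not evidence, in questionnaire order."""
    return [cid for cid in CONTROLS if not s.answers.get(cid, False)]


def score(s: Supplier) -> int:
    """Residual risk 0-100: weighted failed controls, scaled by inherent tier."""
    max_pts = sum(w for w, _ in CONTROLS.values())
    failed = sum(CONTROLS[cid][0] for cid in failed_controls(s))
    return round(100 * failed / max_pts * TIER_MULTIPLIER[tier(s)])


def remediation(s: Supplier) -> list:
    """Actions to hand back to the supplier, highest-weight gap first."""
    gaps = failed_controls(s)
    gaps.sort(key=lambda cid: -CONTROLS[cid][0])  # stable: ties keep questionnaire order
    return [CONTROLS[cid][1] for cid in gaps]


def triage(suppliers: list) -> list:
    """Prioritised view for the dashboard: (name, tier, score), riskiest first."""
    rows = [(s.name, tier(s), score(s)) for s in suppliers]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def reassess(previous: dict, suppliers: list) -> dict:
    """Ongoing monitoring: suppliers whose score rose since the last assessment,
    e.g. a control lapsed or OSINT showed a change. Returns name -> (old, new)."""
    changed = {}
    for s in suppliers:
        new = score(s)
        old = previous.get(s.name)
        if old is not None and new > old:
            changed[s.name] = (old, new)
    return changed


# Constructed sample inventory (fictional suppliers).
SAMPLE = [
    Supplier("payroll_co", ["hr", "financial"], "write",
             {"mfa_all_accounts": False, "admin_segregation": True, "patching_sla": True,
              "security_certification": True, "breach_notification": True}),
    Supplier("marketing_agency", ["customer_pii"], "read",
             {"mfa_all_accounts": True, "admin_segregation": True, "patching_sla": True,
              "security_certification": True}),   # breach_notification left unanswered
    Supplier("office_plants", ["public"], "none"),  # never sent a questionnaire
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
    print(remediation(SAMPLE[0]))
    print(reassess({"payroll_co": 20, "marketing_agency": 7}, SAMPLE))
```

Running it ranks payroll_co first (high tier, no 2FA), then office_plants, then marketing_agency. Note that office_plants, which holds nothing sensitive, still outranks the agency because it has evidenced nothing at all; whether low-tier suppliers are sent a questionnaire at all, or simply monitored, is exactly the risk-appetite decision the text leaves to you. The reassess call shows the monitoring loop: feeding last quarter's scores back in flags payroll_co as having got worse.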
Managing the risk
It is clear that reliance on third-party suppliers has created new demands on cyber security defences. Organisations need to get ahead of attacks by identifying high-risk suppliers, analysing their security maturity and then taking the required action to reduce risk. Ensuring the confidentiality, integrity and availability of your data and systems across your entire supplier network is now critical; otherwise your organisation will be at high risk of an attack that could, quite frankly, bring your business to its knees. In the long term, knowing where your data is, and why, will make your supply chain more cost efficient, leaner and more agile. These reductions in risk are often measurable, meaning you can show your investors, insurers and shareholders that VRM has paid for itself.