A supply chain cyber attack, also known as a third-party attack, occurs when a threat actor gains access to, or disrupts, an organisation’s data or systems by exploiting a weakness in one of its suppliers rather than attacking the organisation directly. Based on Gartner estimates, 60% of organisations now work with more than 1,000 third parties, and this number is likely to grow further over the next three years.
With more and more service providers supporting companies’ operations in 2021 and beyond, the risks associated with a supply chain attack have never been higher. Attackers have more resources and tools at their disposal than ever before, driving new types of attack. Coupled with growing public awareness of data protection rights and mounting regulatory pressure, this creates a perfect storm for CISOs to weather.
Supply chain cyber attacks are on the rise
According to reports, supply chain attacks increased by 78% in 2018. (infosecurity-magazine.com)
In 2018, a CrowdStrike report highlighted how unprepared organisations worldwide were against attackers seeking to exploit third-party cyber security weaknesses. Two-thirds of the 1,300 respondents said they had experienced a software supply chain attack, and almost 90% believed they were at risk via a third party. Yet, remarkably, the same proportion of respondents admitted they did not regard vetting suppliers as a critical necessity. Some estimates show that only 18% of IT departments knew whether their vendors were, in turn, sharing sensitive data with other suppliers. That is a huge problem: customers and shareholders do not really care whether it was the company’s supplier that lost the data rather than the company itself. The reputational damage is already done.
So where are the supply chain cyber security risks?
Here are some examples of third-party vendors organisations use in support of their operations:
- Data storage companies
- Payment processors
- Customer relationship management (CRM) systems
- Financial management & billing systems
- Consultants
- Accountants
- Human resources systems such as payroll
Almost every company uses outside software and hardware to support its day-to-day operations, but there is considerable risk attached to this approach which needs to be managed and, as far as possible, mitigated. Each purchased device and each downloaded application needs to be vetted and monitored for potential cyber security risks. How do you ensure your suppliers are doing the same? And doing it regularly?
Not only is a company’s own data at risk through these third-party supply chains, but if a flawed software or hardware component is embedded into a product, it may cause further security problems down the line. The Heartbleed bug (CVE-2014-0160), for example, was a bug in the OpenSSL cryptography library, a widely used implementation of the Transport Layer Security (TLS) protocol: the library trusted a peer-supplied length field in the TLS heartbeat extension and copied that many bytes of process memory back to the peer. It affected millions of websites and mobile devices as well as software from many major vendors, including Oracle, VMware and Cisco, none of whom had written the flawed code themselves.
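To make the Heartbleed example concrete, the following is a constructed, much simplified model of the bug class, added here as illustration; it is not OpenSSL’s code, and the message layout, buffer sizes and the “secret” placed next to the received record are all assumptions made for the demonstration. The vulnerable handler trusts the length field in the request and copies that many bytes into the response; the fixed handler adds the one check the real fix needed, that the claimed payload must lie inside the record actually received.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a TLS heartbeat message (not OpenSSL's code):
 *   byte 0      message type (1 = request, 2 = response)
 *   bytes 1-2   payload length, big-endian, chosen by the peer
 *   bytes 3..   payload
 * The padding the real record also carries is left out to keep the model small. */
#define HB_REQUEST  1
#define HB_RESPONSE 2

/* The received record sits at the start of a larger buffer; the constructed
 * SECRET placed right after it stands in for whatever neighbours the record in
 * process memory (other connections' keys, cookies, passwords). */
#define MEM_SIZE 128
static const char SECRET[]  = "session-cookie=abc123";
static const char PAYLOAD[] = "ping";

/* Build a request that claims claimed_len payload bytes while actually
 * carrying only strlen(PAYLOAD) bytes. Returns the real record length. */
size_t build_request(uint8_t *mem, uint16_t claimed_len)
{
    size_t real = strlen(PAYLOAD);
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(mem + 3, PAYLOAD, real);
    memcpy(mem + 3 + real, SECRET, sizeof SECRET);   /* adjacent memory */
    return 3 + real;
}

typedef int (*hb_handler)(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap);

/* Vulnerable handler: the length field is trusted, so memcpy reads payload
 * bytes starting at rec+3 regardless of how long the record really is. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload > out_cap) return -1;    /* only the output is bounded */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);               /* BUG: may read past rec_len */
    return (int)(3 + payload);
}

/* Fixed handler: identical, plus a check that the claimed payload actually
 * lies inside the received record. Malformed requests are dropped, not echoed. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload > rec_len) return -1;    /* the missing bounds check */
    if ((size_t)3 + payload > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    return (int)(3 + payload);
}

/* Run one handler against a request claiming claimed_len bytes.
 * Returns 1 if the response carries the constructed secret, 0 if it was
 * answered without leaking, and -1 if the request was rejected. */
int response_leaks_secret(hb_handler handler, uint16_t claimed_len)
{
    uint8_t mem[MEM_SIZE], out[MEM_SIZE];
    size_t rec_len = build_request(mem, claimed_len);
    int n = handler(mem, rec_len, out, sizeof out);
    if (n < 0) return -1;
    size_t off = 3 + strlen(PAYLOAD);                /* where adjacent memory begins */
    if ((size_t)n >= off + sizeof SECRET - 1 &&
        memcmp(out + off, SECRET, sizeof SECRET - 1) == 0)
        return 1;
    return 0;
}

int main(void)
{
    printf("honest request, vulnerable handler:    %d\n",
           response_leaks_secret(heartbeat_vulnerable, 4));
    printf("over-long request, vulnerable handler: %d\n",
           response_leaks_secret(heartbeat_vulnerable, 64));
    printf("over-long request, fixed handler:      %d\n",
           response_leaks_secret(heartbeat_fixed, 64));
    return 0;
}
```

The point for supply chain risk is that none of the vendors listed above wrote this code; they shipped a library that did, and every product that embedded it inherited the flaw until the patched library was rolled out.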
When we talk about risk, especially in the area of cyber security, we are often focused on data protection. When it comes to risk mitigation, it is now vital to widen the scope of supply chain auditing beyond data protection and to consider other risk areas such as:
- Regulatory and compliance risks
- Reputational risks and potential for brand damage
- Financial risks
- Other IT security risks
- Operational risks
Defining who is responsible for cyber security
The deeper an organisation sits in a supply chain, the more complicated the question of responsibility becomes. A company managing its own data can draw reasonably clear lines around information assurance and responsibility for data breaches, but matters become hugely complex if you are a vendor providing services to that company, or a third party providing services to one of its vendors.
Having a contract in place saying “you must keep our data secure” is no longer good enough. Proper, detailed and continuous due diligence needs to be in place.
Taking action to secure the supply chain
There are a number of cyber security frameworks available to help CISOs manage supply chain compliance and risk. Two of the more common ones come from the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO).
Risk management is built into ISO 27001, with the controls for third-party suppliers detailed in ISO 27002 and, for personal data handled by processors, in ISO 27701. Like NIST SP 800-53 (and NIST SP 800-161, which is specifically about cyber supply chain risk management), these standards can help you create controls and policies for identifying and managing third-party risks in your supply chain.
Both frameworks are applicable across many industries, but in some instances an organisation’s specific needs may require a custom-built framework, derived from your existing practices as well as recommendations from other frameworks.
There has never been a more vital time to have a cyber-resilient supply chain. The Coronavirus pandemic is the ultimate stress test for many supply chains, which are under huge pressure to keep up with demand whilst trying to continue with ‘business as usual’. Suppliers are more vulnerable than ever to downtime or data loss if critical processes are interrupted, and many decisions rushed through in haste neglect regulatory requirements.
Streamlining supplier audits is crucial, as is understanding how deep the supply chain network goes. Using partner terms to enforce cyber security controls can be effective if the contract ties payments and renewals to cyber security performance. We advise our clients to look for suppliers with certifications such as Cyber Essentials Plus and ISO 27001, and not to be afraid to request proof from suppliers and partners of their information assurance practices. It is important to make sure the certificates are issued by a recognised body and not by a consultancy marking its own homework and issuing its own certificate.
Another consideration, for those with the resources, is to monitor the deep and dark parts of the web for breached data, leaked credentials and mentions of supply chain vendors in attack planning. In this way, businesses can be much better prepared to mitigate an attack if they see it coming, because it exposes weaknesses in a partner’s cyber security before they are exploited.
The higher the risk, the more often third-party supplier audits should be carried out, because if there are gaps in your cyber security programme, you need to find and remediate them before attackers or regulators discover them.
Find out more about our Third-Party Risk Management and Auditing services and how we can help you secure your supply chain.