Corporate security
Blindly trusting your partners and suppliers with their security posture is not sustainable – it’s time to take control through effective supplier risk management
January 25, 2024
The world is built on supply chains. They are the connective tissue that facilitates global trade and prosperity. But these networks of overlapping and interconnected companies are increasingly complex and opaque. Most involve the provision of digital software and services, or at least depend in some way on online interactions. This puts them at risk of disruption and compromise.
SMBs in particular may lack the resources, or the inclination, to manage security in their supply chains proactively. But blindly trusting partners and suppliers with their own cybersecurity posture is not sustainable in the current climate. It is (past) time to take supply chain risk management seriously.
What is supply chain risk?
Supply chain cyber risks can take many forms, from ransomware and data theft to distributed denial of service (DDoS) and fraud. They may affect traditional vendors such as professional services firms (e.g., lawyers, accountants) or enterprise software providers. Attackers also go after managed service providers (MSPs), because compromising a single MSP can give them access to a potentially large number of downstream customer businesses. Research last year revealed that 90% of MSPs had experienced a cyber attack in the previous 18 months.
Here are some of the main types of supply chain cyber attacks and how they occur:
- Compromised proprietary software: Cybercriminals are getting bolder. In some cases they have compromised software vendors and inserted malware into code that is then delivered to downstream customers; in others they have abused a vendor's own update and management channels. In the Kaseya ransomware campaign, attackers exploited zero-day vulnerabilities in the on-premises Kaseya VSA remote management product to push ransomware through MSPs to their customers. More recently, the popular file transfer software MOVEit was hit through a zero-day vulnerability, with data stolen from hundreds of business users and millions of individuals affected. Meanwhile, the compromise of 3CX communications software made history as the first publicly documented incident in which one supply chain attack (a trojanized installer from a different vendor) led to another.
- Attacks on open source supply chains: Most developers use open source components to accelerate the time to market of their software projects. Threat actors know this and have started inserting malware into components and publishing them in popular package repositories. One report states that there has been a 633% year-on-year increase in such attacks. Threat actors are also quick to exploit vulnerabilities in open source code that some users are slow to patch. That is what happened when a critical bug (Log4Shell, CVE-2021-44228) was found in the nearly ubiquitous Log4j logging library.
- Impersonating suppliers for fraud: Sophisticated attacks known as Business Email Compromise (BEC) sometimes involve scammers posing as vendors to trick a customer into transferring money to them. The attacker usually takes control of an email account belonging to one party or the other, monitoring email flows until the right time to intervene and send a fake invoice with altered bank details.
- Credential theft: Attackers steal vendor logins in an attempt to breach the vendor or its customers (whose networks the vendor may have access to). That is what happened in the massive 2013 Target breach, when attackers stole the credentials of one of the retailer's HVAC vendors and used them to reach Target's network.
- Data theft: Many vendors store sensitive data about their customers, especially companies like law firms that are privy to intimate business secrets. They represent an attractive target for threat actors seeking information to monetize through extortion or other means.
How do you assess and mitigate supplier risk?
Whatever the specific type of supply chain risk, the end result could be the same: financial and reputational damage, and the risk of lawsuits, operational disruptions, lost sales, and angry customers. However, these risks can be managed by following some industry best practices. Here are eight ideas:
- Conduct due diligence on any new supplier. This means checking that their security program aligns with your expectations and that they have basic measures in place to protect, detect and respond to threats. For software vendors you should also check whether they have a vulnerability management program and what their reputation is for the quality of their products.
- Manage open source risks. This could mean using software composition analysis (SCA) tools to gain visibility into software components, along with continuous vulnerability and malware scanning and timely fixing of any bugs. Also ensure that developer teams understand the importance of security by design when developing products.
- Conduct a risk review of all suppliers. This starts with understanding who your vendors are and then checking whether they have basic security measures in place. This should extend to their respective supply chains. Conduct frequent checks and verify accreditation with industry standards and regulations where appropriate.
- Keep a list of all your approved suppliers and update it regularly based on your audit results. Regularly checking and updating the supplier list will enable organizations to conduct thorough risk assessments, identifying potential vulnerabilities and ensuring suppliers adhere to cybersecurity standards.
- Establish a formal supplier policy. This should outline your requirements for mitigating vendor risk, including any SLAs that need to be met. It serves as a foundational document setting out the expectations, standards and procedures suppliers must adhere to in order to protect the security of the entire supply chain.
- Manage supplier access risks. Apply the principle of least privilege to any vendor that requires access to the company network: grant only the systems and permissions the engagement needs, and revoke them when it ends. This can be implemented as part of a Zero Trust approach, in which no user or device is trusted until verified, with continuous authentication and network monitoring adding a further layer of risk mitigation.
- Develop an incident response plan. In the event of a worst-case scenario, ensure you have a well-rehearsed plan to contain the threat before it spreads from a supplier into your own organization. This should include how to liaise with your suppliers' security teams.
- Consider implementing industry standards. ISO 27001 and ISO 28000 provide many useful ways to accomplish some of the steps listed above in order to minimize supplier risk.
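As an added illustration of the "manage open source risks" step above (not code from the original article or from any SCA vendor), the following script shows what a software composition analysis tool does at its core: it reads a software bill of materials, here a CycloneDX-style JSON fragment constructed inline, and matches each component against an advisory list using the half-open "introduced/fixed" version ranges that advisory databases use. The component names, versions and advisory identifiers (EXAMPLE-000x) are constructed assumptions, not real packages or CVEs.

```python
"""Minimal SCA-style matcher: SBOM components against advisory version ranges.

Added example, not code from the original article. Package names, versions and
advisory IDs below are constructed for illustration and are not real advisories.
"""
import json
import re

# Constructed SBOM fragment in the CycloneDX JSON shape (name + version only).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-logger", "version": "2.14.1"},
        {"type": "library", "name": "example-http", "version": "1.9.0"},
        {"type": "library", "name": "example-yaml", "version": "5.4"},
    ],
})

# Constructed advisories. Affected range is [introduced, fixed), i.e. the
# "fixed" version itself is NOT affected, matching common advisory semantics.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "example-logger",
     "introduced": "2.0.0", "fixed": "2.15.0", "severity": "critical"},
    {"id": "EXAMPLE-0002", "package": "example-http",
     "introduced": "1.0.0", "fixed": "1.8.0", "severity": "high"},
    {"id": "EXAMPLE-0003", "package": "example-yaml",
     "introduced": "0", "fixed": "5.4.1", "severity": "medium"},
]


def parse_version(version):
    """Turn '2.14.1' into a comparable tuple, padding so '5.4' == '5.4.0'.

    Non-numeric fragments (e.g. '1.0rc1') keep only their leading digits; a
    real SCA tool would apply the ecosystem's versioning rules instead.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """Half-open range check: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def components_from_sbom(sbom_json):
    """Extract (name, version) pairs from a CycloneDX-style JSON document."""
    bom = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def scan(sbom_json, advisories):
    """Return one finding per (component, advisory) pair whose range matches."""
    findings = []
    for name, version in components_from_sbom(sbom_json):
        for adv in advisories:
            if adv["package"] != name:
                continue
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed"],
                })
    return findings


if __name__ == "__main__":
    for f in scan(SBOM_JSON, ADVISORIES):
        print(f"{f['severity'].upper():8} {f['component']}=={f['version']} "
              f"hit by {f['advisory']}; upgrade to >= {f['fixed_in']}")
```

Note the example-http component: its version 1.9.0 is above the advisory's "fixed" boundary, so it is correctly reported as clean, while "5.4" for example-yaml is treated as 5.4.0 and flagged. In practice the advisory feed would come from a source such as OSV or a vendor database, and the SBOM from your build pipeline, but the matching logic is the same.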
According to one report, there were 40% more supply chain attacks in the United States last year than malware-based attacks, and the resulting breaches affected over 10 million people. It is time to take back control through more effective supplier risk management.