The world is built on supply chains. They are the connective tissue that facilitates global trade and prosperity. But these networks of overlapping and inter-related companies are increasingly complex and opaque. Most involve the supply of software and digital services, or at least are reliant in some way on online interactions. That puts them at risk from disruption and compromise.
SMBs in particular may not be proactively looking to manage security in their supply chains, or may lack the resources to do so. But blindly trusting your partners and suppliers on cybersecurity is not sustainable in the current climate. Indeed, it’s (past) time to get serious about managing supply chain risk.
What is supply chain risk?
Supply chain cyber risks can take many forms, from ransomware and data theft to distributed denial of service (DDoS) and fraud. They may impact traditional suppliers such as professional services firms (e.g., lawyers, accountants), or vendors of business software. Attackers may also go after managed service providers (MSPs), because by compromising a single company in this way, they could gain access to a potentially large number of downstream client businesses. Research from last year revealed that 90% of MSPs suffered a cyberattack in the previous 18 months.
Here are some of the main types of supply chain cyberattack and how they happen:
- Compromised proprietary software: Cybercriminals are getting bolder. In some cases, they’ve been able to find a way to compromise software developers, and insert malware into code that is subsequently delivered to downstream customers. This is what happened in the Kaseya ransomware campaign. In a more recent case, popular file transfer software MOVEit was compromised via a zero-day vulnerability, and data was stolen from hundreds of corporate users, impacting millions of their customers. Meanwhile, the compromise of the 3CX communication software went down in history as the first-ever publicly documented incident of one supply-chain attack leading to another.
- Attacks on open-source supply chains: Most developers use open source components to accelerate time to market for their software projects. But threat actors know this, and have begun inserting malware into components and making them available in popular repositories. One report claims there’s been a 633% year-on-year increase in such attacks. Threat actors are also quick to exploit vulnerabilities in open source code which some users may be slow to patch. This is what happened when a critical bug was found in a near-ubiquitous tool known as Log4j.
- Impersonating suppliers for fraud: Sophisticated attacks known as business email compromise (BEC) sometimes involve fraudsters impersonating suppliers in order to trick a client into wiring them money. The attacker will usually hijack an email account belonging to one party or the other, monitoring email flows until the time is right to step in and send a fake invoice with altered bank details.
- Credential theft: Attackers steal the logins of suppliers in an attempt to breach either the supplier or their clients (whose networks they may have access to). This is what happened in the massive Target breach of 2013 when hackers stole the credentials of one of the retailer’s HVAC suppliers.
- Data theft: Many suppliers store sensitive data on their clients, especially companies like law firms that are privy to intimate corporate secrets. They represent an attractive target for threat actors looking for information they can monetize via extortion or other means.
How do you assess and mitigate supplier risk?
Whatever the specific supply chain risk type, the end result could be the same: financial and reputational damage and the risk of lawsuits, operational outages, lost sales and angry customers. Yet it is possible to manage these risks by following some industry best practices. Here are eight ideas:
- Carry out due diligence on any new supplier. That means checking their security program aligns with your expectations, and that they have baseline measures in place for threat protection, detection and response. For software suppliers it should also stretch to whether they have a vulnerability management program in place and what their reputation is regarding the quality of their products.
- Manage open source risks. This might mean using software composition analysis (SCA) tools to gain visibility into software components, alongside continuous scanning for vulnerabilities and malware, and prompt patching of any bugs. Also ensure developer teams understand the importance of security by design when developing products.
- Conduct a risk review of all suppliers. This starts with understanding who your suppliers are and then checking whether they have baseline security measures in place. This should extend to their own supply chains. Audit frequently and check for accreditation with industry standards and regulations where appropriate.
- Keep a list of all your approved suppliers and update this regularly according to the results of your auditing. Regular auditing and updating of the supplier list will enable organizations to conduct thorough risk assessments, identifying potential vulnerabilities and ensuring that suppliers adhere to cybersecurity standards.
- Establish a formal policy for suppliers. This should outline your requirements for mitigating supplier risk, including any SLAs that must be met. As such, it serves as a foundational document outlining expectations, standards, and procedures that suppliers must adhere to in order to ensure the security of the overall supply chain.
- Manage supplier access risks. Enforce a principle of least privilege among suppliers, if they require access to the corporate network. This could be deployed as part of a Zero Trust approach, where all users and devices are untrusted until verified, with continuous authentication and network monitoring adding an extra layer of risk mitigation.
- Develop an incident response plan. In the event of a worst-case scenario, ensure you have a well-rehearsed plan to follow in order to contain the threat before it has a chance to impact the organization. This should include how to liaise with teams working for your suppliers.
- Consider implementing industry standards. ISO 27001 and ISO 28000 have lots of useful ways to achieve some of the steps listed above in order to minimize supplier risk.
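As an added example (not from the original article), the approved-supplier list can double as a control against the fake-invoice fraud described earlier: the sketch below checks an incoming invoice's bank details against the approved record before payment. The register layout, field names, finding codes and sample invoices are assumptions constructed for illustration.

```python
import re

# Constructed approved-supplier register: names, domains and IBANs are sample values.
APPROVED_SUPPLIERS = {
    "SUP-001": {"name": "Example HVAC Ltd", "domain": "example-hvac.test",
                "iban": "GB82 WEST 1234 5698 7654 32"},
}

def normalize_iban(iban):
    """Strip whitespace and upper-case so formatting differences do not matter."""
    return re.sub(r"\s+", "", iban).upper()

def iban_checksum_ok(iban):
    """ISO 13616 mod-97 check: rotate the first four characters to the end,
    map letters to 10..35, and require the resulting number mod 97 == 1."""
    iban = normalize_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    rotated = iban[4:] + iban[:4]
    return int("".join(str(int(c, 36)) for c in rotated)) % 97 == 1

def review_invoice(invoice, register=APPROVED_SUPPLIERS):
    """Return finding codes; any finding means hold payment and confirm with the
    supplier through a contact already on file, not one taken from the invoice."""
    supplier = register.get(invoice["supplier_id"])
    if supplier is None:
        return ["UNKNOWN_SUPPLIER"]
    findings = []
    sender_domain = invoice["sender"].rsplit("@", 1)[-1].lower()
    if sender_domain != supplier["domain"]:
        findings.append("SENDER_DOMAIN_MISMATCH")
    if not iban_checksum_ok(invoice["iban"]):
        findings.append("IBAN_INVALID")
    elif normalize_iban(invoice["iban"]) != normalize_iban(supplier["iban"]):
        findings.append("BANK_DETAILS_CHANGED")
    return findings

# Constructed invoices. The second comes from the supplier's real (hijacked)
# mailbox, so only the bank-detail comparison catches it.
GENUINE = {"supplier_id": "SUP-001", "sender": "billing@example-hvac.test",
           "iban": "GB82WEST12345698765432"}
HIJACKED = {"supplier_id": "SUP-001", "sender": "billing@example-hvac.test",
            "iban": "DE89 3704 0044 0532 0130 00"}
LOOKALIKE = {"supplier_id": "SUP-001", "sender": "billing@examp1e-hvac.test",
             "iban": "GB82WEST12345698765433"}

if __name__ == "__main__":
    for label, inv in [("genuine", GENUINE), ("hijacked", HIJACKED), ("lookalike", LOOKALIKE)]:
        print(label, review_invoice(inv) or "no findings")
```

An empty result only means the invoice matches the record on file; changes to the register itself need the same out-of-band confirmation.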
In the US last year, there were 40% more supply chain attacks than malware-based attacks, according to one report. They resulted in breaches impacting over 10 million individuals. It’s time to take back control through more effective supplier risk management.