Secure your supply chain with these 3 strategic steps
Third-party attacks are one of the most prominent trends within the threat landscape, showing no signs of slowing down, as demonstrated by recent high-profile cyber incidents in the retail sector.
Third-party attacks are very attractive to cybercriminals: threat actors drastically increase their chances of success and return on investment by exploiting their victims’ supplier networks or open-source technology that numerous organizations rely on.
A supply chain attack is one attack with multiple victims, with exponentially growing costs for the those within the supply chain as well as significant financial, operational and reputational risk for their customers.
In a nutshell, in the era of digitization, IT automation and outsourcing, third-party risk is impossible to eliminate.
Katherine Kearns, Head of Proactive Cyber Services, EMEA, at S-RM, and Peter Sweetbaum, CEO of Ethixbase360.
Global, multi-tiered and more complex supply chains
With supply chains becoming global, multi-tiered and more complex than they have ever been, third-party risks are increasingly hard to understand.
Supply chain attacks can be extremely sophisticated, hard to detect and hard to prevent. Sometimes the most innocuous utilities can be used to initiate a wide-scale attack. Vulnerable software components that modern IT infrastructures run on are difficult to identify and secure.
So, what can organizations do to improve their defenses against third-party risk? We have outlined three areas organizations can take to build meaningful resilience against third-party cyber risk:
1. Identify and mitigate potential vulnerabilities across the supply chain
Understanding third-party risk is a significant step towards its reduction. This involves several practical steps, such as:
i) Define responsibility for supply chain cyber risk management ownership. This role often falls between two stools – the internal security teams who will focus primarily on protecting the customer, while the compliance and third-party risk management programs who own responsibility for third party risk and conduct, but don’t feel confident addressing cyber risks given their technical bias.
ii) Identify, inventory and categorize third parties, to determine the most critical supplier relationships. From a cyber security perspective, it is important to identify suppliers who have access to your data, access into your environment, those who manage components of your IT management, those who provide critical software, and – last but not least – those suppliers who have an operational impact on your business.
This is a challenging task, especially for large organizations with complex supply chains, and often requires security teams to work together with procurement, finance and other business teams to identify the entire universe of supplier relationships, then filter out those out of scope from a cyber security perspective.
Assess risk exposure by understanding the security controls suppliers deploy within their estate or the security practices they follow during the software development process, and highlight potential gaps. It is important to follow this up with agreement on the remediation actions acceptable to both sides, and to work towards their satisfactory closure. The reality is that suppliers are not always able to implement the security controls their clients require.
Sometimes this leads to client organizations implementing additional resilience measures in-house instead – often dependent on the strength of the relationship and the nature of the security gaps.
Move away from point-in-time assessments to continuous monitoring, utilizing automation and open-source intelligence to enrich the control assessment process. In practice, this may involve identifying suppliers’ attack surfaces and vulnerable externally-facing assets, monitoring for changes of ownership, identifying indicators of data leaks and incidents affecting critical third parties, and monitoring for new subcontractor relationships.
2. Prepare for supply chain compromise scenarios
Regrettably, even mature organizations with developed third-party risk management programs get compromised.
Supply chain attacks have led to some of the most striking headlines about cyber hacks in recent years and are increasingly becoming the method of choice for criminals who want to hit as many victims as possible, as well as for sophisticated actors who want to remain undetected while they access sensitive data.
Preparedness and resilience are quickly becoming essential tools in the kit bag of organizations relying on critical third parties.
In practice, the measures that organizations can introduce to prepare for third-party compromise include:
i) Including suppliers in your business continuity plans. For important business processes that rely on critical suppliers or third-party technology, understand the business impact, data recovery time and point objectives, workarounds, and recovery options available to continue operating during a disruption.
ii) Exercising cyber-attack scenarios with critical third parties in order to develop muscle memory and effective ways of working during a cyber attack that may affect both the third party and the client. Ensure both sides have access to the right points of contact – and their deputies – to report an incident and work together on recovery in a high-pressure situation.
iii) Introducing redundancies across the supply chain to eliminate single points of failure. This is a difficult task, especially in relation to legacy suppliers providing unique services or products. However, understanding your options and available substitutes will reduce dependency on suppliers and provide access to workarounds during disruptive events such as a supply chain compromise.
3. Secure your own estate (monitor third-party access, contractual obligations)
Protecting your own estate is as important as reducing exposure to third-party risk. Strengthening your internal defenses to mitigate damage if a third party is compromised involves a number of important good practice measures, including but not limited to:
i) Enhanced security monitoring of third-party user activity on your network,
ii) Regular review of access permissions granted to third-party users across your network, including timely termination of leavers,
iii) Continuous identification and monitoring of your own external attack surface, including new internet-facing assets and vulnerable remote access methods,
iv) Employee security training and social engineering awareness, including implementation of additional security verification procedures to prevent impersonation of employees and third parties.
Security vetting of third-party users with access to your environment or data
As third-party threats evolve and become more prominent, organizations must have a clear view of who they’re connected to and the risks those connections pose. An end-to-end approach to cyber due diligence, encompassing assessment, monitoring, and response capabilities to threats across their supply chains before damage is done.
Third-party risk will remain a challenge for many organizations for years to come, especially as more threat actor groups begin to explore supply chain compromise as an attractive tactic, offering high rewards with relatively low resistance.
Regulators across all sectors are beginning to pay greater attention to supply chain security. Frameworks such as DORA, NIS2 and the Cyber Resilience Act reflect the growing concerns that supply chain security must be a key component of digital strategy. Those who lead on this issue will be best placed to navigate supply chain compromise.
We list the best identity management software.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro