A need for organizations to strengthen their third-party risk management practices.
The Securities and Exchange Commission (SEC) recently charged software company SolarWinds and its Chief Information Security Officer (CISO) with fraud and internal control failures. The prospect of a public CISO being indicted will be chilling to other C-suite members, calling into question their accountability and potentially vacating the post where talent is in short supply. As a reminder, the SolarWinds attack was one of the most profound supply chain disruptions in recent memory. State-sponsored attackers injected malicious code into SolarWinds’ Orion software used to channel updates to customers, which compromised thousands of organizations and federal agencies, including the Department of Justice and Homeland Security.
The SolarWinds attack wasn’t an isolated incident. Supply chain attacks have tripled in 12 months, and threat actors increasingly leverage software vulnerabilities to infiltrate organizations, conduct reconnaissance, propagate malware, or gain unauthorized access to restricted data stores.
How Do Supply Chain Attacks Work?
Supply chain attacks can take many forms. For instance, attackers can use phishing and social engineering to steal login credentials from a vendor or a supplier to gain access (Twilio, for example). Another form is where threat actors inject malicious code into firmware or software developed or distributed by a supplier; this malicious software is then used to infiltrate and compromise other organizations (NotPetya, for example). Attacks can also exploit vulnerabilities in supplier systems or software, which can then be used to compromise other organizations (MOVEit, for example).
How Can Organizations Mitigate Supply Chain Attacks?
Let’s explore some practical steps and best practices to help organizations build a more robust cybersecurity posture against supply chain compromise.
1. Build a cybersecurity program based on risk
Building an effective supply chain defense starts with thoroughly understanding what’s at stake. Identify your crown jewels (e.g., customer lists, intellectual property, financial statements, credit card data, personally identifiable information). Evaluate the exposure to third parties by creating and maintaining a software bill of materials (SBOM). List all potential third-party risks such as theft or tampering, service or system disruptions, ransomware attacks, data exfiltration, and vulnerabilities in software or applications. Now, prioritize them based on their revenue impact and the likelihood of those risks occurring. Finally, assess whether your security controls, policies, and processes are enough to counter those threats.
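The steps above (inventory third-party components via an SBOM, match them against known exposures, then rank by business impact times likelihood) carried through as working code. This is an added example, not code from the original article or from any product it mentions; the CycloneDX-style SBOMs, the advisory entries, the per-application impact ratings and the likelihood bands are all constructed for illustration, and the package names and advisory identifiers are placeholders.

```python
import json

# Constructed CycloneDX-style SBOMs, one per application. Real SBOM generators
# emit the same shape: metadata.component names the application, and
# components lists its third-party dependencies with a package URL (purl).
SBOMS = {
    "billing-api": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"type": "application", "name": "billing-api", "version": "3.2.0"}},
        "components": [
            {"type": "library", "name": "acme-log-helper", "version": "2.14.1",
             "purl": "pkg:maven/acme/acme-log-helper@2.14.1"},
            {"type": "library", "name": "acme-json-parser", "version": "1.0.3",
             "purl": "pkg:npm/acme-json-parser@1.0.3"},
        ],
    }),
    "marketing-site": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"type": "application", "name": "marketing-site", "version": "7.1.0"}},
        "components": [
            {"type": "library", "name": "acme-json-parser", "version": "1.0.3",
             "purl": "pkg:npm/acme-json-parser@1.0.3"},
            {"type": "library", "name": "acme-image-resizer", "version": "4.0.0",
             "purl": "pkg:npm/acme-image-resizer@4.0.0"},
        ],
    }),
}

# Constructed advisory feed keyed by purl (placeholder ids, not real CVEs).
# "exploited" marks advisories with known exploitation in the wild.
ADVISORIES = {
    "pkg:maven/acme/acme-log-helper@2.14.1": {"id": "ADV-EXAMPLE-0001", "cvss": 9.8, "exploited": True},
    "pkg:npm/acme-json-parser@1.0.3": {"id": "ADV-EXAMPLE-0002", "cvss": 5.3, "exploited": False},
}

# Constructed business-impact rating per application, 1 (low) to 5 (crown jewels).
IMPACT = {"billing-api": 5, "marketing-site": 2}


def likelihood(advisory):
    """Map an advisory to a 1-5 likelihood band (assumed banding, not a standard).

    CVSS sets the base band; known exploitation in the wild raises it by one.
    """
    cvss = advisory["cvss"]
    base = 1 if cvss < 4.0 else 2 if cvss < 7.0 else 3 if cvss < 9.0 else 4
    return min(5, base + (1 if advisory["exploited"] else 0))


def triage(sboms, advisories, impact, default_impact=3):
    """Parse each SBOM, match components against advisories, and rank
    findings by impact x likelihood, highest first.

    Applications with no impact rating get a medium default so an unrated
    system is surfaced rather than silently dropped.
    """
    findings = []
    for app, raw in sboms.items():
        bom = json.loads(raw)
        if bom.get("bomFormat") != "CycloneDX":
            raise ValueError(f"{app}: not a CycloneDX SBOM")
        app_impact = impact.get(app, default_impact)
        for comp in bom.get("components", []):
            adv = advisories.get(comp.get("purl"))
            if adv is None:
                continue  # no known exposure for this component
            lk = likelihood(adv)
            findings.append({
                "app": app,
                "component": f"{comp['name']}@{comp['version']}",
                "advisory": adv["id"],
                "impact": app_impact,
                "likelihood": lk,
                "score": app_impact * lk,
            })
    return sorted(findings, key=lambda f: (-f["score"], f["app"], f["component"]))


if __name__ == "__main__":
    for f in triage(SBOMS, ADVISORIES, IMPACT):
        print(f"{f['score']:>3}  {f['app']:<15} {f['component']:<28} {f['advisory']}")
```

The same vulnerable parser shows up in both applications but lands at very different ranks, because the score is driven by where the component is deployed, not just by the advisory's severity; that is the point of tying the SBOM back to the crown-jewel inventory before prioritizing.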
2. Determine the cybersecurity competency of suppliers
Cyber risks can rise exponentially when third parties are thrown into the mix. Therefore, organizations must evaluate whether existing partners and suppliers meet the required security criteria, standards, and protocols. To achieve this, businesses can demand a self-assessment from the partner or hire an expert to conduct a holistic assessment. A vendor risk questionnaire [e.g. FICO CyberRisk Score, Standardized Information Gathering (SIG) questionnaire, or CAIQ by Cloud Security Alliance] is a handy tool for gathering responses from partners in a standardized manner. Once surveys are completed, security teams can assign risk scores based on suppliers’ threat assessment and competency.
3. Invest in the right systems and tools
As many as 60% of organizations have more than 1000 suppliers. Managing, securing, and monitoring such a large network of third parties can be complicated and labor-intensive. Tools like IT vendor risk management solutions and GRC (governance, risk, and compliance) platforms can make vendor onboarding, management, and risk monitoring more organized and systematic. Additionally, it is recommended that third parties also deploy security controls such as managed detection and response (MDR), data leakage prevention (DLP), intrusion prevention systems (IPS), and multi-factor authentication. They should follow security standards and practices, including regular penetration testing and employee security awareness training.
4. Keep compliance and regulations in check
Regulators, investors, and other stakeholders increasingly demand transparency and compliance in controlling third-party risks. Moreover, if a supplier or third party fails to secure your data or to report a security incident promptly and adequately, the parent organization can face direct and dire legal consequences. Evaluate what your supplier collects, stores, manages, and processes. Determine who their key contacts responsible for cybersecurity are and whether they already have processes to meet the stringent requirements of major regulations and frameworks. Compliance doesn’t automatically make an organization secure. However, it is an indicator of whether a supplier takes cybersecurity seriously or not.
5. Have a vendor risk program in place
Vendor risk is always evolving; thus, vendor risk management is always a moving target. Businesses get acquired, suffer losses, and experience cyber-attacks; this can directly and permanently impact their risk posture. Ensuring strict vendor oversight and implementing a monitoring process is equally as important as conducting due diligence when selecting vendors. Vendors must be assessed across cybersecurity, financial, operational, regulatory, legal, and privacy risk, and their profile must be re-evaluated for any changes. If organizations do not have a vendor risk management process, they should hire a third party to help conduct an assessment at regular intervals.
The increasing number of supply chain attacks is a wake-up call for organizations to immediately address third-party risks, improve supply chain defenses, and deploy incident response processes in the overall supplier ecosystem. Following the above best practices can help organizations kickstart their journey to building a more resilient third-party risk management program.
How can your organization enhance its software supply chain defenses? Why is third-party risk management crucial in today’s cybersecurity landscape? Let us know on Facebook, X, and LinkedIn. We’d love to hear from you!