Securing the Supply Chain

It can be hard enough to properly secure an organization's own IT infrastructure. Securing everything from servers and cloud services to endpoints and networks consumes an awful lot of resources.

Even when it’s done right, supply chain partners can still undermine your efforts. Properly managing the cybersecurity risks in a supply chain is an important part of maintaining a strong cybersecurity posture.

The global nature of modern supply chains is what makes them vulnerable to attacks. Modern supply chains typically have multiple organizations spread across a number of different regions, all working toward the production of a product or the delivery of a service. It is this complexity that not only makes them difficult to manage but also difficult to secure. 

What Is a Supply Chain Attack?

In their 2019 Internet Security Threat Report, Symantec describes supply chain attacks as those that “exploit third-party services and software to compromise a final target.” 

To make supply chain partnerships more effective, access to data and systems is shared between the parties. A supply chain attack occurs when a malicious actor infiltrates an organization's IT infrastructure by coming in through one of those third-party providers or partners.

Supply chain cybersecurity risks have never been higher as malicious actors and cybercriminals are increasingly attacking supply chain partners as a way of breaching organizations. They see partners as a weaker spot to attack, and more often than not, they are right. 

Supply Chain Attacks On the Rise

According to recent research by the Ponemon Institute, 56% of organizations that suffered a breach found that it was caused by one of their supply chain partners. The driver behind this is an increase in data sharing between supply chain partners: Ponemon found that the average number of third parties with access to systems or data has risen to 471 in large organizations.

To compound matters, only 35% of organizations maintain an up-to-date list of all the supply chain partners with which they share systems access or data.

Making matters even worse, only 18% of the organizations Ponemon surveyed know whether their partners are sharing their data with their own suppliers. That is a huge problem, because customers and regulators do not care who leaked their data into the wild. They hold the company they shared information with responsible, not its supply chain partners.

Many organizations are aware of this risk and are paying more attention. According to Ponemon’s Cyber Risk Report, unauthorized sharing of operational and commercial data by supply chain partners is one of the primary concerns among cybersecurity professionals. Forty-one percent stated that they have seen supply chain partner-related incidents in the previous two-year period. 

Over the last few years, supply chain attacks have hit most major software platforms. It has even happened at Apple, which takes cybersecurity very seriously and devotes an enormous amount of resources to it. 

When the Mac and iOS platforms were attacked through an infected version of Apple's Xcode development environment, developers unknowingly built their apps with a malicious copy of the Apple IDE. That meant the attackers could inject malicious code into any app built with it. More than four thousand apps became infected with malicious code. Even after Apple disclosed the threat, hundreds of organizations were found still using the infected software several months later.

It's not just technology organizations and software developers who are at risk from supply chain attacks, either. When Domino's Pizza suffered a security breach, it was because one of their suppliers had inadvertently leaked their customers' names, physical addresses, and email addresses.

Another good example is a much smaller company with less than 50 employees. Deep Root Analytics was hired by the Republican National Party and accidentally put the personal data of two hundred million voters on a publicly accessible server, indicating big problems in their security posture.

Another example of a much larger company being breached via a small supplier is Verizon. When they suffered a data breach of more than six million customer records, it was determined the cause was one of their customer service analytics partners, Nice Systems. Like Deep Root, they had put the data, which included personal data and credentials, on a publicly accessible server.

How Can You Mitigate Supply Chain Risks?

A good first step is to establish proper oversight of supply chain partners and their data sharing policies. According to Ponemon, taking this one step reduces the chance of a breach through a third-party supplier by up to 20 percent. If you go a step further and evaluate the cybersecurity policies of all of your suppliers, the chance of a third-party breach drops even further. Once you understand who your supply chain partners are and which of them have access to your systems and data, you can properly assess the risks involved and each partner's level of security.

One can even go as far as requiring that partners demonstrate a commitment to the security of the data and systems they have access to. Some companies have partners sign agreements that allow the company to audit the partner's security, or require partners to purchase cyber insurance policies as a further layer of protection.

Of course, not all businesses have the resources to carry out this level of due diligence on their partners. If this is the case with your organization, you can simply request your supply chain partners produce evidence of a third-party cybersecurity audit on their business. 

It is important that organizations with supply chain risk exposure review how their partners access their systems and data. This way, they can ensure that only authorized individuals access those systems and work with that data, and only for approved commercial purposes. In an age of increasing supply chain attacks, organizations must understand where the risks in their partner ecosystem lie and work with their supply chain partners to remediate and mitigate those risks.

It's the only real way to get a handle on supply chain cyber risks.
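The oversight steps above (keep a current partner inventory, check for audit evidence, know who shares data onward, and confirm access matches the approved purpose) can be turned into a repeatable access review. The following is an added example, not code from the original article or from Digital Hands; the register fields, the 365-day review threshold and the sample partner records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Partner:
    name: str
    systems_accessed: list        # systems or data sets the partner can reach
    approved_for: list            # what the contract actually authorizes
    audit_evidence: bool          # third-party security audit report on file?
    last_access_review: date      # when we last confirmed who holds this access
    shares_onward: bool = False   # does the partner pass our data to its suppliers?
    onward_sharing_documented: bool = False


def review_partner(p, today, max_review_age_days=365):
    """Return a list of findings for one partner (empty list means no issues)."""
    findings = []
    if not p.audit_evidence:
        findings.append("no third-party audit evidence on file")
    if (today - p.last_access_review).days > max_review_age_days:
        findings.append("access review older than %d days" % max_review_age_days)
    if p.shares_onward and not p.onward_sharing_documented:
        findings.append("partner shares data with its own suppliers without documented terms")
    excess = sorted(set(p.systems_accessed) - set(p.approved_for))
    if excess:
        findings.append("access beyond approved purpose: " + ", ".join(excess))
    return findings


def review_register(partners, today, max_review_age_days=365):
    """Map each partner name to its findings so the register can be reviewed as a whole."""
    return {p.name: review_partner(p, today, max_review_age_days) for p in partners}


def partners_needing_attention(report):
    """Names of partners with at least one finding, in a stable order."""
    return sorted(name for name, findings in report.items() if findings)


# Constructed sample register (hypothetical partners, not real organizations).
REVIEW_DATE = date(2025, 6, 1)
SAMPLE_PARTNERS = [
    Partner("Acme Analytics", ["customer_records", "billing"], ["customer_records"],
            True, date(2024, 12, 1), shares_onward=True),
    Partner("Beta Logistics", ["shipping_api"], ["shipping_api"], False, date(2023, 5, 15)),
    Partner("Gamma Support", ["ticketing"], ["ticketing"], True, date(2025, 1, 10),
            shares_onward=True, onward_sharing_documented=True),
]


def run_sample_review():
    return review_register(SAMPLE_PARTNERS, REVIEW_DATE)
```

Running the sample review flags Acme Analytics for undocumented onward sharing and billing access outside its approved purpose, and Beta Logistics for missing audit evidence and a stale access review, while Gamma Support is clean.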

Contact Digital Hands

Digital Hands employs a deeply experienced team of cybersecurity professionals who can help your business get to grips with its supply chain risk exposure. We can help you implement controls and manage third-party risk by discovering which of your partners have access to your systems and making sure that they are taking steps to protect that access.

If you or your partners need a competent security services provider to ensure that you are making the right moves with supply chain security, get in touch with Digital Hands today.