As reliance on remote work and digital commerce increases, so does the risk of sustaining a supply-chain attack, as supply chains are growing increasingly complex and many organizations have yet to fully map all of the vendors that come in contact with their data.
What is a supply chain attack?
A supply-chain attack, also commonly referred to as a third-party or value-chain attack, occurs when a malicious actor accesses an organization’s network by infiltrating a business partner or supplier that comes in contact with its data.
These attacks come with significant financial and reputational consequences. For instance, in 2013, Target suffered one of the largest breaches in retail history when hackers accessed customer payment information by infiltrating one of the company’s HVAC suppliers’ networks. Payment information of over 40 million customers was exposed, resulting in upwards of 90 lawsuits and $61 million spent in response to the breach.
So what can be done to prevent these costly incidents? Here are 8 tips to reduce the risk and impact of supply-chain attacks.
1. Determine who has access to sensitive information
While digital transformation ultimately drives growth, it also affects an organization’s attack surface as new endpoint devices and vendors are introduced. Many companies have yet to identify all of the vendors who come in contact with their data. In order to manage these complex digital footprints, companies should map their third-parties to the data they handle in order to prioritize third-party risk management activities. In many cases, smaller organizations pose a greater risk, as they don’t always have the sophisticated security technology and controls that larger organizations do.
2. Identify assets most likely to be targeted
Understanding what motivates malicious actors and which assets—such as intellectual property or customer information—are most likely to be attacked is an important step in identifying which areas of the supply chain need protection, and how to prioritize investments to protect those assets. Security teams can monitor the safety of digital assets with third-party risk management platforms that provide fast and ongoing visibility into threats within complex supply chains.
3. Conduct third-party risk assessments
Conducting rigorous assessments is essential to understanding vendor risk. A thorough assessment includes measures such as simulations to test incident response capabilities, penetration testing, and on-site inspections. On the technology side, security ratings help organizations obtain a quick and accurate view of vendor security posture, and some providers offer questionnaire validation products that map to compliance frameworks such as NIST, CMMC and GDPR.
4. Apply vendor access controls
Hackers look to access data by way of the path of least resistance, which in many cases, is to infiltrate a company’s network via one of its suppliers. In addition to understanding who has access to digital assets, it’s important for companies to implement strong perimeter controls for vendor access such as multi-factor identification and network segmentation. Vendors should only have access to the information they need to provide their services, and only for as long as they need it.
5. Manage shadow IT
The recent shift to remote work has resulted in accelerated cloud adoption as well as a bring-your-own-device explosion as employees log on to work off premises. Devices or software that IT departments lack direct control over, or shadow IT, require careful and ongoing oversight. Networks should be continuously monitored for unknown devices, and IT departments should issue guidelines so that various business units can understand which technology purchases create security or compatibility issues. While shadow IT introduces risk, it’s also important to examine the need it fills for employees, and how that reflects upon the current state of IT within a company.
6. Identify insider threats
Whether through malicious intent, carelessness or lack of training, employees represent a significant insider threat to information security. Targeting employees or business partners with social engineering or phishing campaigns is one of the easiest ways for cyber attackers to infiltrate a network. While it can be difficult to know when privileged access has been abused by a malicious actor, technology that continuously monitors network activity can automatically alert security teams when credentials may be compromised.
7. Include security language in vendor contracts
Cybersecurity language has an important place in supplier contracts when it comes to having strong information security policies built into vendor relationships from the start. Common stipulations include the right to re-assess a third-party’s security practices and controls, the right to be notified of a breach within a specified timeframe, as well as provisions that dictate how data will be handled throughout the lifecycle of the engagement.
8. Collaborate with third-parties
Establishing meaningful vendor relationships based on trust, transparency and collaboration goes a long way in driving effective joint security efforts. Having a strong partnership makes suppliers more likely to work cooperatively with their customers when it comes to mutual cyber risk management activities such as penetration testing, vulnerability patching, and responding to security questionnaires.
How SecurityScorecard can help
Continuous monitoring is a pillar of many of the third-party risk management activities discussed above, and SecurityScorecard helps companies continuously monitor their networks and their third-parties, so they can respond to security issues in real time and engage in productive, fact-based conversations around remediating security issues.