Blindly trusting your suppliers on their security posture is not sustainable

The world is built on supply chains, which are the fabric of the business system. However, these networks of overlapping and interrelated supplier companies are increasingly complex for enterprise security workers.

SMEs, in particular, may not proactively seek or have the resources to manage security in their supply chains. However, blindly relying on what their partners’ and suppliers’ cyber security managers say is not sustainable in the current scenario. It is one of our own security blind spots, as many of them have access to sensitive company information or business-critical infrastructure.

What is supply chain risk?

Supply chain cyber risks can take many forms, from ransomware and data theft to denial of service (DDoS) and fraud. They can affect traditional suppliers, such as professional services firms (lawyers, accountants, etc.) or enterprise software providers. Attackers can also target managed service providers (MSPs) since attacking such a company simultaneously gives access to all of its business customers. In fact, a 2023 study revealed that 90% of MSPs suffered a cyberattack in the previous 18 months.

Here are some of the main types of supply chain cyber-attacks and how they happen:

Compromised proprietary software: Cybercriminals are getting bolder. In some cases, they have found ways to compromise software developers and insert malware into code that is then delivered to downstream customers, leaving the criminals to follow the trail.

Attacks on open source supply chains: Most developers use open source components to speed their software projects to market. But the bad guys know this and have started inserting malware into the components and making them available to users in popular repositories. One report states that there has been a 633% year-on-year increase in such attacks.

Vendor impersonation to commit fraud: Sophisticated attacks known as ‘business email compromise’ (BEC) sometimes involve fraudsters posing as vendors to trick customers into transferring money to them. The attacker usually hijacks an email account belonging to one or the other.

The attacker usually hijacks an email account belonging to one or the other party; monitoring email flows until the time is right to intervene and send a fake invoice with altered bank details.

Credential theft: Attackers steal suppliers’ usernames to breach their identity or that of their customers (to whose networks they may have access).

Data theft: Many vendors store sensitive customer data, especially companies like law firms, which are privy to intimate corporate secrets. They represent an attractive target for threat actors seeking information they can monetize through extortion or other means.

How to assess and mitigate supplier risk?

Whatever the specific type of supply chain risk, the result can be the same: financial and reputational damage and risk of lawsuits, operational disruptions, lost sales and angry customers. However, it is possible to manage these risks by following industry best practices. Here are eight ideas:

Conduct due diligence on any new supplier. This means checking that their security programme meets your expectations and that they have essential threat protection, detection, and response measures in place. Software vendors should also be checked for a vulnerability management programme and their reputation for the quality of their products. How can I check?

FIRST STEPS

1. a) Conduct a risk review of all vendors. Start by finding out who your suppliers are and checking whether they have basic security measures. This should extend to your supply chains. Conduct frequent audits and check their compliance with industry standards and regulations where appropriate.
2. b) Maintain a list of all your approved suppliers and update it regularly based on the results of your audits. Periodically auditing and updating the list of suppliers will enable organizations to conduct thorough risk assessments, identify potential vulnerabilities and ensure that suppliers comply with cybersecurity standards.
3. c) Establish a formal policy for suppliers. This should outline the requirements for mitigating supplier risk, including the service level agreements that must be met. As such, it serves as a foundational document outlining the expectations, standards and procedures suppliers must meet to ensure the security of the entire supply chain.

THEN…

Once this first step is clear, the second step is simple: attack them. Let’s do what a responsible hacker would do: do a digital walk around the perimeter, looking from the outside, where they have a digital crack to get in, some vulnerability in their digital perimeter.

Then, he scours their deepest vulnerabilities on the black market on the Web and on the Deep Web. In short, it scans your digital footprint and risks before closing any deals. It is not intrusive. Whatever you find, it’s because it’s available—for you who don’t want anything bad and for those who do have bad intentions.

This security check is reliable because you have done it.

…AND FINALLY

Then, manage supplier access risks. Apply the principle of least privilege among suppliers if they need access to the corporate network. This could be applied as part of a zero-trust approach, where all users and devices are untrusted until verified, with continuous authentication and network monitoring adding an additional layer of risk mitigation.

Develop an incident response plan. In a worst-case scenario, ensure you have a well-rehearsed plan to contain the threat before it can affect the organization. This will include how to liaise with teams working for your suppliers.

Consider applying industry standards. ISO 27001 and ISO 28000 have many valuable ways of achieving some of the abovementioned steps to minimize supplier risk.