The world has never been more interconnected, with cloud and digital technology allowing companies to flourish and succeed globally. However, this interconnectedness comes with elevated risk: partners, vendors, and third parties can expose companies, and malicious hackers are known to target organizations through their supply chain. As a result, supply chain risk management has become a critical component of any company’s risk management and cybersecurity strategy.
In this article, we’ll go over the risks of supply chain attacks, how organizations can protect themselves, and how to reduce the risk that a supply chain attack may bring down an organization.
While there are general risks to be aware of when depending on various supply chain partners, we’re going to focus on active attacks that can affect you, like the one that impacted SolarWinds and its clients, who happened to be many of the world’s major companies.
The SolarWinds attack was a wake-up call for many organizations. A state-sponsored hacking group successfully infiltrated SolarWinds, which provided infrastructure services to over 80% of the Fortune 500, federal government agencies, and hundreds of public educational organizations.
The attackers lurked in organizations’ networks, focused on evading detection and stealing information, highlighting how critical third parties could be an exploitable point of vulnerability for even the world’s most successful companies. More than ever before, an organization’s supply chain must be part of any risk management strategy.
Supply Chain Risks
Supply Chain Risk Management is the act of ensuring your suppliers aren’t exposing you to any risks and managing the threat that could come your way if your suppliers are somehow attacked, breached, or succumb to some other kind of threat or incident.
There are a variety of threats facing your supply chain and knowing what they are is essential to ensure you’re protected and have the right process in place to mitigate the damage in the worst-case scenario.
Cloud-Based Vendor Risk
The emergence of the cloud has given companies the capabilities to rely on cloud-based vendors for many of their critical and non-critical business processes. Think content management systems, social media management, and database hosting and services, to name a few.
Attackers can target these critical vendors, knowing it could give them access to the data and/or systems of a high number of companies. However, if a malicious actor is specifically targeting your business, they may attack one of your less-critical vendors in the hopes that their security isn’t as up to par and may give access to your data.
Open Source Risks
Software vendors rely on open-source software in order to deliver their services or function properly, which creates a risk. Open-source software means the source code is public, which makes the software accessible and low-cost and allows anyone to improve upon the source code.
While these are usually benefits that allow for more agility and community improvements while keeping costs low, public source code also allows a bad actor to comb through it and find any vulnerabilities they can expose and exploit. If you aren’t aware of the vulnerability, then you’re leaving yourself open to an attack.
Hardware (Backdoor) Risks
The risks aren’t all digital. The companies you’re relying on for your security cameras, your printers or your wireless connections (like modems and routers) also pose a risk. Hardware almost always comes with some digital or wireless component, widening an organization’s attack surface.
If these hardware devices have hardcoded passwords or minimal security, or if you’ve left the default passwords intact, you’re leaving yourself wide open. A malicious hacker who wants to obtain sensitive data or reach your network can easily find their way in via these insecure devices.
How Organizations Can Reduce their Supply Chain Risk
Knowing the risks posed to your supply chain is only the start. To effectively manage your supply-chain risk, you need to approach it holistically and comprehensively, looking at internal and external factors.
Know Your Threat
Nation-state actors are constantly targeting companies, looking to steal IP, target companies who work with governments, or make their way into a company until they can either take down the network or siphon off information until they’re caught. These bad actors can leverage many of the risks detailed above or leverage multiple risk factors in order to attack a company’s third parties.
As we’ve mentioned before, the SolarWinds attack was the result of a foreign-based actor, and the US has also barred telecommunication devices from certain countries from being used for critical infrastructure, citing national security.
Understand Each Supply-Chain’s Risk Profile
If a company like Slack is brought down, your organization’s capability to communicate will be impacted but you can still rely on other forms of communication. Ultimately, it won’t affect your business services.
However, if your cloud service provider is attacked and brought down, that may affect your website, your data, and your customers’ data, severely affecting your organization’s ability to perform its services.
Manage Your Vendor’s Integration
Let’s take the Slack example from earlier. If a malicious hacker is specifically targeting your organization and knows Slack is a vendor, they may leverage vulnerabilities to try and access your organization’s Slack, find important data, lurk in sensitive channels, and even get inside your organization’s network.
But if you’ve set up your Slack (or similar vendors) with security in mind, you can ensure a vendor isn’t providing unnecessary access to your network or data.
Successful Supply Chain Risk Management Strategies
Managing your supply chain risk can be complicated, especially compared to securing your own internal systems and environments. It’s an ongoing effort and should be a consistent part of your overall risk management and cybersecurity strategy. Here are some tactical strategies to consider to protect yourself from supply chain attacks.
Understand Your Supply-Chain Ecosystem
Not having the right visibility of your supply chain will make managing risk incredibly difficult. You should work cross-functionally with other departments to make sure you have a list of all your supply chain vendors, third parties, and partners. From there, identify which of these vendors and partners expose you to the most risk. If attacked, will they impact your organization’s ability to perform or serve your customers? If they’re breached, does that expose your data or network?
Understanding how critical these vendors are will help you prepare the right incident response plan.
Limit Your Supply Chain’s Network Access and Integrations
Many hackers and threat actors actively try to reach an organization through its third parties, hoping to evade detection and take advantage of a third party’s poor security. However, if you have the right network segmentation in place, limit your third parties’ network access, and ensure they are only handling necessary data, you’re limiting the kind of damage a hacker can inflict on your own network.
Monitor Your Network For Any Suspicious Activity
You can’t prevent network access across your entire supply-chain environment, so make sure you have some kind of monitoring and tracking in place. If one of your supply chain vendors is acting irregularly and perhaps accessing unnecessary data or parts of your network, it may suggest a compromise.
Prepare an Incident Response Plan for Your Business Critical Vendors
For your business-critical supply chain vendors and partners, you need to plan for the worst-case scenario and prep accordingly with an incident response plan. Imagine a worst-case scenario where a critical vendor is rendered incapable. How will you communicate with your customers? Is there another vendor or in-house solution you can rely on? How quickly can you get back to business as usual (BAU) while preventing further damage?
As you plan for these scenarios, prioritize getting back to business as usual as quickly as possible, minimize any data exfiltration, and ensure you have a communication strategy in place if the incident is publicized. This will ensure you can serve your customers without risking your own systems or network while also maintaining your reputation.
Putting It All Together
Ideally, supply chain risk management should be considered holistically and be part of an overall risk management framework. This ensures you’re managing your risk internally and externally and giving your department the best way to handle risks as your company grows internally and leverages any new vendors.