Securing your organization’s supply chain: Reducing the risks of third parties
When Stephen Hawking said that “we are all now connected by the internet, like neurons in a giant brain”, very few people understood the gravity of his statement.
But ten years on from his famous interview with USA Today, it’s safe to say Hawking was right. Today the web has established a global village, interlinking organizations and allowing all businesses – large and small – to form close relationships regardless of their geographic location.
But one drawback to this connectivity is cybercrime: digitally connected organizations offer criminals the potential to damage multiple businesses with a single attack.
The rise of supply-chain attacks
A recent example is the February 2024 ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group, which left healthcare providers across the whole of the US out of pocket: with Change Healthcare’s claims-processing systems down, they were unable to get reimbursed for their services by insurers.
This highlights how dependent digitally connected organizations are on one another: when one link in the supply chain breaks, the effect cascades down the chain to everyone who relies on it.
Another key issue with connectivity centers on data sharing and network crossovers.
When organizations outsource some of their services to a supplier, or rely on the services of another organization, there will almost always be a transfer of data. In some cases, partners may even need to access an organization’s network as part of their remit. But as soon as an organization’s data moves over to a third party, the risks around it increase.
Responsibility for the safety of the data still resides with its owner, but once it leaves their infrastructure they are depending on the security of their partners to keep it safe. A weakness in a partner’s controls exposes the data to theft just as surely as a weakness in the owner’s own.
Just look at MOVEit, the highly publicized mass-exploitation campaign of 2023.
The Cl0p ransomware operation exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in MOVEit Transfer, a widely used managed file transfer product, to steal the files of many organizations whose data passed through it. Notably, many of the victims did not run MOVEit themselves: their payroll, pension or benefits providers did, and the data had been handed to those suppliers in the ordinary course of business. In total, estimates suggest over 2,000 organizations were impacted, affecting 60 million individuals and costing around $10 billion. This shows that the interconnectivity of the web, while benefitting organizations, also increases management challenges, especially when data security is put at risk.
Unfortunately, these types of supply-chain attacks are becoming more prominent, and organizations don’t always need to be digitally connected to a supplier to suffer the consequences. As organizations scale, their partner ecosystem grows with them. Not every supplier needs access to the organization’s network; many simply provide a service. But a disruption to that service can still have a significant impact on the organization.
It’s therefore important that all organizations carry out due diligence on their suppliers to understand the controls they have in place to protect their assets. When organizations enter partnerships, they should be confident that a cyber-attack on a supplier won’t take down their services as well.
How can this be achieved?
Vetting the supply chain
Despite these risks, there are many steps organizations can take to vet their partners and improve their resilience against third-party attacks.
Some of the most important steps include:
1. Inventory supply chain:
The most important step for organizations is understanding who their partners are. This needs to be an inventory of all partners across all departments, recording for each one whether data is shared with the partner (and what kind), what access they have into internal systems, and whether the organization depends on that supplier’s service to function properly or to deliver a service of its own.
2. Identify critical suppliers:
Once this initial inventory has taken place, organizations must then identify their critical suppliers. These are the partners that support business as usual operations, either providing services required by the organizations, or providing a service on the organization’s behalf.
After these suppliers have been identified, the organization must then work hard to understand what access they have to their network and how data is shared with the supplier. It’s also important to understand the impact a breach on a partner would have to the business.
Could it put a critical service at risk? What would be the financial impact? How would customers be affected? These questions must be answered.
3. Questionnaires and control assessments:
Once all suppliers have been identified, it’s important to ask them to fill out questionnaires around cyber security practices as well as regulatory compliance.
Questions should focus on employee cyber-awareness training, patch management, incident response, and adherence to recognized frameworks such as the NIST Cybersecurity Framework or ISO/IEC 27001. Because a questionnaire is self-attestation, ask for evidence behind the answers where it matters: a current ISO/IEC 27001 certificate, a SOC 2 Type II report, or a recent penetration test summary.
There should be no red flags in these questionnaires. If partners aren’t adopting comprehensive security measures, it’s time to disconnect. For critical suppliers, more detailed control reviews are recommended.
The most important thing is for businesses to have assurance that their partners are cyber resilient. Partners must demonstrate they have strategies in place which not only prevent attackers breaking into their systems, but also allow them to mitigate attacks quickly and effectively without impacting services or partners.
4. Technical measures:
For partners that require direct access to the network, it’s important to ensure they connect over an authenticated, encrypted channel, such as a VPN or a zero-trust access broker, using supplier-specific accounts with multi-factor authentication, so that each supplier’s access can be monitored and revoked on its own.
In addition to this, where possible, it’s important to segment the network so suppliers can reach only the systems they are contracted to support and never mission-critical data. The default for a partner connection should be deny, with each allowed destination and port added explicitly and denied attempts logged. The focus must be on limiting unnecessary exposure, so that an attacker who compromises one side of the connection cannot pivot across it to the other side’s network and data.
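As an added example (not from the original article), here is an nftables ruleset that implements the default-deny, explicit-allow stance described above for a partner connection. All addresses are assumed for illustration: 10.200.0.0/24 is the pool a VPN or access broker assigns to supplier sessions, 10.10.5.20 is the single application host the supplier is contracted to support, and 10.10.9.0/24 is the mission-critical segment the supplier must never reach.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original article. Assumed addressing:
#   10.200.0.0/24  pool handed to supplier VPN / access-broker sessions
#   10.10.5.20     the one application host the supplier supports
#   10.10.9.0/24   mission-critical segment (finance, patient data) off limits to suppliers

table inet partner_access {
    set partner_vpn {
        type ipv4_addr
        flags interval
        elements = { 10.200.0.0/24 }
    }

    set critical_segment {
        type ipv4_addr
        flags interval
        elements = { 10.10.9.0/24 }
    }

    # Base chain: only traffic sourced from the partner pool is sent to the
    # partner policy. Other zones are governed by their own tables, so the
    # policy here is accept rather than drop.
    chain forward {
        type filter hook forward priority filter; policy accept;
        ip saddr @partner_vpn jump partner_filter
    }

    # Everything a supplier session is allowed to do, and nothing else.
    chain partner_filter {
        # Replies within connections we already permitted
        ct state established,related accept
        ct state invalid drop

        # Explicit deny before any allow: a later, broader allow rule can
        # never reach the critical segment by accident. Logged, so a pivot
        # attempt from a compromised supplier account is visible.
        ip daddr @critical_segment log prefix "partner->critical DROP " drop

        # The contracted need: SSH and HTTPS to the one application host
        ip daddr 10.10.5.20 tcp dport { 22, 443 } accept

        # Default deny for the partner pool, also logged
        log prefix "partner DROP " drop
    }
}
```

Load it with `nft -f partner_access.nft` on the gateway that routes partner traffic (the file assumes the table does not already exist; run `nft delete table inet partner_access` before reloading an edited version). Drops from both rules carry a log prefix, so an attempt to move from the supplier’s host into the critical segment shows up in the kernel log (`journalctl -k | grep partner`) rather than failing silently, which is the signal a detection team should alert on.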
Conclusion
As more supply-chain attacks surface, third-party security is becoming critical for all businesses. Organizations must vet their suppliers, ensuring they practice good cyber security hygiene, while also working to limit exposure when attacks do occur on their partners.
Taking these steps is essential in today’s digital world. Just as Stephen Hawking said, the internet has connected us all, and the six degrees of separation that once stood between organizations have shrunk to far fewer.