Written by Harshini Carey, Information Security Specialist at PGI
Warnings about emerging and increasingly sophisticated cyber threats are now a daily occurrence, but one particular threat vector which has consistently surfaced throughout 2020/2021 is the growing threat from supply chains and third-party cyber risks.
A recent survey by cyber security firm BlueVoyant—which involved over 1,500 Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) from across the globe—identified that as many as 77% have limited visibility around their third-party vendors and that 80% have suffered a third-party related breach in the past 12 months.
As to why that matters: it has not been confirmed, but according to a number of cyber security experts, the data breach for which British Airways was fined £183 million last year was most likely a supply chain attack. Even though the fine was eventually reduced, the airline suffered heavy reputational damage. And so the message from the ICO is very clear: if you don’t treat your customer data with the utmost care, expect to be penalised when things go wrong. Would you be happy to give them your credit card details knowing that they might be breached again?
What does a supply chain attack look like?
Often, we think of a supply chain as a physical thing: it might be a truck delivering stock from wholesaler to retailer, or a machine part being shipped from its manufacturer to the company that assembles the end product. Supply chains are also digital. Let’s take two very recent and high-profile attacks as examples: SolarWinds and Accellion.
In these attacks, highly capable cybercrime groups have identified that targeting large technology companies is a major force multiplier in terms of the number of victims and potential profitability. Rather than targeting single victims for modest ransoms, groups are increasingly targeting third-party vendors so that they can exploit access to a wide range of cross-industry targets in one attack.
So, just to recap: the SolarWinds attacks in December 2020 attracted worldwide publicity when around 18,000 SolarWinds customers installed a malicious software update that compromised companies including the top ten US telecommunications companies, the top five US accounting firms, and elements of the US Military, the Pentagon and the State Department. No small feat. Around the same time, another less publicised but equally significant security issue emerged with a security software provider called Accellion. They suffered a breach in their File Transfer Appliance (FTA) tool which resulted in many clients having sensitive data exposed. The list of victims includes Shell, supermarket giant Kroger, Singtel, the Reserve Bank of New Zealand, the Australian Securities and Investments Commission (ASIC) and many federal and government organisations across the globe.
This far-reaching impact led to the issue of a joint security advisory from the UK, US, Australia and Singapore about the ongoing attacks and extortion attempts.
We could also take the NotPetya attack in 2017 as an example and, of course, we can’t forget the most infamous example of a cyber attack via supply chain, Target in the US in 2013. More often than not, the affected companies listed in the media are high-profile, but what those lists don’t show are the companies without a well-known name.
Mitigating the risks of supply chain attacks
Regardless of the size of the company, the BlueVoyant research shows that nearly 80% of information officers have only limited visibility around their organisations’ third-party vendors in general, let alone their security posture. Here are our recommendations for mitigating the risk of supply chain attacks:
Supplier risk assessment programme
We recommend establishing a formal third-party risk management programme to risk-assess suppliers against criteria such as whether the third party needs access to the organisation’s data or systems, and how business-critical it is to organisational processes. This will enable CISOs and CIOs to identify and prioritise the suppliers posing the highest risk and requiring the most scrutiny and controls. An information security expert will be able to help you identify your risks and set up a framework to manage them.
Embed a patching regimen
It is very important that organisations do not postpone software updates, as this is exactly what many criminal groups rely on: the software they seek to exploit is usually an outdated version. We also recommend that security updates be downloaded and tested in a safe, limited environment before they are rolled out across the entire company network. This ensures that if any issues occur or devices are adversely affected, the update can be uninstalled and rolled back to a known-good version without causing significant damage to company-wide devices.
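The staged approach above (test in a limited group first, promote only when healthy, roll back otherwise) written out as a small rollout controller. This is an added example, not PGI's code or tooling; the host names, ring layout and health-check behaviour are constructed for the demonstration.

```python
"""Staged patch rollout with automatic rollback (added example, not PGI's code).

An update is applied ring by ring: a small test ring first, then wider groups.
A failed health check in any ring stops the rollout and restores every host
that has already received the update. Hosts and rings are constructed here.
"""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Host:
    name: str
    version: str          # currently installed version
    previous: str = ""    # version to restore on rollback


@dataclass
class Rollout:
    new_version: str
    rings: List[List[Host]]               # e.g. [test lab, pilot group, everyone]
    health_check: Callable[[Host], bool]  # True when the host still works after update
    updated: List[Host] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def _apply(self, host: Host) -> None:
        host.previous, host.version = host.version, self.new_version
        self.updated.append(host)

    def _rollback(self) -> None:
        # Restore every host touched so far, most recently updated first.
        for host in reversed(self.updated):
            host.version, host.previous = host.previous, ""
            self.log.append(f"rolled back {host.name}")
        self.updated.clear()

    def run(self) -> bool:
        """Promote ring by ring; stop and roll back on the first failed check."""
        for i, ring in enumerate(self.rings):
            for host in ring:
                self._apply(host)
            failures = [h.name for h in ring if not self.health_check(h)]
            if failures:
                self.log.append(f"ring {i} failed on {failures}; rolling back")
                self._rollback()
                return False
            self.log.append(f"ring {i} healthy ({len(ring)} hosts)")
        return True
```

Rings later than the failing one are never touched, so a bad update discovered in the test lab or pilot group never reaches the wider fleet.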
The zero-trust approach
A further consideration increasingly advised by security companies is the adoption of a zero-trust security approach. Many traditional network designs allow users unrestricted access to everything within the network, which enables the kind of lateral movement and privilege escalation seen in the recent SolarWinds attack once the network had been initially compromised. A zero-trust architecture would have ensured that no one inside or outside the network was trusted by default, and verification would have been required whenever the attackers attempted to access wider network resources.
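The contrast drawn above, shown as two access decision functions: one that trusts anything inside the perimeter, and one that verifies identity, device state and entitlement on every request. This is an added example, not PGI's code; the network prefix, tokens, device identifiers and resource names are constructed for the demonstration.

```python
"""Flat-network trust versus zero-trust access decisions (added example).

A perimeter model authorises any request that originates inside the network,
so one compromised host can reach everything. The zero-trust policy evaluates
who is asking, from what device, and for what, on every request, regardless
of network location. All identifiers below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

INTERNAL_NET = "10.0."   # constructed: addresses with this prefix are "inside"


@dataclass(frozen=True)
class Request:
    src_ip: str
    resource: str
    token: Optional[str] = None       # bearer token presented, if any
    device_id: Optional[str] = None   # device the request comes from


def flat_network_allows(req: Request) -> bool:
    """Perimeter model: being inside the network means trusted everywhere."""
    return req.src_ip.startswith(INTERNAL_NET)


@dataclass
class ZeroTrustPolicy:
    sessions: Dict[str, str]           # verified token -> user
    healthy_devices: Set[str]          # devices passing posture checks
    entitlements: Dict[str, Set[str]]  # user -> resources they may use

    def decide(self, req: Request) -> Tuple[bool, str]:
        """Verify every request; the source address carries no weight."""
        user = self.sessions.get(req.token or "")
        if user is None:
            return False, "no verified identity"
        if req.device_id not in self.healthy_devices:
            return False, "device not attested healthy"
        if req.resource not in self.entitlements.get(user, set()):
            return False, f"{user} not entitled to {req.resource}"
        return True, "ok"
```

A foothold on an internal host with no verified session passes the flat-network check but fails zero-trust at the first step, and even a legitimate user is stopped at resources outside their entitlement.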