A chain is only as strong as its weakest link, and the weakest link in your organisation might be a third-party supplier that you have little to no control over. We live in an age of increased connectivity, where companies and their partners are digitally bound the moment they enter a contractual agreement. Regardless of how robust your security measures are, you’re only as safe as your most vulnerable vendor. In 2021 and beyond, this is the reality that businesses of all shapes and sizes should address as soon as possible.
A supply chain attack, sometimes referred to as a ‘value chain’ attack, occurs when cyber attackers infiltrate your system through an external partner with access to your data and systems. It’s not uncommon for an organisation to have dozens of third-party suppliers; in fact, the economy thrives on it. But while the interweaving of supply chains makes business more convenient and efficient, it also comes with a great deal of risk – and that risk threatens every business.
The SolarWinds breach that occurred in December 2020 is a prime example of this. Described by Microsoft as the “largest and most sophisticated cyberattack ever”, the SolarWinds attack was a supply chain breach that ended up threatening US national security, even impacting businesses such as Cisco, Belkin and Microsoft themselves. More than 18,000 customers were affected by the breach, which was carried out through the supply chain via a simple update that was pushed out to SolarWinds customers once SolarWinds’ own network had been compromised. The SolarWinds incident was major headline news but was overshadowed by a tumultuous US election and the ongoing COVID-19 pandemic. Despite the lack of coverage in mainstream media, it’s still the loudest warning shot yet that businesses need to think carefully about their supply chains and security infrastructure.
One of the most concerning things about the SolarWinds breach is that it seemed to set a new precedent for supply chain attacks more generally. It was unique because it gained access to Cloud-based servers by first compromising internal networks, allowing the cybercriminals to attack without raising any real suspicion. In other words, the SolarWinds breach was perfectly designed to take advantage of a hybrid set-up that combines on-premises and Cloud-based networks – which is precisely where an increasing number of businesses are heading in the ‘new normal’ work model. As of June 2020, around 58% of businesses worldwide were pursuing a hybrid approach to Cloud transformation. That figure is likely to rise considerably due to the pandemic and the trend towards more agile working. This means that all businesses, at least to varying extents, are vulnerable.
Open-source software is another potential vector of vulnerability. Open-source development is a great way of pooling developer talent to make a piece of software the best it can be, but it often comes at the cost of security. According to a recent report, 90% of today’s most popular applications contain open-source code, and at least 11% of those have known vulnerabilities. This type of vulnerability was the source of the Equifax breach in 2017, which ended up costing the company more than $2 billion.
Typically, a business would see TPRM (third-party risk management) as a way to counter supply chain attacks. The idea is that if you set qualifying criteria that third-party vendors must meet in order to work with your business, and you carry out regular assessments, you can address the risk of a supply chain breach. What SolarWinds and other recent attacks have taught us is that this approach simply isn’t enough in 2021. So, what should businesses do?
There’s no doubt that CSOs and CTOs everywhere have a difficult year coming up. Many organisations have simply become too comfortable with legacy security software and outdated policies and processes. Nothing exposes these issues more than a sudden and dramatic shift to remote working. Businesses will need to build out their TPRM solutions, but they also need to consider updating security policies, segmenting networks to limit lateral movement in any breach, and applying the principle of ‘least privilege’ to keep all tools and devices in their own virtual lane.
These processes and more will need to become a core part of a company’s day-to-day security if it is to improve its risk posture and guard against third-party supply chain attacks moving forward.