ITProPortal | Supply Chain Attacks Highlight Why You Should Continue to Be Careful with Third-Party Providers

This article was originally published on ITProPortal.

One year on from SolarWinds, governments and enterprises still have work to do.

It is nearly one year since we saw a nation-state attack on the SolarWinds network management system that compromised the supply chains of over 18,000 organizations, including the Pentagon and the Department of Homeland Security. The breach was one of the biggest incidents in recent years, with costs likely to run into billions of dollars. Sadly, the Kaseya VSA supply chain attack in July further highlighted that attacks of this type will not be the last and will increase in frequency.

What is a supply chain attack, and why should we care?

A supply chain attack, also called a value-chain or third-party attack, occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data. This has dramatically changed the attack surface of the typical organization in the past few years, with more suppliers and service providers touching sensitive data than ever before.

New types of attacks, growing public awareness of the threats, and increased oversight from regulators are all highlighting this growing trend. This means businesses and governments must do everything in their power to keep their supply chains running smoothly, or they risk losing sensitive data and harming their reputation, potentially resulting in operational downtime, financial losses, legal action, and regulatory fines.

Motivations and the biggest threats

Supply chain attacks are attractive to hackers because when commonly used software is compromised, the attackers can potentially gain access to all the enterprises that use that software.

Below are three of the biggest supply chain security threats that organizations and governments need to be aware of:

1. Data Protection 

Data is an essential tool in keeping any business running, but it is equally important to protect that data from breaches and attacks. Data protection is vital in industries such as health care, fintech and e-commerce, and because these industries are ever-growing and profitable, attackers and bad actors have plenty of incentive to target them.

2. Data Governance

As we live in a post-pandemic world, we are seeing more companies adopt remote working and encourage their employees to communicate via project management software and mobile apps. As a result, the surface area the business must oversee has become larger. Organizations must use best practices for handling threats and enforce new standards on how their employees and suppliers access and share data.

3. Third-Party Risk

Everyday products like computers, mobile phones and even cars are growing more complex, as are software solutions that incorporate multiple cloud services. They may require four or more supplier tiers to reach the finished solution or product. Although better products are good for the market, working with external partners also increases the risk to the supply chain.

How to prevent supply chain attacks

Last year’s SolarWinds Orion data breach not only demonstrated the devastating potential of supply chain attacks, but it also exposed concerning vulnerabilities in conventional defense methods that make such attacks possible. Even though the SolarWinds breach was one of the most sophisticated cyberattacks in history, there are still tactics and best practices that an organization can implement to significantly strengthen the digital supply chain. So, what are these steps?

Minimize access to sensitive data

First, all the sensitive data access points need to be identified. This will help you note all the employees and vendors that are currently accessing your sensitive resources. The higher the number of privileged access roles, the larger the privileged access attack surface, so such accounts need to be kept to a minimum. Vendor access should be scrutinized especially closely, given the risk that vendors are the first targets in a supply chain attack.

  • Map out all the vendors currently accessing your sensitive data and their respective access levels.
  • Questionnaires will help flesh out how each vendor processes and protects your sensitive data.
  • Once all third-party access data is acquired, the culling process can begin. Service providers should only have access to the minimal amount of sensitive data they require to offer their services.
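As an added example that is not part of the original article, the mapping and culling steps above expressed as a script: it assumes a constructed inventory of vendor accounts, listing the privileges each vendor currently holds against the privileges its questionnaire says the service needs, and reports what to revoke and which access has gone unused.

```python
# Added example, not from the article: a least-privilege review of third-party access.
# The vendor inventory, privilege names and dates below are constructed for illustration.
from dataclasses import dataclass
from datetime import date


@dataclass
class VendorAccess:
    vendor: str
    granted: set       # privileges the vendor currently holds on sensitive data stores
    required: set      # privileges the vendor's service actually needs (from the questionnaire)
    last_used: date    # most recent use of any granted privilege


def review_vendor_access(inventory, today, stale_days=90):
    """Return per-vendor findings: privileges to revoke and whether access is stale.

    A vendor appears in the result only if it holds more than it needs or has not
    used its access within stale_days; vendors that are already minimal are omitted.
    """
    findings = {}
    for v in inventory:
        excess = v.granted - v.required
        stale = (today - v.last_used).days > stale_days
        if excess or stale:
            findings[v.vendor] = {"revoke": sorted(excess), "stale": stale}
    return findings


def attack_surface(inventory):
    """Count privileged grants across all vendors: the privileged access attack surface."""
    return sum(len(v.granted) for v in inventory)


# Constructed sample inventory and review date.
TODAY = date(2021, 12, 1)
INVENTORY = [
    VendorAccess("payroll-saas", {"hr_db:read", "hr_db:write", "finance_db:read"},
                 {"hr_db:read", "hr_db:write"}, date(2021, 11, 20)),
    VendorAccess("monitoring-msp", {"prod_hosts:admin", "logs:read"},
                 {"logs:read"}, date(2021, 11, 28)),
    VendorAccess("old-marketing-agency", {"crm:read"}, {"crm:read"}, date(2021, 6, 1)),
    VendorAccess("backup-provider", {"storage:write"}, {"storage:write"}, date(2021, 11, 29)),
]

if __name__ == "__main__":
    print("privileged grants before culling:", attack_surface(INVENTORY))
    for vendor, finding in review_vendor_access(INVENTORY, TODAY).items():
        print(vendor, finding)
```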

Implement strict shadow IT rules

Shadow IT refers to all IT devices that are not approved by an organization’s security team. The recent global adoption of a remote-working model due to Covid-19 has resulted in many employees incorporating their own private IT devices while establishing their home office environments.

IT security departments should enforce the registration of all IT devices alongside strict guidelines about what can and cannot be connected. All permitted devices (especially IoT devices) should be monitored to identify DDoS attacks being launched from the supply chain.

Third-party risk assessments

The sad reality is that many vendors are unlikely to ever take cybersecurity seriously. Therefore, it’s up to the organization to ensure its supply chain is well defended. Third-party risk assessments help disclose each vendor’s security posture and any concerning vulnerabilities that need remediating.

Policy monitoring 

Monitoring the development of cybersecurity policies in key markets to identify current and upcoming compliance requirements, best practice guidance, and regulatory barriers will help to identify and prepare for upcoming issues. These would include domestic standards, security policies and certifications and export and import requirements.

Data protection and privacy

Alongside deploying data loss prevention and other security tools, governments and businesses should seek guidance on monitoring and shaping the outcomes of public policy debates, and on implementing strategies and policies in key markets; together these form an important strategy.

Standards development 

Organizations should consider advocating for cybersecurity standards in regional and international bodies, including the EU, the ITU and the European Telecommunications Standards Institute (ETSI). Setting the right standards that fit the reality of the cybersecurity environment across various products and services is critical.

Procurement

Alongside promoting the adoption of cybersecurity technologies, policymakers need to play a part in guiding the development of rules for government procurement of these technologies in various markets worldwide, such as the EU, Canada, the US, Japan and India. In this way, governments can lead by example.

No silver bullet

In the wake of these significant incidents, time will tell what further fallout we may be seeing in 2022. The reliance on third parties is not going away anytime soon as businesses outsource expertise to save time and money. As more diverse services come online and businesses expand, the attack surface for any organization will likely grow.

Although there is no silver bullet, organizations can take a multi-layered approach to addressing this issue. Good data hygiene practices, proactive measures and policy oversight can help combat the impact of damaging supply chain attacks.
