You’ve spent a lot of time locking down your network, but what happens if the threat comes from your supply chain? According to William Evanina, director of the NCSC and the US’s top counter-intelligence official, “Supply chain infiltration is one of the key threats that corporations need to pay attention to, particularly how software vulnerabilities are exploited. To get around increasingly hardened corporate perimeters, cyber actors are targeting supply chains” (Supply Management). In a CrowdStrike study of 1,300 companies, 66% reported having experienced a software supply chain attack, nearly half of them within the previous twelve months (BBC News). There can be little doubt that this is a serious threat to proprietary data, trade secrets and customer privacy. To meet it, companies must first understand what causes supply chain risk.
Supply Chain Risks
Supply chain risks arise from many factors:
- Poor information security practices of suppliers;
- Compromised hardware or software purchased from suppliers;
- Counterfeit hardware or hardware that has been embedded with malware;
- Third party service providers/vendors that have access to your devices, data and/or facilities;
- Software vulnerabilities in supply chain management or supplier systems; and
- Increasingly sophisticated cyber attacks originating from individuals, organizations and government agencies.
How to Prepare for a Supply Chain Cyber-Attack
While the threat of supply chain cyber-attacks is growing, there are fortunately many ways a company can protect itself. Here are some best practices:
- Third-Party / Vendor Management Program. Having a complete Third-Party / Vendor Management Program is crucial to reducing the risks of a supply chain cyber-attack. A good Third-Party Vendor Management Program will have security requirements and responsibilities included in every contract, a thorough vetting program that ensures that vendors meet your organization’s requirements, and an annual review process to ensure that security requirements continue to be met.
- Know Who Has Access to Your Data, Devices, and Facilities. This one piggybacks on the Third-Party Vendor Management Program, but it is critical to know who has access to your data, devices, and facilities. Your organization should conduct regular access reviews to make sure that old vendors, contractors, ex-employees, etc. no longer have access. Items to review would be your active user accounts, badge access reports, and facility key inventories.
- Purchase Software and Hardware from Reliable Sources. The old adage that if it seems too good to be true, it probably is, certainly applies here. Paying a little more for a reputable supplier can be worth it if it reduces or eliminates potential problems in the future.
- Implement Controls on Service Vendors. Access to software and devices by service vendors should be limited to what they need, when they need it, and removed once the work is done. Your organization may also consider observing all work done by service vendors, either through a shared session or by escorting them while they are in your facility.
- Develop an Incident Response Plan and Playbook. Having a plan to respond to a cyber-attack in a timely fashion can make all the difference. The plan should identify the team and its responsibilities, establish severity levels, and include an emergency communications plan. A playbook is also a great way to ensure that your Incident Response Team is prepared to handle a variety of incident types, and it is a useful tool for developing your newer IT employees.
- Conduct a Cyber Risk Assessment. A proper risk assessment can help your organization identify areas that need additional controls to protect your network and sensitive data.
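The access-review and vendor-access points above are the two that lend themselves to a concrete check. The following Python script is an added example, not code from the original article or from Intrinium: it reconciles an export of active accounts against the current employee/vendor roster, flags accounts whose owner is gone or whose engagement has ended, flags dormant accounts, and reports vendor logins that fall outside the vendor’s approved maintenance window. All records below are constructed sample data; the 90-day dormancy threshold is an assumption you should tune to your own policy.

```python
"""Periodic access review for employee, contractor and vendor accounts.

Added example (not part of the original article). The account export, roster
and login events are constructed sample data; in practice they come from your
identity provider, HR system and vendor contract register respectively.
"""
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Dict, List, Optional, Tuple

DORMANT_DAYS = 90  # assumption: accounts unused for longer than this are reviewed


@dataclass(frozen=True)
class Account:
    username: str
    owner: str                    # person or vendor the account belongs to
    kind: str                     # "employee" or "vendor"
    last_login: Optional[date]    # None if the account has never been used


@dataclass(frozen=True)
class Engagement:
    owner: str
    active: bool                                   # still employed / contract in force
    window: Optional[Tuple[time, time]] = None     # approved access window (vendors)


def review_accounts(accounts: List[Account], engagements: List[Engagement],
                    today: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for every account that needs action."""
    roster: Dict[str, Engagement] = {e.owner: e for e in engagements}
    findings = []
    for acct in accounts:
        eng = roster.get(acct.owner)
        if eng is None:
            findings.append((acct.username, "owner not in current roster: disable"))
        elif not eng.active:
            findings.append((acct.username, f"{acct.kind} engagement ended: disable"))
        # Dormancy is checked independently: a live owner can still have a stale account.
        if acct.last_login is None or (today - acct.last_login).days > DORMANT_DAYS:
            findings.append((acct.username, f"dormant > {DORMANT_DAYS} days: review"))
    return findings


def out_of_window_logins(events: List[Tuple[str, datetime]],
                         engagements: List[Engagement]) -> List[Tuple[str, datetime]]:
    """Return vendor login events that fall outside the vendor's approved window.

    Vendors with no window recorded are not flagged here; the assumption is
    that a missing window is itself caught when the contract is reviewed.
    """
    roster = {e.owner: e for e in engagements}
    flagged = []
    for owner, when in events:
        eng = roster.get(owner)
        if eng is None or eng.window is None:
            continue
        start, end = eng.window
        if not (start <= when.time() <= end):
            flagged.append((owner, when))
    return flagged


# --- constructed sample data -------------------------------------------------
TODAY = date(2018, 8, 1)
ACCOUNTS = [
    Account("jsmith", "J. Smith", "employee", date(2018, 7, 30)),
    Account("ctr-temp", "Former Contractor", "employee", date(2018, 3, 1)),  # not in roster
    Account("svc-hvac", "HVAC Vendor", "vendor", date(2018, 7, 28)),
    Account("svc-oldmsp", "Old MSP", "vendor", None),                      # contract ended
]
ENGAGEMENTS = [
    Engagement("J. Smith", True),
    Engagement("HVAC Vendor", True, (time(8, 0), time(17, 0))),
    Engagement("Old MSP", False),
]
LOGIN_EVENTS = [
    ("HVAC Vendor", datetime(2018, 7, 28, 14, 30)),  # inside the 08:00-17:00 window
    ("HVAC Vendor", datetime(2018, 7, 29, 2, 15)),   # 02:15: outside the window
]

if __name__ == "__main__":
    for username, finding in review_accounts(ACCOUNTS, ENGAGEMENTS, TODAY):
        print(f"{username:12} {finding}")
    for owner, when in out_of_window_logins(LOGIN_EVENTS, ENGAGEMENTS):
        print(f"{owner}: login at {when:%Y-%m-%d %H:%M} outside approved window")
```

Run against real exports, the same reconciliation should be extended to badge-access reports and the facility key inventory, which are simply further lists of who holds access to be matched against the same roster.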
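Buying from a reliable source is a sourcing decision; the matching technical control, and a complement to the “compromised software purchased from suppliers” risk listed earlier, is to verify that what you downloaded is what the supplier published before installing it. The following Python script is an added example, not code from the original article or from any vendor: it parses a `sha256sum`-style manifest as suppliers commonly publish and verifies a set of downloaded files against it, reporting mismatches, files the manifest lists but you do not have, and files you have that the manifest does not cover. The manifest text and file contents are constructed sample data.

```python
"""Verify supplier downloads against the supplier's published SHA-256 manifest.

Added example (not part of the original article). The manifest and file
contents below are constructed sample data; in practice the manifest is
obtained from the supplier over a separate trusted channel and the files are
the downloads you are about to install.
"""
import hashlib
import hmac
from typing import Dict

HEX = set("0123456789abcdef")


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse lines of the form '<64 hex chars>  <filename>' (binary mode marks
    the name with a leading '*'). Blank lines and '#' comments are skipped.
    Returns {filename: lowercase hex digest}; malformed lines raise ValueError
    rather than being silently ignored."""
    digests: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<digest> <filename>'")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(f"line {lineno}: not a SHA-256 hex digest")
        digests[name] = digest
    return digests


def verify_downloads(manifest: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, str]:
    """Return {filename: 'ok' | 'MISMATCH' | 'MISSING' | 'UNLISTED'}.

    Every manifest entry is checked; files present locally but absent from the
    manifest are reported as UNLISTED so nothing is installed unchecked."""
    results: Dict[str, str] = {}
    for name, expected in manifest.items():
        data = files.get(name)
        if data is None:
            results[name] = "MISSING"
            continue
        actual = hashlib.sha256(data).hexdigest()
        # compare_digest avoids leaking where the digests differ via timing
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    for name in files:
        if name not in manifest:
            results[name] = "UNLISTED"
    return results


def all_verified(results: Dict[str, str]) -> bool:
    """True only if there is at least one file and every result is 'ok'."""
    return bool(results) and all(status == "ok" for status in results.values())


# --- constructed sample data -------------------------------------------------
GOOD_INSTALLER = b"vendor agent v2.1 installer\n"
ALTERED_INSTALLER = GOOD_INSTALLER + b"extra bytes added in transit\n"
README = b"release notes\n"

# In reality this text comes from the supplier; here it is built from the
# known-good bytes so the example is self-contained.
MANIFEST_TEXT = (
    "# SHA256SUMS published by the supplier\n"
    f"{hashlib.sha256(GOOD_INSTALLER).hexdigest()}  agent-2.1.exe\n"
    f"{hashlib.sha256(README).hexdigest().upper()}  *readme.txt\n"
)

SUSPECT_FILES = {"agent-2.1.exe": ALTERED_INSTALLER, "extra.bin": b"not in manifest"}
GOOD_FILES = {"agent-2.1.exe": GOOD_INSTALLER, "readme.txt": README}

if __name__ == "__main__":
    manifest = parse_sha256sums(MANIFEST_TEXT)
    for label, files in (("suspect download", SUSPECT_FILES), ("clean download", GOOD_FILES)):
        results = verify_downloads(manifest, files)
        print(f"{label}: {'PASS' if all_verified(results) else 'FAIL'} {results}")
```

A digest fetched from the same server as the download only detects corruption and a swapped file on that server; it does not protect you if the supplier itself has been compromised. Where the supplier signs releases, verify the signature against a key you obtained independently, and treat the checksum step as the minimum.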
What Does this Mean to Your Company?
Understanding the risks of a supply chain cyber-attack and how to manage those risks can make all the difference when your organization is under attack. Intrinium specializes in conducting risk assessments and penetration testing, helping organizations manage their security programs and providing 24/7 network monitoring.
BBC News. (July 26, 2018). US Warns of Supply Chain Cyber-Attacks. https://www.bbc.com/news/technology-44941875
Supply Management. (July 24, 2018). Supply Chain Cyber Attacks Hit Two-Thirds of Firms. https://www.cips.org/en/supply-management/news/2018/july/supply-chain-cyber-attacks-hit-two-thirds-of-companies/