Supply chain attacks are on the rise. Over 95% of companies have already been impacted – directly or indirectly – by a supply chain cybersecurity incident. Jaime Arze, Manager II, Third Party Risk, Datto, tells us how SMEs can best protect themselves.
Over the past few years, we’ve seen a surge in supply chain attacks such as the highly publicised SolarWinds and Log4j incidents. In fact, from 2021 to the present day, third-party attacks have risen a whopping 650%. Whether directly or indirectly, more than 95% of companies have been impacted by a supply chain cybersecurity incident and, according to Microsoft, it is only going to get worse.
While any organisation is at risk, small- and medium-sized enterprises (SMEs) remain particularly vulnerable, given their reliance on third-party vendors coupled with a lack of bandwidth and security presence. Unfortunately, many SMEs appear unsure how to prepare for or respond to these types of cyberattacks. Although the situation sounds dire, there are mitigating actions that every SME should put in place to minimise the risk, exposure and impact of a supply chain breach. Reviewing their infrastructure, asking suppliers the right questions and creating a culture of transparency and accountability with vendors and partners should no longer qualify as optional.
Evaluate your infrastructure
To minimise supply chain attack risks, SMEs should conduct a comprehensive audit of their IT environment, which needs to include efforts to discover any unapproved shadow IT. Hardware and software asset inventories are essential components of any cybersecurity framework. SMEs need to also conduct an inventory of their vendors in order to properly evaluate exposure.
Since security considerations do not stop at the perimeter of your networks, you must take into consideration the posture of the vendors and partners who process your data, integrate with your systems, or support your day-to-day operations. You need a clear understanding of what hardware and software is used, where the security gaps lie and which vendors and partners the business relies on, including the nature of those interactions: processing proprietary or operational data, system interfaces and various levels of integration. It’s critical that the SME fully understands the security gaps and risks its vendor and partner relationships may expose over time.
Do you know how critical each vendor is to the business? Are there supplier redundancies or unnecessary relationships? If so, they need to be promptly evaluated and addressed. Based on the type of service delivered, every vendor or partner entering or leaving should be accounted for in a system of record. Keeping an up-to-date inventory of vendors/partners and centrally managing those relationships is a good starting point for identifying and minimising any inherent risks. With deeper knowledge of your vendors/partners, you’ll gain a clearer view of potential exposure, allowing you to greatly minimise the attack surface. Additionally, a centralised vendor portfolio provides many advantages, such as the ability to tier suppliers and fast-track procurement of low-risk vendors/partners.
Get answers to the right questions
Not all vendors are created equal, and with security resources scarce, you need to spend them where they matter most. First, prioritise the vendors/partners that matter the most to the business. Next, focus on the suppliers whose compromise could cause the greatest damage and disruption to your operations, as well as the greatest impact on your customers.
To get you started, here are some questions to help you assess the strength of your vendors’ security posture. Ask about their vulnerable areas. Find out what proactive measures they are taking to improve their defences. Can they demonstrate that they are safeguarding the confidentiality, integrity and availability of their clients’ data in the same way you would? When asking security questions, being specific will result in more precise responses. Identify and evaluate what risks your suppliers might be exposing you to over time, and find out what they are doing to close those gaps.
Each vendor in your portfolio should be able to explain how they are protecting themselves and their customers against attacks, including how they restrict access to systems and how they encrypt data. Do they, as a minimum, follow industry standards? When requested, vendors should be able to show independent audits of their security performance. Finally, come to each vendor meeting with a list of clearly defined requirements and be prepared to ask some difficult questions.
Create a culture of transparency and accountability
The ever-increasing number of suppliers that have access to an SME’s systems and sensitive data is making it relatively easy for threat actors to target the less secure elements in the supply chain. Hackers piggyback on trusted vendor and partner relationships to deliver malware to customers. Using this pipeline gives them the ability to bypass security measures and to propagate a single attack to hundreds, if not thousands, of end users simultaneously. It’s been estimated that 62% of supply chain attacks exploit the trust between an SME and its suppliers. This makes it imperative for SMEs to follow up on the findings after the initial risk assessment is complete.
Once the criteria for identifying your most critical vendors and partners have been established, develop an appropriate way to evaluate them based on their tier. On a continuous basis, you need to measure vendors in a way that mirrors your own internal requirements. In most cases, Tier 1 vendors should be treated as an extension of the business, and thus should have policies, procedures, processes and capabilities similar to or better than those you have set for your own company. Tier 3 vendors, such as office suppliers, by contrast, will only have access to public, marketing or administrative data and have no integration with your environment or products, making them close to a negligible risk.
When it comes to Business Continuity and Disaster Recovery (BCDR), it’s important that you set clear expectations with your vendors and partners. Be sure their Business Continuity plans are built and tested to withstand the unforeseen, not just to comply with a requirement. If availability is a concern, firm SLAs need to be built into the contract, and the vendor/partner should have an adequate and well-documented incident response plan. If they don’t have a formalised and tested BCDR strategy to review, work with them to put one in place.
Managing vendors and partners is an ongoing process, not a one-off exercise, so perseverance is required to keep relationships transparent. As your suppliers’ security programmes evolve and improve, they should be able to demonstrate that they can adapt to changing threats.
In addition, as vendor/partner relationships grow, so must the level of diligence and security expectations. Every contractual relationship comes with a degree of accountability. Contractual security language will not only protect your company by having vendors abide by best practices, but it will also set the cadence for the entire relationship. It will bind both you and the supplier to standards that must be met in the event of an incident: incident response, data retrieval, data ownership, rights to an assessment and similar terms should all be defined up front.
SMEs can and must demand quality security outcomes from their vendors and partners. Remember, the status of trusted supplier is earned not through the length of a relationship, but through greater transparency around security. Ultimately, this trust will help you minimise the risk, exposure and impact of supply chain attacks.