Supply Chains and Cybersecurity

How do you protect yourself if a vendor is hacked?

Modern cybersecurity is no longer just about shoring up vulnerabilities and stopping breaches in your own organization and networks. These days, businesses have to be alert to the possibility of cyberattacks throughout the supply chain and against their vendors as well.

Attacks on the supply chain have caused anxiety and worry in the cybersecurity community for a while now. The potential damage that can come from a successful cyberattack on a single supplier can be enormous due to a domino effect that can compromise a network of providers.

But given that protecting your own organization from cyberattacks is a difficult enough task, how on earth can you protect yourself from vulnerabilities in other people’s networks?

The supply chain cyber pandemic

Global supply chains are a complicated network of interconnected and interdependent relationships. Due to the complexity of the web of vendors, providers, and suppliers, a breach in one can lead to problems and insecurity throughout the chain. As you might expect, malicious actors are successfully exploiting these connections to breach more vulnerable, smaller parts of the chain and gain access to the larger, more lucrative links.

Cyber experts around the world agree that supply chains are facing their own cyberattack pandemic. In 2018, 56% of organizations have had a breach that was caused by one of their service providers, and suppliers are increasingly a target for attack. Infamous cases like the NotPetya attack in 2017 and the Kaseya breach in 2021 are just high-profile examples of an ongoing and increasingly concerning problem.

Why supply chains are vulnerable

“A supply chain attack is typically used as a first step out of a series of attacks. More concisely, it is used as a stepping stone for further exploitation once a foothold is gained to the target system.” - EU Agency for Network and Information Security

Supply chains are reliant on third-party relationships and a web of interconnected relationships. While larger organizations will have robust security protocols and protection measures in place, the nature of a supply chain means that they will still be vulnerable to the weakest links in the network. Information, data, and credentials will likely be held externally by organizations throughout the chain, and smaller suppliers may not have the required level of cybersecurity in place.

Supply chains can be exploited in a number of distinct ways:

Hardware

Hardware updates or replacements often fall by the wayside, particularly in smaller organizations, and so this is a common and often successful attack vector. From unsecured mobile phones to old computers, hardware is often the weakest link in the supply chain.

Software

Although software is easier and cheaper to update and replace, infiltration and compromise are still possible. Malware masked as legitimate software can be snuck into one network and then accidentally downloaded by millions across the world.

Service providers

This is probably the hardest nut to crack, but the one with the richest rewards. Managed IT services providers (MSPs) regularly hold the most confidential and lucrative data on their clients, so malicious access to these systems can be devastating. In 2017 we got a glimpse of what this could look like when PwC and BAE Systems uncovered Operation Cloud Hopper, one of the largest global cyber espionage operations ever seen.

How to prepare for a supply chain attack

Analyze your vendors’ security

The best way to prepare yourself for (and ideally prevent) a supply chain attack is by knowing exactly how secure your network of suppliers is. Third-party risk assessments on all vendors should be a matter of course, so you can build up an accurate profile of risk and security posture of your entire supply chain. This will allow you to choose suppliers on the basis of risk, as well as to be fully prepared to respond in the event of a breach.

Understand your vulnerability

It is, of course, impossible to prevent and prepare for every conceivable situation. However, as with any cybersecurity issue, some vectors and techniques are more common than others. Understanding and having a good knowledge of the most likely ways that you might be attacked through your supply chain will give you a head start if the worst happens. For example, bad actors often use legitimate credentials to gain access or take advantage of unpatched or redundant software. Once you have a full understanding of your own vulnerability, you can game out situations, shore up the necessary defenses, and prepare yourself far more effectively.

Secure your connection

You can, of course, ensure that your personal connection to the supply chain is as secure as possible. To do this, you have to identify every access point that third parties have to your network and analyze the security risk of each one. Ensuring that remote access is used infrequently, for example, or applying ‘least privilege’ systems can help in the event of an attack.

Check activity

Monitoring activity with your suppliers will help identify attacks before they take place. You should establish a baseline so that you know what ‘normal behavior’ looks like, then undertake regular checks to ensure that anything unusual is accounted for or addressed immediately.

Prepare a response plan

Finally, it is essential that you have a full response and recovery plan in the event of a serious breach. This will allow you to take appropriate action regardless of the situation and reduce your risk profile significantly. Containment, damage reduction, and disaster recovery are key when it comes to managing your supply chain risk.

If you want to learn more about the risks inherent in the supply chain or how to combat cyberattacks on third parties, suppliers, and vendors, get in touch with VC3, and our team will be happy to help!