7 Ways to Mitigate Supply Chain Attacks
Breaches caused by external vendors and service providers have become a major and escalating problem for organizations.
June 27, 2019
Breaches resulting from third-party security lapses are on the rise. Last year, 61% of surveyed US organizations said they had experienced a breach caused by one of their vendors or another third party. Some 75% said they believed such incidents were only going to increase.
The growing complexity of the third-party landscape bears much of that blame, according to the Opus/Ponemon Institute survey. While companies in the survey, on average, said they shared confidential and sensitive information with as many as 583 third parties, barely one-third had as much as an inventory of these entities. Some 69% said they did not have centralized control over third parties, and more than 60% did not have adequate resources for managing third-party risk.
In a separate survey conducted this year by BitSight and the Center for Financial Professionals, 97% of financial services companies said third-party risk was becoming a major concern. Nearly eight in 10 companies said they had already terminated a business relationship, or had ratcheted it down, over cybersecurity issues. Barely 22% said they were continuously monitoring third-party cyber-risk.
"Supply chains are difficult to secure. They create risk that is hard to identify, complicated to quantify, and costly to address," says Steve Durbin, managing director of the Information Security Forum.
Here, according to Durbin and several other security experts, are tips for managing third-party risks.
Security and risk mitigation requirements must be included in an organization's contractual agreements with third-party vendors and service providers, says Rocco Grillo, managing director with professional services firm Alvarez & Marsal. Requirements should include the ability for an organization to audit the third party's security practices and business continuity plans, establish performance standards, and clearly define default and termination terms. The contract should include provisions governing the use of foreign-based service providers and outline data governance and vendor subcontracting rules, he says.
"Ensure contracts include the right to audit the security posture of suppliers by your security team or a third party," adds Jason Haward-Grau, CISO at PAS Global. "For suppliers of software of any type, require certification of cybersecurity vulnerability assessment with each release by the supplier."
Vendor assessments are critical to third-party risk management. But how you do them can make a big difference between fully understanding your vendor's risk profile versus getting only a partial glimpse of it.
The key is not to reinvent the wheel each time you want to assess a vendor's cybersecurity posture, says Mike Jordan, senior director of The Santa Fe Group. "Vendors see thousands of questionnaires that say the same thing in different ways, which wastes the time of assessors and vendors alike," Jordan notes.
Only use and accept standardized questionnaire content, such as the Standardized Information Gathering (SIG) questionnaire, he notes. "It covers all areas of TPRM [third-party risk management], works for any industry, and has been crowdsourced and honed by hundreds of subject matter experts over 14 years," Jordan says.
TPRM is such a broad category that it is impossible to be an expert in all aspects, such as cybersecurity, privacy, financial stability, regulatory compliance, and operational resilience, he adds. "Get to know subject-matter experts in your industry and join member-driven organizations, like Shared Assessments, that discuss and educate on TPRM," says Jordan, a former program leader for IT risk and compliance with Campbell Soup.
Make sure to assess your vendor's ability to respond to and mitigate security incidents, Alvarez & Marsal's Grillo says. "Does the service provider have an enhanced and up-to-date incident response plan? Does the third party test the resiliency of the plan and go through simulated tabletop exercises?" he asks.
In addition, verify whether the service provider has outside forensics and legal support capabilities on retainer. Check whether your SLA includes not just the right to audit, but also the right to be notified of a material compromise or cyberattack within a set amount of time, Grillo says.
"Work jointly with third-party vendors to have joint red and blue teams that can conduct regular penetration tests," says Byron Rashed, vice president of marketing at Centripetal. The goal of these exercises should be to look for vulnerabilities, such as unapplied patches and potential attack vectors, that could put your data at risk. Verify that these vulnerabilities are remediated. "Ensure the third party has an adequate security stack that would prevent network infiltration and data exfiltration," Rashed says.
Also make sure to consider your service provider's security posture at the perimeter level, including mail server, controls against domain hijacking, the use of SSL certificates, and other security controls, adds Matan Or-El, CEO of Panorays. "Suppliers can certainly be expected to achieve a reasonable level of security," Or-El says. "It's important to engage with the supplier and pinpoint the issue so that they become aware of the problem, understand the issue, and know how to fix it."
Tom Kellermann, chief cybersecurity officer at Carbon Black, says any SLA with a service provider should include provisions for quarterly inside-out penetration tests and cyberhunt team exercises, with a remediation timetable of 72 hours. The SLA should include language for 24/7 intrusion notifications, just-in-time administration, and for increasing visibility by capturing all unfiltered endpoint data for 30 days.
Sometimes companies are forced to work with providers with less-than-stellar cybersecurity capabilities. The best strategy in these situations is to minimize risk exposure. "This includes being more vigilant about the information being shared and how it is shared," Panorays' Or-El says.
For example, take measures when working with a risky service provider, such as demanding and enforcing data removal after a certain period or limiting access to various systems, he says. Other options include severing all open network connections with the supplier or adding dedicated auditing for the supplier's communications.
"Continuously monitor the cyber posture of the supplier and receive live alerts on any significant changes," Or-El notes.
Of note, earlier this year, 55% of organizations in a Protiviti survey said they were extremely likely or somewhat likely over the next 12 months to exit or "de-risk" vendor relationships deemed risky.
Attackers target service providers because of the access they have to networks and systems belonging to customers. In many organizations, vendor access is only loosely monitored, and often companies have little idea of who can access their networks and what they can do with that access.
Companies should secure vendor access to their environments through strong security at the perimeter, PAS Global's Haward-Grau says. This can include measures like multifactor authentication and segregated access protocols. "Where possible, ensure vendors are using your systems to access your environment," he says. "Specify their user capabilities as external users of your infrastructure."
It's also critical to have a complete inventory of all cyber assets and of who can access them. "Maintain an accurate and complete inventory of operational technology assets, from field sensors to process controllers and all the way through the enterprise network and the cloud," he says.
David Barton, CSO at Stellar Cyber, adds that in addition to requiring some form of two-factor authentication, all third parties should be isolated to a network segment with other network security controls. "Assume the zero trust model and only grant access to what the third party needs to perform their task," Barton advises.
Companies should do a thorough audit of who their digital third parties are and what data these third parties handle, says Chris Olson, CEO of The Media Trust. "Most companies know only a fraction of who their digital third parties are," he says. "In fact, many publishers and e-commerce businesses are surprised to find that there are at least 20 third parties who track information that users enter into payment pages."
To better understand the risk of using a third party, start with what information will be shared with the vendor, adds Kris Lahiri, co-founder and data protection officer at Egnyte. "Develop a standard template for the technical assessment of the vendor," he says. "The assessment should ask about their architecture, how they deal with customer data, their availability, etc."