We’ve all heard the old adage that a chain is only as strong as its weakest link; unfortunately, the weakest link in your organisation may be a third-party supplier over which you have little or no control. We live in an age of increased connectivity, where companies and their partners are digitally bound the moment they enter a contractual agreement. This means that regardless of how robust your own security measures are, you are only as safe as your most vulnerable vendor. This is the reality that all businesses should be addressing in 2022 and beyond.
A supply chain attack, sometimes referred to as a ‘value chain’ attack, occurs when attackers get into your systems through an external partner that has access to your data and systems, or through software and updates you install from that partner. It’s not uncommon for an organisation to have dozens of third-party suppliers; in fact, this interconnectivity drives our economy. But while the interweaving of supply chains makes business more convenient and efficient, it also comes with a great deal of risk.
The SolarWinds attack
The SolarWinds breach, disclosed in December 2020, is a prime example of this. Described by Microsoft as the “largest and most sophisticated cyberattack ever”, the SolarWinds attack was a supply chain breach that ended up threatening US national security, reaching into several US federal agencies and into hardened businesses such as Cisco, Belkin and Microsoft themselves. As many as 18,000 customers downloaded the compromised update, although the attackers went on to target only a small fraction of them. The attack was carried out through the supply chain: after compromising SolarWinds’ own build environment, the attackers inserted a backdoor into a legitimate, digitally signed update of the Orion platform, which SolarWinds then distributed to its customers through the normal update channel. Because the update was signed and came from a trusted vendor, it passed every check a customer would normally rely on. The incident competed for attention with a tumultuous US election and the ongoing COVID-19 pandemic, but it was still major headline news, and it remains the loudest warning shot we have heard, alerting businesses to the need to think carefully about their supply chains and security infrastructure.
Hybrid Cloud vulnerabilities
One of the most concerning things about the SolarWinds breach is that it set a new precedent for supply chain attacks. Having gained a foothold on victims’ internal networks through the backdoored update, the attackers used it to move into those victims’ cloud environments, abusing the trust relationships (in particular the identity federation between on-premises directories and cloud services) that a hybrid set-up depends on, and so could operate without raising any real suspicion. In other words, the SolarWinds breach was well suited to exploiting a hybrid set-up that combines on-premises and cloud-based networks, which is precisely where an increasing number of businesses are heading in the ‘new normal’ work model. As of June 2020, around 58% of businesses worldwide were pursuing a hybrid approach to cloud transformation. That figure is likely to rise considerably due to the pandemic and the trend towards more agile working. This means that all businesses, to varying extents, are vulnerable.
The dangers of Open Source Software
Open-source software is another potential vulnerability vector. Open-source development is a great way of pooling developer talent to make a piece of software the best it can be, but every component you pull in arrives with its own defects, and tracking and patching them becomes your responsibility. According to a recent report, 90% of today’s most popular applications contain open-source code, and at least 11% of those have known vulnerabilities. This type of vulnerability, an unpatched known flaw in the open-source Apache Struts framework, was the source of the Equifax breach in 2017, which ended up costing the company more than $2 billion.
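The figures above are about known vulnerabilities in components you already ship, so the first practical step is an inventory of exactly which versions you depend on, compared against an advisory list. The script below is an added example, not code from this article: it parses a pinned Python requirements file, flags anything left unpinned (a range such as `>=2.0` can silently pull in a vulnerable release), and reports every pinned package whose version falls inside an advisory’s affected range. The package names, advisory IDs and requirements text are all constructed for illustration; in practice you would feed the same comparison from a real advisory source such as OSV.

```python
"""Audit pinned dependencies against known-vulnerability advisories.

Added example. The advisory IDs, package names and the requirements text
below are constructed for illustration and do not describe real software.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" means no fix yet


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' fold to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str, width: int = 4) -> tuple:
    """Map '1.4.2' -> (1, 4, 2, 0) so versions compare numerically, not as strings.
    Non-numeric suffixes ('1.4.2rc1') are ignored; zero-padding makes '0.5' == '0.5.0'."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    parts = parts[:width]
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in the half-open range [introduced, fixed)."""
    v = version_key(version)
    if v < version_key(adv.introduced):
        return False
    if adv.fixed and v >= version_key(adv.fixed):
        return False
    return True


def parse_requirements(text: str):
    """Return ({name: version} for exactly pinned lines, [names] that are not pinned)."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)$", line)
        if m:
            pinned[normalize_name(m.group(1))] = m.group(2)
        else:
            # Anything other than '==' (>=, ~=, no specifier) cannot be audited reliably.
            name = re.match(r"^[A-Za-z0-9][A-Za-z0-9._-]*", line)
            unpinned.append(normalize_name(name.group()) if name else line)
    return pinned, unpinned


def audit(requirements_text: str, advisories):
    """Cross-reference every pinned dependency against every advisory."""
    pinned, unpinned = parse_requirements(requirements_text)
    findings = []
    for name, version in pinned.items():
        for adv in advisories:
            if normalize_name(adv.package) == name and is_affected(version, adv):
                findings.append((name, version, adv.advisory_id))
    return {"vulnerable": findings, "unpinned": unpinned}


# Constructed sample inputs (hypothetical packages and advisory IDs).
SAMPLE_REQUIREMENTS = """\
# constructed lockfile for the example
requests==2.25.1
acme-parser==1.4.2
acme-crypto==0.9.0
acme-logger>=2.0      # not pinned: the resolver may pick any release
"""

SAMPLE_ADVISORIES = [
    Advisory("ADV-2019-000", "requests", "2.0.0", "2.20.0"),   # already fixed
    Advisory("ADV-2021-001", "acme-parser", "1.0.0", "1.4.3"),  # 1.4.2 is affected
    Advisory("ADV-2021-002", "acme-crypto", "0.8.0", "0.9.0"),  # 0.9.0 is the fix
    Advisory("ADV-2020-003", "acme-crypto", "0.5", ""),         # no fix released
]


def audit_sample():
    return audit(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES)


if __name__ == "__main__":
    result = audit_sample()
    for name, version, adv_id in result["vulnerable"]:
        print(f"VULNERABLE {name}=={version} ({adv_id})")
    for name in result["unpinned"]:
        print(f"UNPINNED   {name}")
```

Note the second `acme-crypto` advisory: a package can be clean against one advisory and still affected by another with no fix available, which is the case where the only remediation is removing or isolating the component rather than upgrading it.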
Typically, a business sees TPRM (third-party risk management) as the way to counter supply chain attacks. The idea is that if third-party vendors must meet qualifying criteria in order to work with your business, and you carry out regular assessments, you have addressed the risk of a supply chain breach. What SolarWinds and other recent attacks have taught us is that this approach on its own simply isn’t enough in 2021: a questionnaire-based assessment says nothing about whether a vendor’s build pipeline has been compromised, which is exactly where SolarWinds was hit.
What should businesses do?
There’s no doubt that CSOs and CTOs everywhere have a difficult year ahead. Many organisations have simply become too comfortable with legacy security software and outdated policies and processes, and these weaknesses have been starkly exposed by the sudden and dramatic shift to remote working. Businesses will need to build out their TPRM programmes, but they also need to update their security policies, segment their networks so that a breach in one supplier’s tool cannot move laterally into everything else, and apply the principle of ‘least privilege’ so that every tool, service account and device has only the access it needs: a monitoring product needs visibility into the systems it watches, not administrative control over them.
These processes, and more, will need to become a core part of a company’s day-to-day security if it is to improve its risk posture and guard against third-party supply chain attacks moving forward.