If you were a hacker, how would you infiltrate a well-protected target? How would you get inside an organization that has a solid security framework and has invested millions in cyber security?
You’d probably attack their supply chain.
According to Symantec, supply chain attacks increased 200% in 2017. Why the surge? Hackers look for openings wherever they can find them. And today, the supply chain represents a huge target.
Organizations are increasingly dependent on suppliers and service providers to conduct business. These may include business function outsourcing providers (HR, Payroll, CRM), IT services and infrastructure providers (SaaS, IaaS, PaaS), hardware and software vendors, parts manufacturers, maintenance contractors, and more. And in many cases, these outside companies require access to customer systems and data to do their jobs.
If a supplier has a lax security program—or the organization that does business with them fails to implement proper controls—hackers can exploit the vulnerability to penetrate the defenses of larger organizations. Breaches at Target, Equifax, and Verizon, for example, all happened, at least in part, because of security problems connected with their supply chain. And let’s not forget the NotPetya attack last year where hackers infected a software vendor’s application and then used the vendor’s software update process to implant malware into the systems of unsuspecting organizations.
Small suppliers are especially vulnerable to hackers. They are typically lean organizations with small IT teams and tight budgets, so they have less money and fewer resources to invest in cyber security. And they move fast—which is a strong benefit of being lean. But being fast can lead to omitting or bypassing strong security controls in order to get the job done.
Use Extra Precaution with Suppliers
Your suppliers are part of your team. You depend on them. You trust them. They provide a valuable service to your organization, and they’re an essential part of your success. If they weren’t, you wouldn’t use them.
Hackers want to exploit these trusted relationships. So, you need to be extra careful when working with suppliers—especially suppliers you’ve never worked with before. Taking the following steps will help:
Maintain a Complete List of Suppliers – Do you have a comprehensive list of all the third-party providers you work with? Do you know which ones have access to sensitive data? Many organizations don’t have this information. In fact, according to a survey conducted by the Ponemon Institute, only 35% of the organizations surveyed said they had a list of all the third parties they share sensitive data with.
Perform Due Diligence – Have you properly vetted all your suppliers? How will they ensure your data is protected? What process do you follow when signing up a new supplier or service provider? Make sure to follow a thorough, consistent process when reviewing any third-party supplier. And make sure their security processes are up to your standards.
Insist on a Strong Security Program – Regulations are making this easier. But just because a regulation exists, it doesn’t mean everyone will follow it. The responsibility for making sure that your third-party providers follow sound security practices is yours. Insist that they implement a strong security program. And if they won’t, then find another provider.
Audit Your Providers Regularly – “Set it and forget it” doesn’t work as a security strategy, especially when you’re working with suppliers. Make sure they are periodically audited. What was secure a day or a week ago may not be secure today. Things change in suppliers’ environments, and when you’re dealing with a smaller organization that doesn’t have the staff, budget, or cyber security capabilities, things can change pretty quickly. And that can leave you exposed as their business partner.
Audit All Third-Party Security Privileges – What data are you sharing with your suppliers? What systems can they access? What process do you follow to activate and deactivate supplier IDs and privileges? Make sure you perform regular audits of the security privileges granted to third-party providers. You don’t want suppliers to have access to systems and data that they shouldn’t have access to or the ability to perform critical system functions without authorization. And make sure you have a consistent process for monitoring and managing supplier IDs. If a supplier’s ID is compromised, you want to know about it before any damage is done.
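The five steps above (inventory, due diligence, a required security program, periodic audits, and privilege audits) can be turned into a repeatable check against a supplier register. The script below is an added example written for this post, not code from the author or from any product the post mentions. It assumes a simple in-memory register of suppliers and the third-party accounts provisioned for them; the supplier names, account IDs, privilege labels, the 365-day audit interval and the 90-day inactivity limit are all constructed placeholders, and a real deployment would read this data from the identity provider and vendor-management system instead.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

# Policy thresholds (assumed values for this example; tune to your own program).
AUDIT_INTERVAL = timedelta(days=365)    # re-audit every supplier at least yearly
INACTIVITY_LIMIT = timedelta(days=90)   # flag enabled supplier IDs unused this long


@dataclass
class Supplier:
    name: str
    handles_sensitive_data: bool
    vetting_completed: bool               # due diligence finished before onboarding
    last_security_audit: Optional[date]   # None means never audited
    contract_end: Optional[date]          # None means open-ended contract
    approved_privileges: Set[str]         # the scope this supplier is allowed


@dataclass
class SupplierAccount:
    supplier: str                         # must match a Supplier.name
    user_id: str
    enabled: bool
    privileges: Set[str]
    last_login: Optional[date]            # None means never used


@dataclass
class Finding:
    supplier: str
    subject: str                          # supplier name or account ID
    issue: str


def audit_suppliers(suppliers: List[Supplier], accounts: List[SupplierAccount],
                    today: date) -> List[Finding]:
    """Apply the inventory, due-diligence, audit-cadence and privilege checks."""
    findings: List[Finding] = []
    by_name = {s.name: s for s in suppliers}

    # Supplier-level checks: due diligence and audit cadence.
    for s in suppliers:
        if s.handles_sensitive_data and not s.vetting_completed:
            findings.append(Finding(s.name, s.name,
                                    "sensitive data shared before due diligence completed"))
        if s.last_security_audit is None:
            findings.append(Finding(s.name, s.name, "never audited"))
        elif today - s.last_security_audit > AUDIT_INTERVAL:
            age = (today - s.last_security_audit).days
            findings.append(Finding(s.name, s.name,
                                    f"last security audit {age} days ago "
                                    f"(limit {AUDIT_INTERVAL.days})"))

    # Account-level checks: every supplier ID must map to an inventoried supplier,
    # stay within approved scope, and be deactivated when unused or after contract end.
    for a in accounts:
        s = by_name.get(a.supplier)
        if s is None:
            findings.append(Finding(a.supplier, a.user_id,
                                    "account belongs to a supplier missing from the inventory"))
            continue
        if not a.enabled:
            continue  # already deactivated; nothing to flag
        if s.contract_end is not None and s.contract_end < today:
            findings.append(Finding(s.name, a.user_id, "still enabled after contract end"))
        excess = a.privileges - s.approved_privileges
        if excess:
            findings.append(Finding(s.name, a.user_id,
                                    f"privileges beyond approved scope: {sorted(excess)}"))
        if a.last_login is None or today - a.last_login > INACTIVITY_LIMIT:
            findings.append(Finding(s.name, a.user_id,
                                    f"enabled but unused for more than {INACTIVITY_LIMIT.days} days"))
    return findings


# Constructed sample register; a fixed "today" keeps the run reproducible.
TODAY = date(2018, 6, 1)
SAMPLE_SUPPLIERS = [
    Supplier("PayrollCo", True, True, TODAY - timedelta(days=400), None, {"hr_portal_read"}),
    Supplier("HVAC Maintenance", False, False, TODAY - timedelta(days=30),
             TODAY - timedelta(days=10), {"bms_vendor_portal"}),
    Supplier("CRM SaaS", True, False, None, None, {"crm_api"}),
]
SAMPLE_ACCOUNTS = [
    SupplierAccount("PayrollCo", "payroll-svc", True, {"hr_portal_read"}, TODAY - timedelta(days=120)),
    SupplierAccount("PayrollCo", "payroll-svc-old", False, {"hr_portal_read"}, None),
    SupplierAccount("HVAC Maintenance", "hvac-tech-01", True, {"bms_vendor_portal"}, TODAY - timedelta(days=5)),
    SupplierAccount("CRM SaaS", "crm-integration", True, {"crm_api", "domain_admin"}, TODAY - timedelta(days=1)),
    SupplierAccount("RetiredVendor", "old-vendor-01", True, {"file_share"}, TODAY - timedelta(days=200)),
]


def run_sample() -> List[Finding]:
    """Run the audit over the constructed register and return the findings."""
    return audit_suppliers(SAMPLE_SUPPLIERS, SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.supplier:18} {f.subject:18} {f.issue}")
```

Run on the constructed register, the audit surfaces each failure mode the post describes: a supplier that received sensitive data before vetting and has never been audited, a supplier whose yearly audit lapsed, an account left enabled after its contract ended, an integration account holding a privilege outside its approved scope, an enabled ID nobody has used in months, and an orphaned ID for a supplier that is not in the inventory at all. The disabled account produces nothing, which is the state every retired supplier ID should end up in.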