Most businesses today are highly dependent on goods and services from vast networks of third-party providers. Studies find that the typical company has more than 500 supply chain partners, although large multinational brands often have 100,000 or more. While these relationships create economies of scale and operational efficiencies, they also create exposure to a variety of cyber threats.
Malicious actors now commonly exploit supply chains to distribute malware to mass numbers of victims simultaneously. In a typical supply chain attack, hackers plant malware in software provided by third-party partners. Customers become infected when they install or update the software.
Such attacks more than tripled in 2021, according to the federal government’s National Counterintelligence and Security Center (NCSC), and they are on pace to reach a new high this year. In a recent global study of CIOs, 82 percent admitted their organizations are vulnerable to cyberattacks targeting supply chains.
Organizations can limit their exposure by conducting robust due diligence before contracting with third-party vendors and suppliers. As part of the process, organizations should ask the following questions to evaluate a supplier’s ability to guard against supply chain threats:
How often do you conduct security assessments?
Ideally, vendor partners should be conducting risk and vulnerability assessments and penetration tests at least quarterly to identify and close any gaps in their security posture that would make you vulnerable. The assessment process should include an audit of all network and security devices to ensure that they are properly patched and updated.
How do you guard against phishing attacks?
Supply chain attacks typically begin with a phishing email that allows a hacker to compromise a vendor and exploit its customer connections. Your potential partners should have a well-developed employee awareness program that emphasizes good password hygiene. They should also employ content filtering techniques to screen emails, IP addresses and executable files for malicious content.
What threat detection tools do you use?
Many of today’s advanced malware variants are fileless, leaving few or no artifacts on disk, which makes them nearly impossible to detect with traditional signature-based antivirus and antimalware tools. Endpoint detection and response (EDR) solutions use behavioral analysis and machine learning to identify malicious activity by its tactics, techniques and procedures (TTPs) and take steps to block it.
Do you restrict access privileges?
Potential partners should enforce the principle of least privilege, granting users and devices access only to the resources explicitly approved for them. Even if a threat gets inside the network, privilege restrictions limit its ability to reach critical systems and data.
Do you have cybersecurity insurance?
In addition to covering losses due to cyberattacks, insurance demonstrates a commitment to security. To obtain a policy, the provider must have shown the underwriter that multiple security controls are in place, including multifactor authentication, network access controls, incident response plans, network segmentation and more.
What level of security expertise do you have on staff?
IT vendors should be able to demonstrate a high level of commitment to information security. Look for providers that have a well-staffed security organization led by a chief information security officer (CISO). Additionally, look for vendors whose security staff hold respected certifications such as CompTIA Security+, Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) and Certified Cloud Security Professional (CCSP).
Verteks recognizes that organizations with limited IT expertise on staff may feel unprepared or uncomfortable having discussions about security with their supply chain partners. We can provide important talking points and guidance, and we can help you establish a solid risk management program. Contact us to learn more.