In a world of ever-growing cybersecurity threats, it’s no longer enough to focus only on your own company, its defenses, and the fraudsters plotting to break through them. You also have to worry about the potential danger posed by third-party vendors in your supply chain.
“Compromising the right partner is a force multiplier for cybercriminals,” Verizon notes. In other words, it’s very efficient for them to compromise a supply chain vendor, because once that’s done, all the vendor’s clients are compromised too.
The danger associated with supply chain cyberattacks is often referred to as “third-party risk,” and there are two primary forms:
Effectively managing supply chain cyber security risk requires companies to extend their information security perimeters. Failure to do so, as Target and others have discovered, can lead to a range of consequences, from customer data breaches to account takeovers. Such events can cause operational disruptions; loss of data, including intellectual property; financial losses; and reputational damage.
To minimize third-party vendor risk, companies need to thoroughly review the information security policies and practices of their vendors before bringing them on and then at regular intervals.
Start by reviewing the vendor’s Service Organization Control 2 (SOC 2) report, an outside auditing firm’s evaluation of its controls. Make sure the vendor has implemented key security principles such as segregation of duties and “least privilege.”
The principle of least privilege limits individual users’ access rights to ensure only vendor employees who need it will have access to your data. A vendor should have an identity and access management (IAM) policy outlining what access each employee will have to your data and what they are allowed to do with it.
Companies should also investigate to see if a vendor has any technical vulnerabilities. For instance, does its software have all the necessary, up-to-date patches? Are its security settings properly set, allowing it to defend against unauthorized access? And is any of the vendor’s technology at the end of its life or no longer supported by the supplier?
You should review higher-risk vendors at least once a year. Also, consider reviewing vendors with access to your company’s most sensitive data and core banking processes on site, where your staff member or a contracted auditor can witness whether the vendor is actually practicing the principles such as segregation of duties and least privilege that are attested to in the SOC 2 report.
Companies can also use third-party information security ratings providers to bolster their evaluations. These providers will review a vendor’s technology controls and provide a report with a score. Be sure to choose a provider that is commonly used by your industry.
Also include in your evaluations a review of the vendor’s financial health and stability. This can tell you if the vendor is well-positioned and a healthy company, and therefore more likely to invest appropriately in information security.
Here are five actions you can take to protect your company against supply chain cyberattacks:
1. Stay informed. Keep abreast of news that might require you to take action to protect your systems and data from a supply chain attack. On June 3, 2022, for instance, software vendor Atlassian introduced software patches to address a critical security flaw affecting its popular Confluence server and data center products. By staying informed, users, including a number of U.S. federal agencies, were able to immediately block all internet traffic to and from the affected products and apply the patches.3
2. Use fewer vendors and evaluate each one more thoroughly. Using fewer vendors reduces the “attack surface” of your supply chain and thus your overall exposure to cyberattacks. It also makes it more manageable to conduct deeper and more effective security reviews.
3. Limit and control third-party vendor access. This gets back to ensuring that your vendors practice the principle of least privilege. You only want vendors to have access to data relevant to the functions they provide on your behalf. The more access to data a third party has, the greater the risk of a cyber incident.
4. Identify and evaluate the controls of any fourth parties. Does your vendor contract with other parties that might have access to your network or data? For instance, you might have a company hosting your servers that subcontracts out to another company for database management. If that fourth party has connectivity with your systems or could potentially cause a disruption of your third-party vendor’s services, you need to subject that fourth party to a security review as well.
5. Increase the cybersecurity awareness of your employees. Regardless of where attacks originate, it’s important that you have employees who are alert and educated about potential cyber threats. According to the 2022 Verizon report, between social engineering attacks, human errors and misuse of privilege, “the human element accounts for 82% of analyzed breaches over the past year.”1 Educating and training employees on how to spot and report issues can have a major impact on reducing the risk of a cyber incident.
The potential for supply chain cyberattacks is a huge and growing risk for companies. These days, all businesses are connected to the internet, and the threat has only been magnified as we’ve moved from local to global supply chains.
As a result, it’s critical that all companies work to fully understand the risks they face related to third parties, have a complete list of all companies involved in any of their supply chain activities, and ensure they have the proper controls in place to protect themselves.
At U.S. Bank, your privacy and security are our priority. We’re constantly enhancing our systems to keep your data secure and provide seamless technology experiences. Learn more about protecting your organization with our fraud prevention checklist or contact U.S. Bank for help with your fraud prevention plan.
1. “Ransomware threat rises: Verizon 2022 Data Breach Investigations Report,” Verizon press release, May 24, 2022. https://www.verizon.com/about/news/ransomware-threat-rises-verizon-2022-data-breach-investigations-report
2. “Target to pay $18.5M for 2013 data breach that affected 41 million consumers,” USA Today, May 23, 2017. Available at: https://www.usatoday.com/story/money/2017/05/23/target-pay-185m-2013-data-breach-affected-consumers/102063932
Also: “Inside Target Corp., Days After 2013 Breach,” KrebsOnSecurity, Sept. 21, 2015.
3. “Atlassian Releases Security Advisory for Confluence Server and Data Center, CVE-2022-26134,” Cybersecurity & Infrastructure Security Agency, June 2, 2022, https://www.cisa.gov/news-events/alerts/2022/06/02/atlassian-releases-security-advisory-confluence-server-and-data