The last few years has seen a growth in the number of service providers and suppliers having access to sensitive data, and with it a growth in supply chain attacks – in other words, an attack carried out on your system via an outside provider or partner who has such access. Today, we talk to Patrick Carolan about the external threats that exist through the supplier chain.
Patrick, what is your top line view on the external cyber security threats that exist through the supplier chain?
Simply put, cyber-attackers now have so many tools and targets at their disposal that supplier chain threats have never been so high. We have seen a real growth in cyber security awareness in recent years, partly due to the fact that there have been so many different cyber-attacks and partly because of the introduction of new data protection legislation such as the GDPR, for example.
Can you give us some examples of supplier chain attacks?
One of the higher profile attacks was the one aimed at Equifax back in 2017, when hundreds of millions of customer records were exfiltrated in a major data breach. Afterwards it was discovered that there had been multiple security failures that had allowed attackers to access a web portal and then other servers, where they were able to locate usernames and passwords that were written in plain text.
It doesn’t sound like they had a very robust framework in place.
Apparently not, I believe they had even neglected to renew an encryption certificate on an internal security tool, which just goes to show how important it is to keep on top of every little detail when you are dealing with cyber security.
That was certainly a high-profile example, do you have other examples, or perhaps you can somehow give us a better idea of the scope of these types of attacks?
I remember reading the results of a survey in late 2018 / early 2019, which stated that over 50% of organisations had experienced a breach caused by a vendor. I think it was the same report that placed the unauthorised sharing of data by third parties as the second biggest fear for IT professionals that year.
Why might that have been the case, do you think?
For one thing, the risks remain even after a relationship is terminated because contracts don’t tend to tackle that particular process in an adequate fashion. Plus, as I mentioned before, new cyber security regulations are being introduced specifically to bring more focus to third-party risks, risks which most companies still struggle to comprehend fully even now. That lack of understanding led to an increase in breaches, as did growth in the open source market.
You are saying that open source market growth generated more data breaches?
Absolutely, there is a huge risk involved when you are dealing with multiple outside vendors for software and hardware, with every single piece needing to be vetted for potential security threats. It wasn’t so long ago that a spate of cyber-attacks were launched against Magento, for example. The bigger problem is that if there is a flawed component and it is deeply embedded into your product, then there is a very good chance it will cause issues in the future. You have to be very mindful of the fact that some software or hardware has been deliberately tampered with at some point in the supply chain.
You mentioned software and hardware, but what about the risks and threats to the cloud?
Good question, with so many companies and organisations moving away from ‘physical’ data centres to embrace cloud storage solutions, it is only natural that would-be hackers will shift their focus, too. I suppose it comes back down to the fact that you have to be aware of absolutely every potential threat out there in order to stay as secure as possible. Attacks on the supplier chain are growing in terms of numbers but also in terms of how sophisticated they are, and any time a new piece of technology is added into the mix, somebody, somewhere, will find a way to penetrate it. The key is really to build a robust security roadmap that takes all risks and threats into account, and that has an innate understanding of them and how to deal with them. At CRIBB, we always try to adopt a ‘security by design’ approach in everything we do, which we have found to be a very effective stance as you are being proactive rather than being reactive. It isn’t always possible and even when it is, you often find yourself reacting to new developments, but that is the challenge.
Be proactive, good advice; can you give us some more tips on how to manage third-party risk?
Well, be thorough, be proactive, really just go the extra mile when you are analysing security policies and privacy policies for existing and potential suppliers. You need to be 100% confident that they are doing everything they can to reduce breaches, and do not assume that the larger, more well-known they are, the better and more robust their security infrastructure will be. There are lots of companies who now actually demand a commitment to security from their partners, asking them to carry out self-assessments and audits, for example. Ultimately, you are only as secure as your weakest link, whether that be in your own defences or in one of your partners’.
CRIBB Cyber Security is part of theICEway ecosystem of companies, which has provided a complete digital solution for clients in healthcare, cruise, travel & retail for more than 20 years. Our experts, Patrick included, are highly skilled and always willing to go the extra mile. They are dedicated and passionate, spending hours each day reading through legislation and documentation, all so that they can improve their own understanding of the ever-changing world of cyber security.
GDPR – The General Data Protection Regulation, a regulation in EU law on data protection & privacy
Magento – A popular, open source ecommerce platform
To reiterate Patrick’s words, make sure that you take as keen a look at your partners’ existing cyber security processes, procedures and policies as you do your own. If you need any advice, our experts can help.