The last few years have seen a growth in the number of service providers and suppliers with access to sensitive data. With that has come a growth in supply chain attacks: in other words, attacks carried out on your system via an outside provider or partner who has such access. Today, we talk to Patrick Carolan about the supplier chain and the external threats that exist through it.

Patrick, what is your top line view on the external cyber security threats that exist through the supplier chain?

Simply put, cyber-attackers now have so many tools and targets that supplier chain threats have never been so high. We have seen a real growth in cyber security awareness in recent years. This is partly due to the fact that there have been so many different cyber-attacks. It is also partly because of the introduction of new data protection legislation such as the GDPR, for example.

Supplier Chain Attack Examples

Can you give us some examples of supplier chain attacks?

One of the higher profile attacks was the one aimed at Equifax back in 2017. Hundreds of millions of customer records were exfiltrated in a major data breach. Afterwards, it was discovered that there had been multiple security failures that had allowed attackers to access a web portal and then other servers. This allowed them to locate usernames and passwords that were written in plain text.

It doesn’t sound like they had a very robust framework in place.

Apparently not. I believe they had even neglected to renew an encryption certificate on an internal security tool. That just goes to show how important it is to keep on top of every little detail when you are dealing with cyber security.

Can you give us a better idea of the scope of these attacks?

I remember reading the results of a survey in late 2018 / early 2019. It stated that over 50% of organisations had experienced a breach caused by a vendor. I think it was the same report that placed the unauthorised sharing of data by third parties as the second biggest fear for IT professionals that year.

Why might that have been the case, do you think?

For one thing, the risks remain even after a relationship is terminated because contracts don’t tend to tackle that particular process in an adequate fashion. Plus, as I mentioned before, new cyber security regulations are being introduced specifically to bring more focus to third-party risks. These are risks which most companies still struggle to comprehend fully even now. That lack of understanding led to an increase in breaches, as did growth in the open source market.

You are saying that open source market growth generated more data breaches?

Absolutely. There is a huge risk involved when you are dealing with multiple outside vendors for software and hardware. Every single piece needs to be vetted for potential security threats. It wasn’t so long ago that a spate of cyber-attacks was launched against Magento, for example. The bigger problem is that if there is a flawed component and it is deeply embedded in your product, then there is a very good chance it will cause issues in the future. You have to be very mindful of the fact that some software or hardware has been deliberately tampered with at some point in the supply chain.

Cloud threats

You mentioned software and hardware, but what about the risks and threats to the cloud?

Good question. With so many companies and organisations moving away from ‘physical’ data centres to embrace cloud storage solutions, it is only natural that would-be hackers will shift their focus, too. I suppose it comes back down to the fact that you have to be aware of absolutely every potential threat out there in order to stay as secure as possible. Attacks on the supplier chain are growing in terms of numbers but also in terms of how sophisticated they are. Any time a new piece of technology is added into the mix, somebody, somewhere, will find a way to penetrate it. The key is really to build a robust security roadmap that takes all risks and threats into account, and that has an innate understanding of them and how to deal with them.

Be proactive, good advice; can you give us some more tips on how to manage third-party risk?

Well, be thorough, be proactive, really just go the extra mile when you are analysing security policies and privacy policies for existing and potential suppliers. You need to be 100% confident that they are doing everything they can to reduce breaches. Also, never assume that the larger and better known a supplier is, the better and more robust its security infrastructure will be. There are lots of companies who now actually demand a commitment to security from their partners. Some ask them to carry out self-assessments and audits, for example. Ultimately, you are only as secure as your weakest link, whether that be in your own defences or in one of your partners’.

CRIBB Cyber Security

Our experts, Patrick included, are highly skilled and always willing to go the extra mile. They are dedicated and passionate, spending hours each day reading through legislation and documentation. They do this so that they can improve their own understanding of the ever-changing world of cyber security.

Glossary

GDPR – The General Data Protection Regulation, a regulation in EU law on data protection and privacy

Magento – A popular, open source ecommerce platform

Top Tip

To tackle the supplier chain and external threats, focus on your partners’ existing cyber security processes, procedures and policies. If you need any advice, our experts can help.