Third-party data breaches, ransomware attacks, and other cyber incidents are becoming increasingly common. And the risk has only increased as supply chains have expanded globally and large organizations have invested in overseas partnerships. This article will cover the pressing topic of cyber-supply chain risk management (C-SCRM) and share best practices for reducing risk and enhancing your supply chain resilience.
Many enterprise organizations invest in large and comprehensive security programs, but securing the extended supply chain against cyber disruption still remains enormously challenging. It’s therefore essential to gain visibility into not only your third-party security controls, but also the controls used by 4th and Nth-parties further down the supply chain.
Cyber-Supply Chain Risk Management (C-SCRM) is the process of understanding and mitigating cyber risks to your extended supply chain. Managing cyber risk in your supply chain includes taking precautions to secure your organization against direct attacks, as well as mitigating the risk of third-party breaches that can disrupt your ability to deliver products or services to your customers.
The statistics are certainly concerning, according to a recent Prevalent study:
21% of organizations experienced a third-party data or privacy breach in the past 12 months.
51% of respondents reported that their biggest challenge was not enough pre-contract due diligence to identify potential vendor risks.
10% reported a compliance violation related to a lack of third-party oversight.
Getting a handle on C-SCRM can help your organization make informed decisions and choose vendors that take cybersecurity and compliance seriously.
Ransomware is malicious software that prevents access to compromised computer systems, encrypts files on the systems, or threatens the release of sensitive stolen data until money is paid to the attacker. While ransomware has been around since the 1980s, technology advances have enabled criminal actors to attain new levels of scale and sophistication. Instead of mainly targeting SMBs to extort small sums as they did in the past, attackers are now targeting large corporations that are linchpins of the global supply chain.
It’s no surprise that ransomware has been a major news topic this year. For instance, there was the May attack that crippled Colonial Pipeline, causing a multi-week fuel shortage on the east coast of the United States. In June, JBS Foods, the largest meat supplier in the world, paid $11 million in bitcoin in response to a ransomware attack. This was followed in July by an attack against Kaseya that leveled ransomware attacks against thousands of businesses by way of the company’s remote monitoring and management (RMM) tool.
Software vulnerabilities are an often overlooked area of C-SCRM but can be absolutely devastating. Take for example, the recent Solarwinds Breach which left thousands of organizations and government entities IT infrastructure exposed to malicious actors for months. Using software with known vulnerabilities or with poor visibility into security practices can leave your organization vulnerable to significant disruptions, data breaches, and downtime.
Physical and virtual IT access is one of the most obvious areas where third parties can compromise your supply chain. Numerous companies have been hacked as a result of contracts that would seem to have low profiled risk. However, because these contractors had physical access to facilities and IT systems, they were used as a trojan horse by malicious actors to compromise enterprise organizations.
The Target data breach in 2013 provides an example of how risky third-party contractors can be, even for innocuous tasks such as fixing an HVAC system. The contractor in that case was hacked, and their accounts were leveraged to then gain direct access to Target’s IT infrastructure. This breach resulted in the compromise of millions of credit card numbers and other sensitive data.
In many cases cybercriminals don’t immediately hack accounts and steal data when they successfully compromise a company’s email accounts or networks. Instead they take the information and sell it on the dark web for bitcoin, monero, or other cryptocurrencies. This reduces risk for the criminal since they can immediately monetize the stolen goods without the risk required to actively break into accounts and steal data.
According to a recent Prevalent study, 10% of organizations reported a compliance violation related to a lack of third-party oversight in the past 12 months. Organizations are increasingly expected to not only secure personally identifiable information within their own organization, but also to proactively ensure that third parties are securing information. Regulations that you may want to consider include CCPA, GDPR, CMMC, and PCI DSS – among several others.
Free Supplier Risk Monitoring Report
Get a complimentary Prevalent Vendor Threat Monitor (VTM) report for your organization or a third party of your choice.
Vendor risk questionnaires can help provide visibility into suppliers’ cyber security controls and enable you to reduce the risk of violating compliance requirements. We recommend tailoring your vendor questionnaires based on profiled risk and mapping answers to cybersecurity regulations applicable to your organization. Tiering your vendor questionnaires in this way can dramatically speed vendor due diligence while simultaneously reducing compliance and cybersecurity risk.
You may also consider segmenting your questionnaires based on industry. For instance, a software vendor might require a substantially different questionnaire than an onsite HVAC contractor. Effective use of vendor risk questionnaires can simplify compliance, streamline vendor onboarding, and provide visibility into the extended supply chain.
Using a third-party risk management platform can dramatically simplify the process and reduce the time to gauge third-party vendors. In addition, vendor risk intelligence networks contain repositories that include thousands of already completed assessments that can dramatically speed up sourcing, selection, onboarding, and scoring inherent risk.
Bonus Tip: When designing your vendor risk assessment questionnaires, include questions about fourth and Nth parties to gain visibility into risks deeper down the supply chain. Even if your third party has sound cybersecurity controls, one of their vendors could still trigger a data breach that ultimately impacts your organization.
Understanding different types of vendor risk can enable you to make data-based decisions on how to apply vendor risk questionnaires, as well as to accurately compare vendors based on measurable risk. To put it simply:
Many organizations fail to consider that they may be able to mandate cybersecurity controls in contracts. SLAs and other contractual agreements can require third and fourth parties to legally obligate themselves to implement or maintain cybersecurity controls around your organization's sensitive data.
After you’ve onboarded a vendor, practicing continuous third-party monitoring is critical. In many cases, organizations can change their cybersecurity posture in the middle of an ongoing relationship. Without continuous cyber risk monitoring, your risk management program can be entirely in the dark related to a vendor's current cybersecurity posture.
A strong cyber risk monitoring solution will provide intelligence from criminal forums, onion pages, dark web special access forums, threat feeds, paste sites, security communities, code repositories, vulnerability databases, and other sources.
Many companies spend a great deal of time on vendor due diligence, risk questionnaires, and mapping compliance requirements, but fail to plan for the end of the relationship. However, in many ways vendor offboarding is just as important as vendor onboarding. Failure to successfully offboard vendors and ensure that sensitive data has been destroyed and that IT access has been revoked can result in:
Compliance issues if a contract has expired and the vendor still has access to IT systems
Potential data breaches if that vendor has stored PII or PHI of your employees or customers
Insider threat when contractor employees are left with access to data and systems
Third-party cyber risk is growing exponentially. Prevalent provides an easy-to-use platform that enables you to automate vendor risk assessment questionnaires, assign risk scores to vendors, monitor risk and changes over time, and manage and report on third-party risk. Using a dedicated TPRM platform can take the pain out of the vendor risk management lifecycle and enable your team to more efficiently focus on taking steps to reduce organizational risk. To see how Prevalent can help you, request a demo today.