What Getting Serious About Third-Party Risk Really Means

The pace of data breaches and intrusions into computer systems is accelerating at an alarming rate. We are seeing unprecedented advancements in the sophistication of attackers. At the same time, the latest and greatest advances in technology have created greater efficiency and effectiveness for organizations and their supply chains.

However, supply chain vendors are equally vulnerable to advanced attacks. The increasing level of access and integration within host organization environments can present risks and potential new avenues of compromise. Therefore, to manage these risks, host organizations must adapt their security procedures to include vendors, partners and even customers. In addition, to secure the supply chain as much as possible, they must closely evaluate their own people, processes and technology.

How Supply Chain Breaches Happen

There are many ways that a supply chain breach could occur. A software manufacturer could be breached via malware that modifies source code, which is then distributed to enterprises that use the software. This exact scenario played out with SolarWinds in 2020-2021.

Another common compromise vector might be the theft of a vendor’s credentials that grant remote access to an enterprise they partner with or provide support to, which then leads to infiltration of the enterprise network from an already trusted source (the vendor network). Over and over again, we’ve seen trusted access come back to bite us, whether from vendors, partners, or other third parties that organizations work with on a regular basis.

It’s time we do a better job at securing our networks and assets from organizations that, while trusted to some extent, may still represent a significant risk to our organizations just by virtue of being connected or providing software or services to us. But how?

A Two-Step Solution

1. Vendor Risk Management

First, we need more effective risk management for vendors and service providers that we employ in our environments or that we use to provision business services (such as cloud providers, for example). Defining critical vendors and service providers (as well as partners) is a starting point, and then we need to carefully evaluate what types of assets and data third-party organizations and solutions will be interacting with.

2. Network Segmentation

Second, we need to do a better job of segmenting networks and connectivity points for any associated third parties to better prevent attacker ingress and lateral movement. Some remote access scenarios for “trusted” associates allow almost total access to systems once connections have been properly authenticated. All third parties should be granted access only to assets that they need, following a classic “need to know” philosophy. Network segments (VLANs or subnets) should be set up based on data types and access models, with proper controls like firewalls and intrusion detection to control all the traffic into and out of the environment.