Supply Chain Attack: Everything you need to know, but may not want to...
In October 2020, CSO Online published an article on supply chain attacks and the risks presented by third-party vendors, suppliers, and professional service partners. The article referenced the attacks at Equifax, Target, and the Panama Papers, and way back in October 2020, those were the big stories when discussing 3rd party/supply chain risk.
While CSO Online touched on the risks from software and hardware manufacturers, the article centered more on smaller software development firms and open-source technology. Whether or not the writers at CSO Online were simply less creative than the criminals, there was no mention of anything on the scale of what we saw with SolarWinds.
With IT directors now facing the prospect of literally “burning entire IT ecosystems to the ground”, here’s everything you should know (in about 500 words) about supply chain attacks in 2021:
- What is a “Supply Chain Attack”?
A supply chain or supply-side attack (also called a value-chain or third-party attack) is when criminals infiltrate your systems by exploiting vulnerabilities in a third-party vendor or outside partner. Consider your lawyer, CPA, or other partners who hold sensitive/private data, as well as a SaaS product, your CRM, or even your computer’s operating system or antivirus.
- The Real Scary Stuff (Boo!)
Third-party software attacks have always concerned technologists and security experts. But the focus has been more on the risks presented by “less reputable developers”, shareware, or apps built on open-source code. Not anymore! Imagine the most integrated piece of technology you use: your antivirus, your Microsoft apps, your web browser, or even your networking equipment and hardware. The technology you rely on most has trusted access to every part of your company.
- Who Owns Third Party Risk?
At the end of the day, it’s your business that’s on the hook. Litigation is an option, but the fine print in that end-user license agreement or contract likely limits the supplier’s liability. Businesses carrying cybersecurity insurance will certainly find themselves in a better post-attack position, and most policies should cover business losses stemming from a third-party attack. Obtaining coverage, however, is much more of a process than it was even a few years ago, as underwriters now require additional scrutiny of internal processes, including monitoring, user training, documentation, and policy controls.
- What if You’re the Third-Party Vendor or Professional Service Partner?
The other side of the blade is when you are the third party responsible for the breach. It’s one thing to have a breach; it’s another to be the cause of a client’s breach. Lawsuits and irreparable damage to relationships and reputations are inevitable.
- How to Protect Your Company.
With the possible exception of Google, pretty much every business on the planet uses third-party software and hardware. Proactive security measures include limiting the hardware and software used in your environment and auditing your vendors… all of your vendors. That means vetting and monitoring every device, every provider, and every downloaded application. It’s a big task, especially as organizations increase their dependence on apps to improve collaboration or simplify remote access. This is where a comprehensive technology strategy is critical. Minimize inventory to cut down on redundancies and reduce your attack surface.
The unfortunate truth is that it’s nearly impossible to completely isolate yourself from a supply-side attack. But here’s the thing: other attacks are far more destructive for the small/midsize business community, and those hits are largely preventable!
Because we like to focus on what we can control, and because we’re here to educate and help business leaders make the best decisions possible, we recommend every business work with a trusted IT advisor who can provide a comprehensive security strategy to protect your business and help you sleep at night.