Supply Chain Attack: Everything you need to know, but may not want to...

In October 2020, CSO Online published an article on supply chain attacks and the risks presented by third-party vendors, suppliers, and professional service partners. The article referenced the attacks at Equifax, Target, and the Panama Papers, and way back in October 2020, those were the big stories when discussing 3rd party/supply chain risk.

While CSO Online touched on the risks from software and hardware manufacturers, the article centered more on smaller software development firms and open-source technology. Whether or not the writers at CSO Online are simply less creative than the criminals, there was no mention of anything on the scale of what we saw with SolarWinds.

At a time when IT directors could literally be faced with “burning entire IT ecosystems to the ground”, here’s everything you should know (in about 500 words) about supply chain attacks in 2021:

  • What is a “Supply Chain Attack”?

A supply chain or supply-side attack (also called a value-chain or third-party attack) is when criminals infiltrate your systems by exploiting vulnerabilities in your third-party vendor or outside partner. Consider your lawyer, CPA, or other partners who hold sensitive or private data, as well as any SaaS product, your CRM, even your computer’s operating system or antivirus.

  • The Real Scary Stuff (Boo!)

Third-party software attacks have always concerned technologists and security experts. But the focus has been more on the risks presented by “less reputable developers”, shareware, or apps built on open-source code. Not anymore! Imagine the most integrated piece of technology you use: from your antivirus, to your Microsoft apps, to your web browser, or even networking equipment and hardware. The technology you rely on most has trusted access to every part of your company.

  • Who Owns Third Party Risk?

At the end of the day, it’s your business that’s on the hook. Litigation’s an option, but the fine print on that end-user license agreement or contract likely limits the supplier’s liability. Businesses carrying cybersecurity insurance will certainly find themselves in a better post-attack position, and most policies should cover business losses stemming from a third-party attack. Obtaining coverage, however, is much more of a process than it was even a few years ago, as underwriters now require additional scrutiny of internal processes, including monitoring, user training, documentation, and policy controls.

  • What if You’re the 3rd Party Vendor or Professional Service Partner?

The other side of the blade comes when you are the third party responsible for the breach. It’s one thing to have a breach; it’s another to be the cause of a client’s breach. Lawsuits and irreparable damage to relationships and reputations are inevitable.

  • How to Protect Your Company.

Except for Google, pretty much every business on the planet uses third-party software and hardware. Proactive security measures include limiting the hardware and software used in your environment and auditing your vendors…all of your vendors. That means vetting and monitoring every device, every provider, and every downloaded application. It’s a big task, especially as organizations increase their dependence on apps to improve collaboration or simplify remote access. This is where a comprehensive technology strategy is critical. Minimize inventory to cut down on redundancies and decrease your threat surface.

The unfortunate truth is that it’s near impossible to completely isolate against a supply-side attack. But here’s the thing: other attacks are much more destructive for the small/midsize business community, and those hits are largely preventable!

As we like to focus on what we can control, and we’re here to educate and help business leaders make the best decisions possible, we recommend every business work with a trusted IT advisor who can provide a comprehensive security strategy to protect your business and help you sleep at night.