Many organizations downplay the critical aspect of whether their cybersecurity provider has the ability to properly vet a third-party vendor's cybersecurity posture.
There are multiple reasons behind this and there are also considerations of where the cybersecurity vetting process can go off the rails during supply chain purchases.
Generally speaking, as an industry we have the ingredients on hand to dramatically reduce the variety and scale of supply chain threat vectors, yet the reality is that supply chain security for most organizations is still pretty poor.
After giving this situation a great deal of thought, the issue is that supply chain security is considered far too late in the buying cycle to impact the buyer's final decision.
If you consider the psychology of a typical buying cycle, the further the vendor selection and engagement process progresses the less likely a customer is to heed evidence that their preferred vendor poses a risk to the organization.
Too many organizations still don't understand the importance of a secure supply chain in maintaining their own security and end up hiring a cybersecurity partner that doesn't properly prioritize supply chain security.
This lack of prioritization happens for many reasons, even when an organization realizes its security provider is leaving a gaping hole in its defenses. Cost is often a factor. A lack of knowledge about the threat inherent in relying on supply chain vendors, and an unwillingness to rip out the current provider's security stack and replace it with another, are also issues.
The danger behind this line of thought is quite apparent. A quick look at the number of cybersecurity incidents that started in an organization's supply chain should be enough to show that this approach is a recipe for disaster. Without going into detail on each, some of the biggest were the 2020 SolarWinds attack, MOVEit in 2023, and Okta also in 2023.
Trustwave SpiderLabs' recent threat intelligence reports also paint a dark picture regarding the threat posed by third parties. In three of its threat intelligence reports, third-party suppliers are listed as a top threat vector for these verticals: healthcare, hospitality and financial services.
The reports show that cybercriminals often target these third parties as a strategic maneuver. If they successfully breach a third-party vendor, they often gain access to the targeted company's data. End customers are also hit in a more opportunistic manner, where an attacker simply compromises the vendor with no specific target in mind, in the hope that it will lead on to access to more 'interesting' organizations.
Additionally, financial services and other organizations are subject to a wide range of regulations. If a third party fails to comply with these regulations, it could put the financial services or other organizations at risk of fines, penalties, or even criminal prosecution. A cybersecurity vendor conducting a proper vetting program can reveal all this information before it becomes problematic.
Unfortunately, even when an organization opts to give a nod to supply chain security, the method often used to choose a provider is to have it fill out a form and tick the boxes that indicate "we have security." This approach does not go nearly far enough. Simply put, there is no way to say if the supplier is telling the truth or if it even knows if its own supply chain is secure.
Instead, organizations should have a detailed and qualified conversation about risk versus benefit as opposed to simply telling themselves that removing a vendor with poor security will be hard and then letting the chips fall where they may.
The issue comes down to balancing the effort an organization is willing to put into staying secure against the risk of putting in place so much security that it negatively impacts the business.
As we have explained here, Trustwave understands that education and awareness are key inputs when it comes to prioritizing, buying, and using supply chain security.
Our process involves holding a thought-provoking conversation in which we can explain Trustwave's broad experience delivering supply chain security and perhaps educate the client on why their current security product is not working.
Trustwave has vetted thousands of vendors for organizations, and even organizations that have a great reputation as a business partner and would likely sail through a security assessment are often the gateway threat actors use in a supply chain attack.
Every organization needs visibility, even into second- and third-tier vendors; without this level of understanding, you are leaving yourself open to attack.
Here are six general principles to keep in mind when contemplating how to secure your supply chain.
1. Know Your Suppliers
Start with procurement and ask them for a list of a vendor's suppliers, but you'll often have to examine IT suppliers in detail, as well as everything from financial providers to courier companies.
The next step is working out which suppliers matter to your business and assessing the impact that any cyber incident they experience might have on you.
3. Ask the Correct Assessment Questions and Obtain Evidence
Questions should cover the supplier's ability to encrypt data, whether it uses MFA, its password policies, patch management program, architecture and segmentation, cloud usage, and much more. A best practice is to balance the number of assessment questions: too few and you won't know what's actually going on; too many and you'll be lucky to get a response from your suppliers.
The assessment is only as good as the tool or the human analysis behind it. We recommend you know which parameters impact a vendor's risk rating and how that vulnerability may impact your business.
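As an added example (not Trustwave's tool), the following turns the assessment questions listed above into a vendor risk rating: an answer counts in full only when the supplier supplies evidence for it, a bare "we have security" tick counts for less, and the resulting control gap is scaled by the business-impact tier worked out when deciding which suppliers matter. The control weights, evidence credits and tier multipliers are assumed values, and the sample vendor is constructed.

```python
# Added example (not Trustwave's tool): turns the post's assessment questions into a
# vendor risk rating. An answer counts in full only when backed by evidence, and the
# gap is scaled by the business-impact tier. All weights and multipliers are assumed.
from dataclasses import dataclass, field

CONTROL_WEIGHTS = {            # assumed: how much each control drives the rating
    "encrypts_data": 20, "mfa_enforced": 20, "password_policy": 10,
    "patch_management": 20, "network_segmentation": 15, "cloud_usage_controls": 15,
}
EVIDENCE_CREDIT = 1.0          # answer backed by an artefact counts in full
SELF_ATTESTED_CREDIT = 0.4     # a ticked box with no proof counts for less
IMPACT_MULTIPLIER = {"critical": 1.0, "important": 0.7, "low": 0.4}

@dataclass
class Answer:
    implemented: bool
    evidence: bool = False     # pen-test report, policy document, screenshot, etc.

@dataclass
class VendorAssessment:
    name: str
    impact_tier: str           # from the step that works out which suppliers matter
    answers: dict = field(default_factory=dict)

def control_gap(assessment):
    """Weighted share of controls that are missing or unproven, 0..100."""
    gap = 0.0
    for control, weight in CONTROL_WEIGHTS.items():
        ans = assessment.answers.get(control)
        if ans is None or not ans.implemented:
            gap += weight      # unanswered is treated the same as missing
        else:
            credit = EVIDENCE_CREDIT if ans.evidence else SELF_ATTESTED_CREDIT
            gap += weight * (1 - credit)
    return gap

def risk_rating(assessment):
    """Return (score, band, controls claimed without evidence) for one vendor."""
    score = round(control_gap(assessment) * IMPACT_MULTIPLIER[assessment.impact_tier], 1)
    band = "high" if score >= 40 else "medium" if score >= 20 else "low"
    unproven = sorted(c for c, a in assessment.answers.items()
                      if a.implemented and not a.evidence)
    return score, band, unproven

# Constructed sample: a critical-tier supplier that ticked every box but proved only two.
SAMPLE = VendorAssessment("courier-api", "critical", {
    "encrypts_data": Answer(True, evidence=True), "mfa_enforced": Answer(True, evidence=True),
    "password_policy": Answer(True), "patch_management": Answer(True),
    "network_segmentation": Answer(False), "cloud_usage_controls": Answer(True),
})
```

The list of unproven controls returned alongside the score is what the follow-up evidence request should ask for.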
These tools have their place, although the licensing cost is often considerable, particularly if you haven't done step 2 and you're scanning every vendor!
A threat detection service or capability will alert you to incidents and breaches in real time. At a minimum, it will enable you to respond quickly when the worst happens; at best, it will stop the threat before it reaches your critical systems.
Finally, if you're looking to improve resilience against supply chain risks, you can talk to us. Our Supply Chain Risk Diagnostic Service is ready to shorten the time needed to get your SCR management program up and running.
Alternatively, when revisiting your in-house cyber risk assessments, or looking for a more efficient third party to do this for your business, look here for a description of our Managed Vendor Risk Assessment Service.