Why You Need Visibility of Your Supply Chain Cyber Risks

When it comes to cybersecurity, the common tack is to build out your network defenses and then extend them to endpoints. But as business becomes more connected and as data moves further outside the organizational walls, enterprises must look for weaknesses across every area that depends on technology – and a good place to focus is the supply chain.

Think about how many partners, suppliers and customers have access to different areas of your business. According to the 2016 Vendor Vulnerability survey from Bomgar, an average of 89 third-party vendors access a typical company’s network each week, and 75% of the surveyed organizations said the number of third parties they work with has increased over the last two years. Additionally, more and more companies are outsourcing critical business infrastructure to third parties that provide numerous “as-a-service” capabilities. This in turn creates or magnifies an additional business resilience risk that is largely unchecked.

Each of these touch points creates another area of possible exploitation. But the risk posed by the growing number of third parties is often not adequately addressed. In fact, PwC’s 2015 U.S. State of Cybercrime Survey found only 16% of respondents evaluate third parties’ cybersecurity more than once a year – and nearly a quarter do not evaluate third parties at all. Ever.

Lack of visibility into your supply chain cyber risks can translate into real-world attacks that disrupt business operations and lead to stolen data, lost customers, costly remediation and long-term brand damage. Then there are the potential consequences of any regulatory and legal actions that may follow. Your cyber defense is only as strong as the weakest link in the security chain.

Last week, I wrote a blog post about a web hosting provider that was compromised by AlphaLeon, a cybercriminal group that has a history of stealing banking information, bitcoins, and gaming credentials, delivering ransomware, sending spam and gaining access to and distributing web cam images and videos of individuals. The web-hosting provider, Invision Power Services, serves as the user web forum for some big brands including professional sports leagues as well as major media and entertainment companies.

These companies entrusted their web hosting provider to perform a service based on the agreed-upon contractual terms. Even if the impacted companies are not at fault, they still have their own customers, brand and reputation to protect.

Put yourself in the shoes of the end user. You visit one of these popular sites and in turn get your machine infected with a trojan, which then steals your sensitive banking credentials or turns on your web cam without your knowledge and takes images and/or videos of you. Who’s to blame? Who ultimately takes the brand hit?

If you are going to outsource a service that has cyber risk tied to it, you are outsourcing a portion of your brand and reputation - and you want to keep tabs on it.

The lack of supply chain cybersecurity poses a major problem – and a potential risk blind spot – for enterprise organizations. Sixty-nine percent of companies that participated in the 2016 Vendor Vulnerability survey said they “definitely/possibly suffered a security breach resulting from vendor access within the last year”. These cyber events impact nearly every industry group.

[Chart: Third Party Breaches Over the Last 12 Months By Industry]

As you outsource capabilities to other vendors, your cyber risk exposure expands. With more connectivity points into the enterprise, the supply chain is a ripe target for cybercriminals. To close supply chain backdoors into your business, you must go beyond your traditional network and endpoint security approaches to:

• Gain visibility of and understand outside-in risks posed by your supply chain
• Establish your own “private ISAC” and share intelligence with your suppliers
• Collaborate with your business partners on adversary activity
• Cast a wide intelligence collection net to include your third-party vendors

Supply chains are growing more complex, and more data is flowing outside of organizations’ walls than ever before. Gaining awareness of supply chain risks and addressing them in the context of broader risk management programs – and then continuously monitoring those problem areas – will put organizations in a much better position when it comes to managing their cyber risk.

Adam Meyer is Chief Security Strategist at SurfWatch Labs. He has served in leadership positions in the defense, technology, and critical infrastructure sectors for more than 15 years. Prior to joining SurfWatch Labs, he was CISO for the Washington Metropolitan Area Transit Authority. He formerly served as the Director of Information Assurance and Command IA Program Manager for the Naval Air Warfare Center, Naval Air Systems Command, one of the Navy's premier engineering and acquisition commands. Mr. Meyer holds undergraduate and graduate degrees from American Military University and Capitol College.