A supply chain attack, also called a value-chain or third-party attack, occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data. This has dramatically changes the attack surface of the typical enterprise in the past few years, with more suppliers and service providers touching sensitive data than ever before.
The risks associated with a supply chain attack have never been higher, due to new types of attacks, growing public awareness of the threats, and increased oversight from regulators. Meanwhile, attackers have more resources and tools at their disposal than ever before, creating a perfect storm.
Examples and scope of supply chain attacks
There's no end to major cyber breaches that were caused by suppliers. The 2014 Target breach was caused by lax security at an HVAC vendor. This year, Equifax blamed its giant breach to a flaw in outside software it was using. It then blamed a malicious download link on its website to yet another vendor.
Then there were the Paradise Papers, over 13 million files detailing offshore tax avoidance by major corporations, politicians, and celebrities. The source? Like last year's Panama Papers, it was a law firm that was the weakest link.
These aren't isolated cases. According to a survey conducted this fall by the Ponemon Institute, 56% of organizations have had a breach that was caused by one of their vendors. Meanwhile, the average number of third parties with access to sensitive information at each organization has increased from 378 to 471. That number might be a little low. Only 35% of companies had a list of all the third parties they were sharing sensitive information with.
Only 18% of companies said they knew if those vendors were, in turn, sharing that information with other suppliers. That's a problem, because customers don't care if it was the company's supplier that lost the data, not the company itself.
The problem gets worse when you consider that the risks don't end when the supplier relationship is terminated. This fall, Domino's Australia had a security breach and revealed that a former supplier's system had leaked customer names and email addresses. "Most contracts I review don’t include adequate details for managing the tricky process of vendor termination," said Brad Keller, senior director of third party strategy at Prevalent.
Plus, regulators are increasingly looking at third-party risks. Last year, New York State financial regulators began requiring financial firms with a presence in New York to ensure that their suppliers' cyber security protections were up to par.
Next year, Europe will do the same, with its General Data Protection Regulation (GDPR), that applies to all companies that collect personal information from Europeans. GDPR fines are steep — up to 4% of total global revenues.
Third-party risk regulations are still in their early stages, and many companies don't have a good handle on these risks, said Peter Galvin, VP of strategy and marketing at Thales e-Security.
"Financial firms are used to these, and are much more prepared," he added. "But many companies don't understand the risks, and you're going to see an increase in breaches, and you're going to see more legal action."
Experts expect that more regulators will start requiring companies to do more about third-party risk than they do today. "It's been a continued trend that we've seen," said Eric Dieterich, data privacy practice leader at Focal Point Data Risk, LLC.
Risks hiding in the hardware and software supply chain
Almost every company uses outside software and hardware. Nobody builds all their technology from scratch anymore. Each purchased device, each downloaded application needs to be vetted, and needs to be monitored for potential security risks, and all patches have to be up to date.
Not only is a company's own data at risk, but if the flawed software or hardware component is embedded into a product it may cause more security problems down the line. A computer chip infected with a security backdoor, a camera without strong authentication or a bad software component can do widespread damage. The Heartbleed bug, for example, affected millions of websites and mobile devices as well as software by many major vendors including Oracle, VMware and Cisco.
"We worry about manipulation, we worry about espionage, both nation state and industrial level, and we worry about disruption," said Edna Conway, chief security officer for the global value chain at Cisco Systems. For example, hardware or software products may have been deliberately tampered with somewhere up the supply chain or replaced with counterfeits.
Cisco is also worried about losing confidential information or sensitive intellectual property (IP) due to a third-party breach, Conway said. "We are committed to delivering solutions that operate in the way that they are intended to operate," she said. "If your customers are not satisfied, if your reputation is damaged, it impacts the bottom line. That trust element is absolutely essential, and reputation is the business venue where trust manifests itself."
Many companies have quality standards in place that suppliers must meet. Cisco is using the same approach for security. "The method I’ve been deploying allows us to establish tolerance levels to the members of the third-party ecosystem's adherence to our values and goals, customized for the unique nature of products and service that the third party provides to us," said Conway.
"Once you have tolerance levels, you can start measuring if are you are at, above or below tolerance levels. If they’re out of tolerance, we sit down together, and say, 'How can we work together to address that?'"
Cloud provider security risks
The single, streamlined organization has been replaced by a digital ecosystem where everything from individual applications to entire data centers has moved to cloud providers. "What you have to protect is so far outside your environment," said Fred Kneip, CEO at CyberGRX. "And hackers are smart. They go for the path of least resistance."
Even hardware now comes cloud-enabled, Kneip said. "The default setting for an IoT welding tool for an automotive line is to send diagnostics to the manufacturer so they can do predictive maintenance," he said. "That sounds awesome, but that can also be a channel back into your whole environment."
Professional services firms may be even less secure
"Security is really only as good as the weakest link," said John Titmus, director of sales engineering EMEA at CrowdStrike, a security vendor. "Supply chain attacks are getting more widespread and growing in frequency and sophistication. You need to understand the nature of the risks and develop a security roadmap around it."
This summer, Deep Root Analytics, a marketing firm used by the Republican National Committee, leaked the personal data of 200 million voters. This is a small company, that, according to its LinkedIn profile, has fewer than 50 employees. Deep Root Analytics accidentally put the data on a publicly accessible server.
Larger service companies are also vulnerable. The Verizon breach, which involved six million customer records, was caused by Nice Systems, a provider of customer service analytics. Nice put six months of customer service call logs, which included account and personal information, on a public Amazon S3 storage server.
Nice reports that it has 3,500 employees and provides services to more than 85% of Fortune 100 customers. Nice is tiny compared to Deloitte, an accounting firm with more than a quarter million employees. In September, Deloitte admitted that hackers were able to access emails and confidential plans of some of its blue-chip clients. According to reports, the attackers gained access due to weak access controls on an administrator account.
"We wouldn't be surprised if we saw more supply-side organizations being hit by attackers to reach their final goal," said Kurt Baumgartner, principal security researcher at Kaspersky Lab.
How to manage third-party risk: First steps
Proper oversight of third-party cyber security risk pays dividends beyond just the compliance benefits. it actually reduces the likelihood of a breach, according to the Ponemon report. "You can reduce the incident of a breach by 20 percentage points," said Dov Goldman, VP for innovation and alliances at Opus Global., the company that sponsored the study.
Specifically, if a company evaluates the security and privacy policies of all its suppliers, the likelihood of a breach falls from 66% to 46%. That does include all suppliers, Goldman added.
"The big relationships might not be the biggest risk," Goldman said. The biggest suppliers are likely to have elaborate cyber security defenses already in place. "But if you look at smaller organizations, they don't have that same level of cyber security control," he said.
Once a company understands who all the vendors are, and which of them have access to sensitive data, a variety of tools are available to help assess the level of their security. For example, some companies are including security in the service level agreements with their suppliers, said Tim Prendergast, CEO at Evident.io, a cloud security company.
"We're seeing a movement toward requiring an agreement from the provider showing their commitment to security," he said. "They ask those providers to enforce similar controls on their partners. We're seeing a legal cascade of these contracts."
Vendors may be asked to do self-assessments, allow customer visits and audits, or purchase cyber insurance. Sometimes, a more thorough assessment is necessary. "We've seen a lot of companies perform audits on their service providers," said Ryan Spanier, director of research at Kudelski Security. "One large financial institution that we work with requires audits and gets to come onsite and run their own penetration tests and see where the data is and how its protected."
Smaller customers however, may not have that kind of clout. "They just require evidence of third-party audits, see the results and get to review them," he said. "Then they mandate that some of the things get fixed before they'll continue to do business with the company. You can also limit yourself to companies you know are doing a good job with security, which is tough, because there aren't many of them right now."
In addition, there are organizations that provide security scores. For example, BitSight Technologies and SecurityScorecard look at vendors from the outside, rating companies on how secure their networks are to attacks.
For deeper assessments, looking at vendors' internal policies and processes, Deloitte and CyberGRX have teamed up to do the reviews as well as ongoing assessments, saving vendors from responding to each of their customers individually. “Companies today need to approach third-party cyber risk as a business risk that needs to be continuously managed," said Jim Routh, CSO of Aetna. "The CyberGRX Exchange enables all companies to take this approach."
A couple of financial industry groups are doing something similar. In November, American Express, Bank of America, JPMorgan and Wells Fargo teamed up to create a vendor assessment service called TruSight. In June, Barclays, Goldman Sachs, HSBC and Morgan Stanley announced that they were taking an equity stake in the Know Your Third Party risk management solution from IHS Markit.
These days, third-party risk management requires a new approach, said Routh. "One that enables companies to understand where risks lie within their digital ecosystem, tailor their controls according to those risks, and collaborate with their third parties to remediate and mitigate those risks."