Supply Chain Cyberattacks – Keeping your clients secure
The world is a giant supply chain in action.
For example, the smartphone in your pocket may have been designed in California, but likely procures parts from 43 different countries and is sold across the world. Nearly every asset, tool, or device you possess involves components of a complex supply chain.
Your business is also likely part of a greater supply chain, and being cyber secure requires each link in that chain to do its part. Many of the large cyberattacks in the news are the result of a supply chain vendor with lax cyber defenses being exploited so that hackers can reach its clients.
Trust is the binding factor
As cyberattacks become more sophisticated, companies are being forced to rethink their sense of trust between vendor and client. Up until now, most companies never had to consider the cybersecurity postures of the companies within their supply chain. Now, ignoring the cybersecurity practices of the companies you work with is a liability. Any third party with weak security practices increases the attack surface and the number of potential entry points for a cyberattack.
It is not that the businesses within the supply chain are bad actors or knowingly engaging in these attacks themselves. The reality is simply that attackers always look for the path of least resistance and will exploit weak systems to maximize their profit.
The Weakest Link
Cybercriminals are getting innovative. Going beyond the regular phishing links or websites, hackers are increasingly finding that ransomware is an easy and effective way to extort money from legitimate businesses. Now, more sophisticated hackers are offering Ransomware-as-a-Service (RaaS) to petty criminals so that even those without any technical ability can bring a business to its knees.
To execute these attacks, most attackers look for the weakest links in a supply chain, such as small vendors with subpar cybersecurity practices or sloppy security measures. Since transmissions from the vendor to the client are usually viewed as secure, hackers infiltrate the vendor's system and transmit the ransomware or malware to their primary target.
All of this makes the attack difficult to detect with existing cybersecurity defenses or audit trails.
Risk-Mitigation through Assessment – SCRM
The Alliant Cybersecurity team follows the MITRE ATT&CK standards. A Supply Chain Risk Management assessment in line with MITRE helps assess systems, components, software, organizational processes, and workforce issues for vulnerabilities or weaknesses that attackers may exploit.
As per the MITRE guidelines, Alliant Cybersecurity's advisors understand your place in the supply chain completely before we begin our assessment.
A few critical decisions that the Alliant team will help you make or guide you through are:
- Understand the criticality of the system as a whole and of its parts.
- Assess the supply chain threat(s).
- Make an informed build-versus-buy decision.
- Determine the best SCRM practices and determine their sufficiency.
- Make sure your Risk Management Plan is in line with government efforts in this direction.
- Understand and prepare an action plan to face the consequences in case of a breach.
Supply Chain Cybersecurity Best Practices
Here are a few steps Alliant can help you take to mitigate supply chain risks for you and your clients.
- Get a clear picture of the entire threat landscape
Map the entire supply chain with your team and include every small detail. Understand where each piece of your product comes from, and if possible, understand their suppliers too.
- Follow and insist on following the standards, policies, and governance
Make sure you and your vendors follow all the industry's best practices and are certified accordingly. These may include HIPAA compliance, OWASP standards, NIST, MITRE ATT&CK, etc. It is better to conduct proper security audits for all existing and new vendors.
- Move towards zero trust implementation
Make all access and data available only on demand. Zero trust calls on organizations not to automatically trust anything, not just outside but even inside their boundaries. Organizations instead must verify, and only then grant access to, anything and everything that is trying to become part of the network or connect to existing systems.
- Implement proper information access management practices
The more vendors or people have access to data they do not need, the higher the risk. Third-party vendors are often targeted by hackers on the assumption that they have weaker practices than larger enterprises.
- Choose to secure by code and cover the risk at the coder/developer level
Protect all endpoints and make sure all the code used in the products is well tested. Encourage software that is secure by design and by coding practice, rather than relying on a security layer added afterwards. Also, encourage all your vendors to share security patches periodically.
Make yourself cybersecure so you can protect your clients. Call us now to comply with MITRE standards.