Managing Third-Party Cyber Risks Across The Extended Supply Chain
08/04/2023 :: Jeremy Pickett :: @jeremy_pickett
TLDR: The essay discusses the escalating cybersecurity risks that arise from an organization's interactions with third parties such as contractors, managed service providers, and SaaS applications. Historically, companies have focused on fortifying their proprietary infrastructures but, as shown through examples like the 2014 JPMorgan Chase breach and the SolarWinds hack, vulnerabilities in third-party services can lead to significant cyber incidents.
The essay also highlights the widespread lack of oversight of vendor security, with over half of organizations reportedly admitting to insufficient supervision. However, in response to the growing threat, businesses are beginning to implement Cyber Supply Chain Risk Management (CSCRM) strategies, such as comprehensive assessments and robust governance of security protocols across all external partners. Apple is mentioned as a leading example of proactive third-party risk management.
Finally, the essay underscores the importance of extending supply chain risk management (SCRM) beyond immediate partners, demonstrating the potential for disaster with examples like the Target and Uber breaches. A truly resilient defense requires rigorous security measures across the full downstream supply chain. The essay concludes with the recommendation that organizations establish stringent security requirements for all suppliers, conduct regular security audits, and have robust incident response plans in place.
The concept of fortifying enterprise perimeters has been a significant focus for CISOs in recent years. However, as their understanding of the intricate web of cybersecurity expands, it has become increasingly apparent that the potential surfaces for cyber risk reach far beyond the confines of an organization's proprietary infrastructure.
In today's digital world, an array of third parties - contractors, managed service providers, SaaS applications, and more - play integral roles in day-to-day operations. These entities can greatly amplify risk due to the intertwined nature of their security dependencies. Consider a financial firm that uses a third-party payment processing service, for instance. Any security vulnerability in that service could potentially expose the sensitive financial information of the firm's clients.
These vulnerabilities are not just theoretical; they have manifested in real-world scenarios with alarming frequency. Consider the 2014 cyber breach at JPMorgan Chase. The breach, which affected 76 million households and 7 million small businesses, originated from a compromised server owned by a third-party website, proving that a breach in one part of the ecosystem could lead to disastrous consequences elsewhere.
Another disturbing trend is the lack of oversight many organizations exhibit concerning their vendors. A 2022 Ponemon Institute report revealed that over half of organizations confessed their supervision of vendors was barely adequate. This lack of attention to third-party risk has become increasingly untenable as the number of cyber breaches via supply chain channels continues to rise.
The SolarWinds breach, one of the most significant cyber espionage incidents to date, served as a stark reminder of this vulnerability. In that event, attackers infiltrated the systems of thousands of SolarWinds customers by compromising an update to the company's Orion software, which was then distributed via the standard supply chain channels. The incident was a wakeup call to organizations worldwide about the potential perils of ignoring their supply chain's security.
In response to these disconcerting trends, businesses are starting to implement robust Cyber Supply Chain Risk Management (CSCRM) strategies. These strategies strive to provide a comprehensive framework for managing cybersecurity risks across all external partners, from direct vendors to partners further down the supply chain. Companies like Apple, which reportedly maintains strict security audits of its suppliers, serve as a model in this regard. Their proactive approach to third-party risk is becoming a must-have, not just a nice-to-have, in today's business environment.
The primary objective of Cyber Supply Chain Risk Management (SCRM) is to secure an organization's expansive ecosystem by conducting comprehensive assessments and establishing robust governance of security protocols across all external partners. However, SCRM must extend beyond immediate tier 1 relationships - the partners with which an organization interacts directly. To build a truly resilient defense, organizations must delve deeper, applying rigorous security measures across the full downstream supply chain, from tier 2 suppliers and beyond.
To illustrate, imagine an automotive company that not only works directly with parts suppliers (tier 1) but also indirectly with the suppliers of raw materials to those parts manufacturers (tier 2), the transportation companies that move these materials and parts (tier 3), and so forth. Each link in the chain presents a potential point of vulnerability that could be exploited, with potentially disastrous consequences.
Recent history provides stark examples of the magnitude of supply chain dangers. In 2013, the retail giant Target suffered a massive breach that led to the theft of data of over 40 million customers. The origin of this breach? A phishing attack on a smaller company, Fazio Mechanical Services, a refrigeration contractor. Hackers were able to compromise the contractor's account and gain a backdoor entry into Target’s payment systems. The incident underlines how cybercriminals can exploit weaker links in the supply chain to infiltrate larger, otherwise secure, organizations.
Then there's the notorious 2016 Uber incident. A data breach exposed personal data of 57 million Uber users and 600,000 drivers. This breach was facilitated by server access granted to a third-party cloud service provider. In a misguided attempt to minimize fallout, Uber concealed the breach for over a year, leading to serious reputational damage and regulatory repercussions. The incident underscores the risk of providing third-party vendors with unchecked access to critical systems and the importance of transparency in handling such breaches.
More recently, the SolarWinds hack emerged as one of the most sophisticated cyber espionage campaigns to date. Here, hackers infiltrated the IT systems management software Orion by adding malicious code to its updates. Once the corrupted updates were distributed and installed across SolarWinds' customer base, the attackers had access to the systems of thousands of organizations, including multiple U.S. government agencies and Fortune 500 companies. This incident illustrates the dangers lurking in software supply chains and the devastating cascading effects of a single compromised element.
These instances, and others, emphasize the importance of comprehensive SCRM. As part of this, organizations need to establish stringent security requirements for all suppliers, regularly conduct security audits, and ensure all software updates are rigorously checked before deployment. Businesses must also have incident response plans ready in the event of a breach, including clear communication strategies to maintain trust with customers and stakeholders.
In essence, SCRM is not just about protecting an organization's own systems but requires a broader view. By understanding the risks in their supply chain, organizations can better mitigate them, reducing the chances of a successful cyber attack and ensuring their business's long-term resilience.
The cases mentioned, along with others, exemplify the unfortunate consequence of neglecting supply chain security. When organizations do not diligently enforce privileged access controls and effectively audit vendor risk management programs, they inadvertently leave their systems exposed to potential breaches. Privileged access controls are integral as they limit access to vital systems and data to only those individuals who require it for their role. When these controls are not adequately managed, it opens up a possible route for bad actors to gain unauthorized access.
Moreover, the inadequacy of auditing vendor risk management programs can mean that vendors, who may have less stringent security protocols, become the weak link in the security chain. For instance, in the case of the Target breach, hackers were able to gain access to Target's systems via an HVAC contractor who had not implemented stringent security measures. This underlines the importance of thorough auditing and insistence on robust security measures for all vendors.
In the realm of supply chain security assessments, many organizations resort to quick audits and questionnaires that are designed to map controls to standard frameworks like Service Organization Control 2 (SOC2). This framework offers guidelines for managing customer data based on five "trust service principles"—security, availability, processing integrity, confidentiality, and privacy.
While it is a necessary part of maintaining security, merely adhering to SOC2 or other similar standards is not sufficient. These compliance checklists, although helpful, often overlook the application of security practices in real operational contexts. They do not consider how employees interact with controls on a day-to-day basis or how procedures function under unusual circumstances, which can lead to an incomplete picture of an organization's actual security posture.
Furthermore, such compliance-focused assessments often focus on immediate tier 1 partners, those vendors with whom a company directly interacts. While ensuring the security of these partnerships is crucial, it is equally important not to disregard the potential risks presented by tier 2 and further downstream partners. These are the vendors with whom a company's direct suppliers work, and they can present hidden vulnerabilities.
For example, a SaaS provider (a tier 1 vendor) might subcontract some of its storage needs to a cloud service provider (a tier 2 vendor). If the cloud service provider suffers a data breach, it could affect all the clients of the SaaS provider, even if those clients have no direct relationship with the cloud service provider. Therefore, an organization's security assessment should extend beyond the immediate circle of tier 1 partners to include a comprehensive evaluation of risks throughout the full supply chain.
Progressive Cyber Supply Chain Risk Management (CSCRM) programs are adopting a more holistic approach, moving past the typical checkbox audits and implementing in-depth evaluations of vendor security measures. This comprehensive examination includes conducting technical testing like red team attacks. This technique emulates real-world cyber-attacks to stress test and validate the effectiveness of a vendor's defenses. By testing in this way, organizations can verify the strength of their suppliers' security measures under realistic conditions, helping identify potential weaknesses before they are exploited by actual threat actors.
Alongside these live tests, CSCRM programs should also subject partner SOC2s and ISO 27001 audits to meticulous scrutiny. These frameworks are internationally recognized standards for managing information security and can be informative. However, without careful review, they can also give a false sense of security. An in-depth analysis allows organizations to fully understand each partner's security measures, commitment to maintaining those measures, and their overall security posture.
Executive interviews add another dimension to these reviews. Conversations with a company's leadership can provide a qualitative understanding of the company's culture and commitment to cyber risk mitigation. If the executive team clearly prioritizes security, it's more likely that this mindset will filter down through the organization, influencing behavior at all levels.
Moreover, comprehensive CSCRM should expand the purview of reviews beyond tier 1 suppliers. It should aim to gain an understanding of the entire downstream supply chain. One approach to achieving this is to require partners to contractually disclose any subvendors that have access to data. This will help to reveal otherwise unseen risks, such as fourth parties that host cloud data or managed service providers that use subcontractors with potentially lax security measures.
Central documentation and tracking of third-party risk assessments are critical for maintaining an effective CSCRM program. Distributed spreadsheets and decentralized systems can create gaps and inconsistencies, making it hard to get a complete view of risk. Purpose-built vendor risk platforms, like CyberGRX, address this issue. These platforms serve as authoritative repositories of partner risk data across the supply chain, providing constant visibility and compliance monitoring tools. They form the backbone of modern CSCRM programs.
Key functionalities of such platforms include dynamic questionnaires, which adjust according to the responses given, providing a more tailored risk assessment. They also feature risk matrices calibrated to various impact levels, which can help prioritize the mitigation of risks that could have the most significant consequences. Integrated automated processing of partner assessment data allows for scalable oversight and real-time monitoring of risk, helping to keep pace with the ever-changing threat landscape.
Such platforms enable buyer teams to easily review risks across their suppliers based on established security benchmarks. By centralizing all this information, organizations can rapidly identify areas of concern and take timely action. Ultimately, the objective is not just to spot and mitigate risks, but also to cultivate a culture of security within the entire supply chain. This comprehensive and dynamic approach is at the heart of leading CSCRM programs.
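As an added illustration (not code from the essay, nor from CyberGRX or any other vendor risk platform), the following Python walks a constructed tier map from tier-1 partners through their contractually disclosed subvendors, computes which data classes each downstream party can actually reach, and ranks every party on a likelihood-by-impact matrix. All vendor names, data classes, assurance levels and scale values are assumptions invented for the example.

```python
"""Tiered vendor exposure walk: an added illustration, not any platform's code.

Models the essay's point that a breach at a tier-2 or tier-3 subvendor reaches
every upstream customer whose data flows through it, and that the highest-scoring
party may be a fourth party the organization has no contract with.
"""
from collections import deque

# Constructed sample disclosure: vendor -> {subvendor: data classes granted to it}.
SUBVENDORS = {
    "payroll-saas":    {"cloud-host-a": {"PII", "bank"}, "support-bpo": {"PII"}},
    "cloud-host-a":    {"backup-dc": {"PII", "bank"}},
    "support-bpo":     {"offshore-sub": {"PII"}},
    "hvac-contractor": {},
}
# Tier-1 partners and the data classes the organization shares with them.
TIER1 = {"payroll-saas": {"PII", "bank"}, "hvac-contractor": {"network"}}

# Constructed risk matrix: impact per data class, likelihood per assurance evidence.
IMPACT = {"bank": 5, "PII": 4, "network": 3}
LIKELIHOOD = {"audited": 1, "questionnaire": 3, "none": 5}
ASSURANCE = {"payroll-saas": "audited", "cloud-host-a": "questionnaire",
             "support-bpo": "questionnaire"}  # any vendor missing here has no evidence

def walk_exposure(tier1, subvendors):
    """Breadth-first walk from tier-1 partners.

    Returns {vendor: (lowest tier reached at, data classes reachable)}. Data
    reaching a subvendor is the intersection of what its parent holds and what
    the disclosed edge grants, so an over-declared edge cannot inflate exposure.
    A vendor reached again with new data is re-expanded so its children update.
    """
    exposure = {}
    queue = deque((v, 1, frozenset(d)) for v, d in tier1.items())
    while queue:
        vendor, tier, data = queue.popleft()
        first = vendor not in exposure
        prev_tier, prev_data = exposure.get(vendor, (tier, frozenset()))
        merged = prev_data | data
        exposure[vendor] = (min(prev_tier, tier), merged)
        if not first and merged == prev_data:
            continue  # nothing new reaches this vendor; children already covered
        for sub, granted in subvendors.get(vendor, {}).items():
            queue.append((sub, tier + 1, merged & frozenset(granted)))
    return exposure

def score(vendor, data, assurance):
    """Likelihood (from assurance evidence) times the worst impact among reachable data."""
    worst = max((IMPACT[d] for d in data), default=0)
    return LIKELIHOOD[assurance.get(vendor, "none")] * worst

def prioritized(tier1=TIER1, subvendors=SUBVENDORS, assurance=ASSURANCE):
    """Rows of (score, tier, vendor, sorted data classes), highest risk first."""
    exposure = walk_exposure(tier1, subvendors)
    rows = [(score(v, d, assurance), t, v, sorted(d)) for v, (t, d) in exposure.items()]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

if __name__ == "__main__":
    for s, t, v, d in prioritized():
        print(f"score={s:2d} tier={t} {v:16s} data={','.join(d)}")
```

With the sample map, the top-ranked party is the tier-3 backup data centre that holds bank data with no assurance evidence, ahead of every tier-1 partner.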
An all-encompassing Cyber Supply Chain Risk Management (CSCRM) program carries a dual advantage. On one hand, it assures an enterprise of secure operations, shielding it from potential cyber threats. On the other hand, it upholds a moral responsibility to manage supply chain threats that could potentially expose customers, the most vital stakeholders, to undue harm. This dual focus underscores the essence of CSCRM: to safeguard both internal operations and external relations.
Drawing a parallel with the manufacturing industry, just as manufacturers take measures to protect end consumers from defective parts, organizations are expected to secure their entire digital ecosystem. This involves everyone and everything that interacts with their data and systems - contractors, managed service providers, SaaS apps, and subvendors. This protective umbrella extends far beyond the organization's immediate environment, aiming to secure all touchpoints in the digital supply chain.
Leading CSCRM programs and sophisticated third-party risk management practices uphold this expected standard of care in the digital economy. These programs scrutinize the interconnected landscape of data exchanges, ensuring each entity handling the organization's data meets stringent security standards. While this task can be daunting, given the complex web of relationships and dependencies, it's a necessary undertaking in today's interconnected world.
Promoting security across the modern supply chain isn't just a strategic business move - it's an operational imperative and moral obligation for conscientious CISOs. It represents their commitment to safeguarding not only their organization's assets but also the interests of all stakeholders in their digital ecosystem. A rigorous CSCRM program speaks volumes about a CISO's dedication to maintaining secure environments, marking them as champions of cybersecurity in their sector.
By thoroughly mitigating risk across the supply chain, these leaders not only protect their organizations from financial and reputational damage but also contribute to a safer, more secure digital economy. This commitment to rigorous risk management sets the bar for cybersecurity and reaffirms the need for security diligence in every part of the digital supply chain. As we continue to witness the increasing sophistication of cyber threats, such comprehensive and proactive approaches to supply chain security are not just desirable, they are indispensable.