Avoiding Cyberattacks through Vendors/3rd Parties
Target Corporation suffered a massive data breach during the 2013 holiday shopping season that exposed the personal information of up to 110 million customers. Hackers did not directly breach Target’s cyber defences. They first used a spear phishing attack to compromise a refrigeration contractor, and then used the contractor’s remote link to Target’s systems for electronic billing to enter Target’s network and eventually scrape data from the retailer’s point-of-sale systems.
The Target breach demonstrates the importance of cybersecuring the supply chain. Even though it was a contractor’s cybersecurity that was weak, the impact on Target was severe:
- Potential $3.6 billion liability
- Quarterly profit fell by almost 50%
- Share price dropped 11%
A chain is only as strong as its weakest link. Cybercriminals know this, which is why they are increasing their attacks on smaller, low-profile targets in the supply chain to find a way into larger organisations that make financially rewarding targets. A study by the Ponemon Institute revealed that 59% of companies have suffered a data breach through a third party. It is clear that cybersecurity in the supply chain is a critical issue that requires more attention.
Supply Chain Cybersecurity – The Enterprise Checklist
Given the severe consequences of an attack that originates through a 3rd party, there are several steps that the modern enterprise must take to cybersecure their supply chain:
- Map the Supply Chain – Weak links cannot be strengthened without first ascertaining how long the chain is and how many links it has. The modern business paradigm is to focus on core activities and outsource non-core activities to 3rd parties. While a sound business strategy, it may significantly increase the attack surface – the previously mentioned study by the Ponemon Institute discovered that companies share sensitive information with 583 third parties on average. When mapping this supply chain, it is also important to identify whom the company’s vendors outsource to, as a vulnerability may arise in a 3rd party’s 3rd party
- Define 3rd Party Cybersecurity Requirements – When discussing vendor contracts, it helps if you have a clearly defined cybersecurity requirement that they need to meet to qualify as a supplier. This is particularly important for smaller vendors who will most probably not have a cybersecurity policy of their own. The cybersecurity requirement document should lay down technical requirements (such as version of operating system and applications to be used), IT practices (including updating software and patching hardware), and data control protocols (passwords, restricting data access to those who need access, disabling data storage device access, etc.). Simply put, all cybersecurity best practices that are appropriate to their tasks/level of data access should be followed by the vendor/3rd party
- Audit each Link in the Chain – There is no point in having a cybersecurity requirement document if it is not followed by vendors. Compliance should be enforced first by self-declaration and then verified through an audit to ensure that all the required cybersecurity measures are in place and are being followed. Such reviews should be repeated at intervals to ensure consistent enforcement. Contracts should also stipulate penalties for non-compliance to ensure that all firms in the supply chain understand that cybersecurity is a must-have rather than a nice-to-have
- Restrict 3rd Party Access to Corporate Systems – Integrating all partners into the company’s ERP or project management systems can improve communication, reduce turnaround times, and cut costs of inventory management. However, this should not come at the cost of cybersecurity. When any vendor or 3rd party is granted access to enterprise systems, there should be a process in place to verify:
  - If such access is required
  - The extent of access that is required
  - The conditions under which access should be revoked
  - If a Maker-Checker process is in place for the previous points
- Verify Vendor Support – Off-the-shelf products, such as hardware devices used either by the company or 3rd parties, can be entry points for an attack if the vendor does not provide timely updates. These also form part of the supply chain and vendor/OEM support should be verified/stipulated in the contract before a purchase order is issued
- Specify Endpoint Cybersecurity – The refrigeration contractor involved in the Target data breach was using free anti-malware that may not have offered adequate security to stop the cyberattack. Specifying the type of endpoint security, and the exact features required, to be used by the 3rd party on any of their systems, irrespective of whether they are used to connect to the company’s network or not, is necessary to ensure that cybersecurity requirements are met
It is important to remember that even a large enterprise may be a part of another organisation’s supply chain and should ensure that they do not cause a cybersecurity incident in a client in addition to safeguarding their own operations. NotPetya, the most destructive cyberattack in history, was spread by compromising the update mechanism of a Ukrainian accounting software company which led to their customers being infected with the ransomware that then spread across the planet and caused $10 billion in damage.
K7 Security’s Endpoint Security protects enterprises across a wide variety of industries and business functions from malware, ransomware, phishing, and zero-day attacks. Contact us to learn more about how we can help you and your supply chain stay cybersafe.