From outsourced software developers to warehouse management systems, information moves around the globe through multiple devices and organisations. But if data is the oil of this century, then data leakage is the equivalent of an oil spill.
Harman Singh, director at cybersecurity services company Cyphere, is passionate about helping businesses protect their most prized assets. Having helped top-tier brands across the UK, he is responsible for providing advisory services to CIOs and CISOs across the financial services, fintech and e-commerce sectors.
Here he shares his thoughts on supply chain attacks and the need to be wary of third-party suppliers.
The supply chain is an age-old model that adds efficiency to customer service as well as to an organisation's operational and financial position. It has grown more complex in the digital world, where outsourcing and multiple digital endpoints bring trusted and untrusted entities together. This inter-linking of supply chain entities creates new challenges, and one of the prime concerns is cyber-attacks on supply chains.
Supply chains will likely dominate the 2021 news cycle for a negative reason: cyber-attacks. Two recent examples illustrate this, one of them widely considered the worst supply chain cyber-attack in history. A US company, SolarWinds, was at the centre of a supply chain attack in which nation-state actors compromised its software build and shipped poisoned, legitimately signed updates of its Orion platform, using them to make inroads into hundreds of organisations including US government agencies and corporates.
Similarly, this week Mimecast disclosed that a certificate it issued to customers for authenticating its services to Microsoft 365 was compromised by a threat actor. A digital certificate binds an identity to a key pair so that the other side of a connection can verify who it is talking to; whoever holds the matching private key can therefore present that identity. Here the attacker could use the stolen certificate to connect to customers' Microsoft 365 tenants as if they were Mimecast and reach the data those services were authorised to handle.
The core issue is the access an attacker inherits once a supplier is compromised: the supplier's access is trusted, often broad and rarely monitored closely, so the attacker gets the same reach. The consequences are legal, financial and reputational, and they extend to job losses, low morale in security teams and mental health impacts.
The gist of the matter is that the most significant risks sometimes do not come through the front door. Trusted relationships with partners, suppliers and service providers can be compromised with less effort than attacking the host organisation directly. Beefing up one's own security therefore does not guarantee that the organisation is safe from cyber-attacks: your crown jewels can still be reached by abusing your trusted channels, i.e., your supply chain. In some cases this is a chain issue, where the breach occurs much further down the line, e.g. at a supplier's supplier. One instance is a compromised MSSP that provides security services to enterprise customers who are themselves big outsourcers of software development or IT services.
From a cybersecurity perspective, supplier assurance provides a way to maintain confidence in the security process. Supplier assurance shouldn't follow a tick-in-the-box approach, as this produces paperwork rather than assurance. This is one of the mistakes we have noticed several times, where a one-page questionnaire is submitted without any evidence or any communication with the right contacts. A pragmatic approach is needed that builds an understanding of the security measures suppliers actually have in place; this allows analysts to evaluate potential risk exposures. Those exposures depend on several factors, such as your logical and digital connectivity with suppliers' IT assets, the criticality of the services supplied, the data they process and its sensitivity. They may also change over time with new developments in technology or a change in the supplier's threat profile. It is therefore necessary to review supply chain cybersecurity posture frequently.
To counter this threat, it is essential to understand the value of the information held, who has access to it and what needs to be secured. Then communicate with suppliers and gain insight into their security maturity. Assessing the security risk of the supply chain in this way gives a realistic picture, rather than the false sense of security a questionnaire provides. That picture then sets the security requirements for suppliers, which should be communicated clearly, with the organisation working alongside suppliers to reach the required level.
One proactive way in which we are changing practices at Cyphere is by communicating to our customers, and showing them, that tick-in-the-box questionnaires are not working. It is essential to introduce cybersecurity considerations at the procurement stage. New supplier requirement policies should include cybersecurity risk profiling that feeds back into the decision-making process, so that higher-risk suppliers are not taken on by default.
At ground level, this means asking for assurance exercises such as penetration testing or ethical hacking to assess the risks to digital assets, and evaluating the supplier's proactive approach to risk management.
Last but not least, keep raising awareness of security in your supply chain just as you do within your organisation. By supporting your supply chain, you help everyone succeed together while securing your own environment. As attack techniques develop, this is a continuous fight against cybercrime, and continuous security improvements are needed to stay ahead of attackers.