What's Lurking in Your Supply Chain?
You may think your company is well protected when it comes to cybersecurity, but an often overlooked source of vulnerability is your supply chain. If you can't honestly say you are fully apprised of the security postures of your vendors, partners, and contractors, then you are already at major risk of a cyberattack.
Up to 80% of all security breaches start in the supply chain, estimates a 2018 KPMG report. Alarmingly, 59% of global companies say they've experienced a data breach caused by one of their vendors—and in the United States, that climbs to 61%, according to a 2018 Opus and Ponemon Institute survey.
Consider Facebook and Target's recent breaches. Several third-party Facebook app developers accidentally exposed millions of users' credentials in 2019, and Target's attackers leveraged stolen network credentials from an unlikely sounding source—its refrigeration and HVAC systems provider. You are only as strong as your weakest link, so you must think beyond your internal network.
It is a common misconception that criminals are interested only in larger companies. My firm's 2019 Identity Breach Report finds that cybercriminals are shifting their focus to target more small businesses. Nefarious actors recognize that smaller companies likely do not have adequate budgets to allocate to cybersecurity, but still hold valuable assets, and they use to their advantage small to mid-sized businesses' assumptions that they are not worthy targets.
Cybercriminals will exploit your weak supply chain if you are not prepared. They will infiltrate their primary target by attacking its partners (who have access to the target's sensitive data). According to Carbon Black, 50% of attacks use "island hopping," in which a bad actor launches an attack against the company's partner network as a key tactic.
How to Fight Back
What steps can your organization take to prevent these attacks? Start by assessing and vetting your internal and external business partners.
Whether hiring a new contractor or forming a new partnership, conduct a thorough background check and look for red flags. Do these companies follow best practices and implement adequate protections?
More companies are also starting to add language in contracts about cybersecurity to ensure their supply chain's cyberhygiene is up to par. Enforce reasonable standards of security; if partners can't meet these standards, then they will have to face the consequences.
Third-party audits are another vital way to make sure your partners and vendors are compliant.
Each industry maintains its own regulatory compliance requirements and certifications. Organizations such as SecurityScorecard can oversee risk assessments that independently provide security scores for vendors. Even smaller companies should perform these risk assessments annually at minimum.
Finally, track and maintain an inventory of companies and individuals that access every type of sensitive data your company requires. You may find that certain parties can view data they don't need for their roles. Your organization loses control when you cannot assure the chain of custody of any business data.
Should you or a supply chain partner suffer a breach, swift response is important. To respond rapidly, you must already have created a comprehensive and partner-aware incident response plan to make sure you are on the same page as every link in your supply chain.
Your company's risk extends beyond your own company. Proactively address issues with your supply chain before it's too late.