The risks of supply chain attacks are greater now than ever before. Take the diagnostics company LabCorp’s recent disclosure of a breach at a third-party company where approximately 7.7 million customer files were exposed. It’s just one example of many highlighting how an organization’s supply chain can introduce significant cyber threats with damaging business impacts.
Adversaries continually seek new ways to infiltrate organizations, finding entry points through third-party suppliers and vendors. Companies must consider not only how well equipped their internal organization is to defend against threats, but also the threats that third-party suppliers and vendors introduce into their organization.
Without high-confidence visibility into your supplier security levels, it’s extremely difficult to understand whether inbound materials or systems have been compromised. In Booz Allen’s 2019 Cyber Threat Outlook report, we discussed how Internet of Things devices that often permeate supply chains are increasingly becoming difficult to monitor. However, companies must understand how to protect these expanding attack surfaces within their supply chains. Here are three ways that organizations can avoid supply chain attacks.
No. 1: Assess and understand your supplier network
When using third-party service providers that have virtual access to your organization’s information systems, you and the vendor must establish a certain level of trust and transparency about what data is available, who has access to it, and how it will be used.
By building relationships with your suppliers, you can work together to track risk factors such as ownership, manufacturing locations, supplier relationships, and available attack surface. You can begin to implement continuous monitoring throughout the product lifecycle, perform deep multidimensional analytics with open source tools, and eventually expand your scope of vetting to include subcontractors. Recent activity from MageCart, a retail cybercriminal gang notorious for injecting credit card-stealing code into e-commerce sites, underscores the importance of vetting third-party-provided website code and highlights the potential difficulty of securing websites that are not completely developed in house. Consider including your expectations for security controls and periodic auditing within vendor contracts to ensure that your selected suppliers meet the same level of scrutiny as your internal enterprise.
No. 2: Know the risks associated with your third-party partners and suppliers
To determine how adversaries may seek to disrupt your business operations or manufacturing production, first consider the motivations behind a potential attack. You should also identify your most valuable assets, such as intellectual property, proprietary information, and customer information.
By pinpointing these motivations and assets, your organization can figure out which systems and areas of your supply chain to protect and how to prioritize your cybersecurity investments. Implementing efforts like threat hunting, sensor deployment, and centralized log aggregation can help you uncover evidence of activity that’s already happening, gain deep cross-enterprise visibility, or identify gaps in your organization’s capability to detect such activity. A consolidated monitoring capability provides visibility into cyber threats faster and helps uncover complex attack chains.
No. 3: Include the supply chain in your response and remediation plan
Don’t be overly confident: Just because you’ve done the pre-work in evaluating your vendors and monitoring your systems doesn’t mean your network environments are risk free. In a recent study, 97 percent of long-tenured pharmaceutical executives think their companies are well prepared to handle an enterprise-wide cybersecurity incident.1 This false perception clearly shows overconfidence into the visibility of their supply chain.
When an incident does occur, it’s best to be practiced, poised, and ready to swiftly and effectively eradicate infection and minimize damage throughout your supply chain environments. Establish a coordinated approach to managing your supply chain environments and enterprise incident response to drive a well-synced response effort. Don’t assume that suppliers will handle everything for you. Even if they have an incident response team, understand up front how that team will or will not be integrated into your own. Learn exactly what they’ll alert you about, when they’ll alert you, and how it will be communicated. Planning for the worst allows your organization to understand what’s happening during an incident, whom from your suppliers to engage with, and how to work together so all parties are equipped to mitigate the damage faster and better.
The Bottom Line
Increasing visibility into your supply chain, building a trusted relationship with your suppliers, and having a plan in place in case of a supply chain breach can help your enterprise mitigate supply chain risks. Learn how your organization can work to avoid cyber attacks and implement a cybersecurity plan that considers the entire supply chain management and ecosystem.
Learn more about Booz Allen’s Cyber Strategy and Assessments.
1 IPSOS/BoozAllen joint ICS in Pharma Study, May 2019.