Trustwave Blog

Managing Supply Chain Cyber Risk: Know What You Control – and Detect What You Don’t

As we announce Managed Vendor Risk Assessment (MVRA), a first-of-its-kind cyber supply chain risk assessment solution for enterprises and SMBs in the Pacific region, the importance of cyber risk mitigation has been at the forefront of conversations we’ve been having with our customers. And on the heels of the SolarWinds breach, it hasn’t been far from any IT leader’s mind.

Yet as much as supply chain cyber risk has been circling the headlines lately, it is hardly a new phenomenon. Think back to the Lockheed Martin breach of 2011, in which a breach of the RSA SecurID system was used to attack Lockheed Martin’s networks. What was then deemed a “new era of cyber espionage” had a ripple effect that altered the way we look at cyber defense. What organizations did then and what they do now after a breach – whatever the magnitude – is telling: Have they learned from the vulnerabilities presented? Have they applied new security measures to account for what has been revealed? If your neighbor is broken into, you can no longer act as if a break-in is a “black swan event” or unexpected.

Most of us have accepted that supply chain breaches are unavoidable; and the double-edged sword of supply chain risk is that whatever you expect of your suppliers, your clients will also expect of you. In most cases, as more is outsourced, you are both a supplier of information, services or goods and a client benefiting from a supplier’s information, services or goods. Knowing that a supply chain is no stronger than its weakest link, we cannot blame suppliers in moments of breach, positioning them as the enemy or threat (there’s a difference between a threat and a vulnerability, after all). But while suppliers aren’t a threat, they do pose risks that must be accounted for by better understanding the landscape of cyber risk today.

What is cyber risk?

When thinking about risks associated with failure or unauthorized use or access to information systems, it’s natural to consider software security first. But there’s so much more to it, as is clear with supply chain risk. Hardware and firmware play a role, as well as the people with which you do business: the organizations that you outsource to, offshore teams contributing to your workforce, and partner organizations that export data to you impact your risk portfolio. It’s important to ensure that risk introduced by all stakeholders within this ecosystem is understood and managed. And with thousands of suppliers connected to thousands of their own suppliers, this gets complicated fast.

As we define cyber risk, there are different types to consider. Let’s review these and why they matter:

Geopolitical risk

We’ve seen an uptick in cyberattacks conducted by actors with nation-state ties and geopolitical motives. Though most organizations are more likely to be collateral damage than a target in these types of attacks – and that changes what you should do about it – legitimate concerns about data integrity and trust arise in the wake. If you rely on suppliers, or technology, originating in a nation where there could be nation-state interference,  

Supplier breach risk

Some supplier breaches – such as ransomware attacks – restrict service delivery. This can be mitigated through supplier diversity so that if one supplier affecting fulfillment is down, another can help offset the impact. Other breaches that provide access to your environment or breaches that ultimately compromise your data residing with an impacted third-party supplier – like many law firms or financial institutions targeted for customer data – will require a more rigorous response.

Technology compromise risk

The SolarWinds breach has shown us again the exponential impact of a single vulnerability. While it is an extreme example – because of its intent and the way it was executed – the reality is that the entire software industry lives within an ongoing cycle of patching and vulnerability assessment. This is not going to change; how we evolve our approach to move towards a resilience mindset – with an increased focus on detection and rapid response – is key.

Lessons learned? How to actively manage risk

Lots of discussion has taken place on the best way to manage supply chain cyber risk. Recommendations such as using trusted networks, information sharing, scenario planning, and quantification metrics have been broadly accepted by organizations as reputable as the World Economic Forum. These are sound, but they don’t solve the problem unless deployed by all stakeholders – and that’s a tall order. A rising tide of improved risk management must start from within, remembering what’s in your control first. Keep these things in mind:

  • Build a strong relationship between procurement and security. Knowing that supplier lists are often incomplete and outdated, get a proactive grasp on changing vendor dynamics by building a relationship with your procurement team for cyber risk integration. Because procurement is often only involved with certain levels of vendor acquisition, you’ll better identify gaps if they understand the risks associated with reduced visibility into supplier changes.
  • Triage your supplier list by security risk health. Once you can more clearly see the full supplier ecosystem, triage your list by importance and create a process for evaluating the effectiveness of each supplier’s security. Specialized support for an undertaking like this may help make this important component of your risk management strategy feel more feasible.
  • Extend security awareness programs to include your suppliers. This doesn’t mean you are involved in their own incident response, but it gives you the option to plug them into your incident response plan if something takes place. Consider involving key suppliers in scenario planning, as well, to build strategy and protocols around the reality that what they do affects your security – and vice versa.
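The first two points above (closing the visibility gap between procurement’s vendor list and the suppliers actually in use, then triaging the resulting list by risk) can be turned into a repeatable process. The script below is an added illustration, not Trustwave’s MVRA product or any code from the original post. The scoring factors, their weights, the tier thresholds, the supplier names and the procurement/observed lists are all constructed assumptions; a real program would take the inventory from procurement records and the “observed” set from sources such as SaaS sign-in logs, network egress records or invoices.

```python
"""Supplier triage: reconcile procurement's vendor list with suppliers observed
in practice, then rank every supplier by a simple additive risk score so that
assessment effort goes to the riskiest relationships first.
All weights, thresholds and sample data are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed weights: what the supplier can reach, what they hold, what breaks if they are down.
ACCESS_WEIGHT = {"none": 0, "data": 2, "network": 3, "privileged": 4}
SENSITIVITY_WEIGHT = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
IMPACT_WEIGHT = {"low": 0, "medium": 1, "high": 2}
ASSESSMENT_MAX_AGE_DAYS = 365  # assumption: a supplier assessment older than a year is stale


@dataclass(frozen=True)
class Supplier:
    name: str
    access: str                         # what the supplier can reach in your environment
    data_sensitivity: str               # most sensitive class of your data they hold
    business_impact: str                # effect on service delivery if they are unavailable
    last_assessed_days: Optional[int]   # days since last security assessment; None = never
    alternatives: int = 1               # interchangeable suppliers available (1 = single point of failure)


def risk_score(s: Supplier) -> int:
    """Additive score: access + data sensitivity + business impact, plus penalties
    for missing/stale assessments and for lack of supplier diversity."""
    score = (ACCESS_WEIGHT[s.access]
             + SENSITIVITY_WEIGHT[s.data_sensitivity]
             + IMPACT_WEIGHT[s.business_impact])
    if s.last_assessed_days is None:
        score += 2      # never assessed: no evidence of their security posture at all
    elif s.last_assessed_days > ASSESSMENT_MAX_AGE_DAYS:
        score += 1      # assessment exists but is stale
    if s.alternatives <= 1:
        score += 1      # no second supplier to offset an outage (e.g. a ransomware incident)
    return score


def tier(score: int) -> str:
    """Map a score onto the assessment tier (thresholds are assumptions)."""
    if score >= 9:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def reconcile(procurement: Set[str], observed: Set[str]) -> Dict[str, List[str]]:
    """Compare procurement's list with suppliers actually observed in use.
    'unregistered' = in use but unknown to procurement (a visibility gap);
    'dormant' = on the list but not seen, i.e. the list may be outdated."""
    return {
        "unregistered": sorted(observed - procurement),
        "dormant": sorted(procurement - observed),
    }


def triage(suppliers: List[Supplier]) -> List[Tuple[str, int, str]]:
    """Rank suppliers highest risk first; ties broken by name for a stable order."""
    ranked = sorted(suppliers, key=lambda s: (-risk_score(s), s.name))
    return [(s.name, risk_score(s), tier(risk_score(s))) for s in ranked]


# Constructed sample inventory (names and attributes are invented).
SAMPLE_SUPPLIERS = [
    Supplier("NorthStar MSP", "privileged", "confidential", "high", None, 1),
    Supplier("PayrollCloud", "data", "regulated", "medium", 400, 1),
    Supplier("OfficeSupplies Co", "none", "public", "low", 100, 3),
    Supplier("DevTool SaaS", "network", "internal", "medium", None, 2),
]
# Constructed lists: what procurement knows about vs. what is seen in use.
PROCUREMENT_LIST = {"NorthStar MSP", "PayrollCloud", "OfficeSupplies Co", "OldVendor Ltd"}
OBSERVED_IN_USE = {"NorthStar MSP", "PayrollCloud", "OfficeSupplies Co", "DevTool SaaS"}


if __name__ == "__main__":
    gaps = reconcile(PROCUREMENT_LIST, OBSERVED_IN_USE)
    print("Unknown to procurement:", gaps["unregistered"])
    print("On the list but not seen:", gaps["dormant"])
    for name, score, level in triage(SAMPLE_SUPPLIERS):
        print(f"{level:>8}  {score:>2}  {name}")
```

In the sample run the unregistered “DevTool SaaS” surfaces both as a procurement gap and as a high-tier supplier because it has network access and has never been assessed, which is exactly the kind of supplier a triage process should catch before an incident does.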

A focus on detection

While there are many things outside of your control – devices that are compromised at the source, suppliers who are compromised and affect you – there is still much that can be done to identify threats sooner to mitigate risk and reduce the damage done. Understanding the complexity – and likelihood – of supply chain attacks, as well as the sheer number of possible vulnerabilities across systems, shifts the focus onto detection for the broadest ongoing risk management. When detection becomes a priority woven into ongoing security programs, your efforts will result in the foundation for a truly resilient organization – supply chain and overall.