Managing Supply Chain Cyber Risk: Know What You Control – and Detect What You Don’t

As we announce Managed Vendor Risk Assessment (MVRA), a first-of-its-kind cyber supply chain risk assessment solution for enterprises and SMBs in the Pacific region, the importance of cyber risk mitigation has been at the forefront of conversations we’ve been having with our customers. And on the heels of the SolarWinds breach, it hasn’t been far from any IT leader’s mind.

Yet as much as supply chain cyber risk has been circling the headlines lately, it is hardly a new phenomenon. Think back to the Lockheed Martin breach of 2011, in which an RSA SecurID system breach affected Lockheed Martin’s networks. What was then deemed a “new era of cyber espionage” had a ripple effect that altered the way we look at cyber defense. What organizations did then and what they do now after a breach – whatever the magnitude – is telling: Have they learned from the vulnerabilities presented? Have they applied new security measures to account for what has been revealed? If your neighbor is broken into, you can no longer act as if a break-in is a “black swan event” or unexpected.

Most of us have accepted that supply chain breaches are unavoidable, and the double-edged sword of supply chain risk is that whatever you expect of your suppliers, your clients will also expect of you. In most cases, as more is outsourced, you are both a supplier of information, services or goods and a client benefiting from a supplier’s information, services or goods. Knowing that a supply chain is no stronger than its weakest link, we cannot blame suppliers in moments of breach, positioning them as the enemy or threat (there’s a difference between a threat and a vulnerability, after all). But while suppliers aren’t a threat, they do pose risks that must be accounted for by better understanding the landscape of cyber risk today.

What is cyber risk?

When thinking about risks associated with failure or unauthorized use of, or access to, information systems, it’s natural to consider software security first. But there’s so much more to it, as supply chain risk makes clear. Hardware and firmware play a role, as do the people with whom you do business: the organizations that you outsource to, offshore teams contributing to your workforce, and partner organizations that export data to you all impact your risk portfolio. It’s important to ensure that risk introduced by all stakeholders within this ecosystem is understood and managed. And with thousands of suppliers connected to thousands of their own suppliers, this gets complicated fast.

As we define cyber risk, there are different types to consider. Let’s review these and why they matter:

Geopolitical risk

We’ve seen an uptick in cyberattacks conducted by actors with nation-state ties and geopolitical motives. Though most organizations are more likely to be collateral damage than a target in these types of attacks – and that changes what you should do about it – legitimate concerns about data integrity and trust arise in the wake. If you rely on suppliers, or technology, originating in a nation where there could be nation-state interference,  

Supplier breach risk

Some supplier breaches – such as ransomware attacks – restrict service delivery. This can be mitigated through supplier diversity so that if one supplier affecting fulfillment is down, another can help offset the impact. Other breaches that provide access to your environment or breaches that ultimately compromise your data residing with an impacted third-party supplier – like many law firms or financial institutions targeted for customer data – will require a more rigorous response.

Technology compromise risk

The SolarWinds breach has shown us again the exponential impact of a single vulnerability. While it is an extreme example – because of its intent and the way it was executed – the reality is that the entire software industry lives within an ongoing cycle of patching and vulnerability assessment. This is not going to change; how we evolve our approach to move towards a resilience mindset – with an increased focus on detection and rapid response – is key.

Lessons learned? How to actively manage risk

Lots of discussion has taken place on the best way to manage supply chain cyber risk. Recommendations such as using trusted networks, information sharing, scenario planning, and quantification metrics have been broadly accepted by organizations as reputable as the World Economic Forum. These may be sound, but they don’t solve the problem unless deployed by all stakeholders – and that’s a tall order. A rising tide of improved risk management must start from within, remembering what’s in your control first. Keep these things in mind:

  • Build a strong relationship between procurement and security. Knowing that supplier lists are often incomplete and outdated, get a proactive grasp on changing vendor dynamics by building a relationship with your procurement team for cyber risk integration. Because procurement is often only involved with certain levels of vendor acquisition, you’ll better identify gaps if they understand the risks associated with reduced visibility into supplier changes.
  • Triage your supplier list by security risk health. Once you can more clearly see the full supplier ecosystem, triage your list by importance and create a process for evaluating the effectiveness of each supplier’s security. Specialized support for an undertaking like this may help make this important component of your risk management strategy feel more feasible.
  • Extend security awareness programs to include your suppliers. This doesn’t mean you are involved in their own incident response, but it gives you the option to plug them into your incident response plan if something takes place. Consider involving key suppliers in scenario planning, as well, to build strategy and protocols around the reality that what they do affects your security – and vice versa.

A focus on detection

While there are many things outside of your control – devices that are compromised at the source, suppliers who are compromised and affect you – there is still much that can be done to identify threats sooner to mitigate risk and reduce the damage done. Understanding the complexity – and likelihood – of supply chain attacks, as well as the sheer number of possible vulnerabilities across systems, shifts the focus onto detection for the broadest ongoing risk management. When detection becomes a priority woven into ongoing security programs, your efforts will result in the foundation for a truly resilient organization – supply chain and overall.
