"This is the largest and most sophisticated attack the world has ever seen."
These words, spoken by Microsoft's Brad Smith to 60 Minutes, summarised months of panic from tens of thousands of companies the world over. Microsoft alone assigned hundreds of engineers to look into the fallout, but the closer they looked, the worse it seemed to get.
This was the SolarWinds attack, something we've written about extensively. But the horrifying scale of it wasn't achieved by Russian military hackers cracking into the systems of each of its 18,000 victims individually - they only had to attack one third-party vendor, and that gave them the keys to the world.
In this article, we discuss why third-party risk is now one of the single biggest cyber threats an organization can face, and offer tips on how to shore up your systems against such a threat.
Businesses these days aren't just a part of the supply chain, but the global digital supply chain. This interconnected web of IT systems has enabled whole new heights of process efficiency, product improvement and technological innovation, but it's also created new cyber security risks.
When systems are connected, especially if one business uses another's software, that business puts itself in the hands of its vendor; if the vendor is not secure, the business is not secure.
Cyber criminals know how to attack companies in this manner
SolarWinds was not an isolated incident. In fact, both long before the 2020 attack (e.g. NotPetya) and since (e.g. Kaseya), we've seen multiple compromises of the global digital supply chain. Advanced persistent threat (APT) groups know how to use third-party vendors to wiggle into other organizations' systems, using a variety of increasingly complex attack techniques to disrupt and destroy.
Ten years ago cyber attacks may not have been as common, vicious or widespread. But the world has changed. If you'd like to learn more about the scope of the problem, some of these links may help:
Who is responsible for reviewing vendor contracts in your company? It's very common for organizations to have a general agreement which, once signed, renews automatically, say every one or two years. Typically this agreement is never reviewed again, or it is drafted and agreed by junior departments, so the language ends up quite generic or templated.
Such contracts are also often signed by a head of department who does not actually manage the systems in question. Perhaps someone from finance or legal will be involved, but it's a contract for a complex IT system.
These are all problems for a few reasons
Solving this problem
The first and best step you can take towards solving this problem is to have a few more key personnel involved right from the contract review and signing process. This would include an expert from the applicable department, your security team, and your data privacy team (such as a data protection officer, or DPO).
In this way, your experts will review the agreement from their respective standpoint (i.e. technological or security) and go through all the bullet points and checklists of each article asking the right questions.
Their job is to make sure that the systems mentioned do what they say they do, are connected to what they say they're connected to, that there's a chain of command (and responsibility) at both ends of the agreement, and that the vendor has been reviewed for red flags - see below.
Reviewing new agreements is one thing, but you must also check existing agreements. After all, what if you've already signed a red flag contract?
Apply the same advice above to your existing contracts, combing through them with your individual experts.
Here's what you need to check for
Alongside any contractual agreements, your security personnel and DPO should be involved in reviewing third parties themselves for red flags.
But how much can we really ask our vendors about their security?
Well, you probably can't go into their office and demand to see every little detail about their policies and review every line of code, but you can still find out quite a lot by asking the right questions and paying attention.
Workshops, demos, reading documentation - all of these activities will give you a glimpse into the system to some degree and, more importantly, offer opportunities to ask about security concerns. You could ask to audit their system or review its components, and many vendors will be happy to show you - after all, from their perspective their openness will help to sell their product.
Here's a list of things to review
From the earliest points of contact with a vendor, review all of the below. Again, they may not provide you with every minute detail, but they are obligated to answer basic security and business continuity questions, and if they are shy about their security, this is perhaps one of the biggest red flags of all.
It feels convenient to lock into a single, major vendor and access a raft of tools from them. Their tools might be designed to work well together, or perhaps it just seems easier to sign one agreement rather than many. But this concentration may increase your security risk.
Assess your risk appetite and ask if you should be keeping a more diverse set of suppliers. This will help you in three areas:
Learn more: "5 multicloud security challenges and how to address them"
Don't rush into any agreements because the salesperson wowed you, or you like the big-brand name - always review different vendors.
You may hear that major brands are working with a particular vendor, and while this is certainly a good sign, it doesn't mean you should automatically do the same. Their risk appetite, security posture and cybersecurity capabilities will all be different to yours and therefore they might have assessed the risk differently.
Focusing on fewer rather than more vendors means you may overlook a lot of better options - better functionality, lower cost, or a salesperson who might be able to offer a better agreement or contract.
Here's a practical tip to help you avoid rushing
Before setting your sights on any one brand, analyze four or five vendors that provide the same or similar services. Look for other differentiators, such as better or more local support, the frequency of security patches, and the 'vibe' you get from their customer service people (pushy, or friendly?).
Supply chain compromise is a huge risk, and we understand that you might still feel nervous about it even after following our five steps. After all, the more vendors you work with, the more exposed you may feel, and the more complex it becomes to review each one - and keep auditing them over time - before you can have peace of mind that they are secure.
We can help you.
At dig8ital, we're specialists in digital transformation and cyber security, and know how to blend technical and process evolution with change management at the human level. We stay on top of the world's evolving cyber security situation so you don't have to, and we're here to help.
To learn more about securing your business from the ground up, download our free webinar on transforming business through security architecture. Or, for a free maturity consultation about your unique needs, contact us today.