Earlier this year, we wrote about supply chain risk, warning organizations to be more wary, especially since GDPR has come into full effect. That said, GDPR is by no means the only privacy regulation out there (consider Massachusetts’ CMR 17.00 or California’s 2018 Consumer Privacy Act). No longer can we assume little to no liability when it comes to third-party processing or handling of sensitive data.
There we also discussed the difficulties of building and maintaining a resilient system of checks and balances to ensure your organization’s supply chain is healthy and operating at an acceptable level of risk.
Recent CrowdStrike research, conducted in association with market research firm Vanson Bourne, reports that only 33% of senior IT professionals surveyed said a supply chain attack was likely to cause concern for their organization in the next 12 months. This low level of concern places supply chain attacks below general malware, ransomware, and password attacks on respondents’ ‘cyber-threat radar.’
And yet, that same CrowdStrike survey shows that a whopping 80% of senior IT professionals see supply chain attacks as the fastest growing cyber threat.
So the concern is pretty straightforward. Supply chain attacks are on the rise, but investment in preventing them is not yet being seriously considered by most organizations.
Consider these cases.
First, these types of attacks have been brewing for a while. Since 2011, the cyber group known as Dragonfly has allegedly been targeting the energy sector via supply chains in Europe and North America. They reportedly managed to create identical repositories of legitimate ICS software suppliers and replaced the files with their own malware-infected versions.
Perhaps the recent NotPetya outbreak is a better-known supply chain attack. NotPetya used installed accounting software to spread. According to Talos, the cybersecurity arm of Cisco, the investigation revealed that the attacker compromised the software vendor’s infrastructure and pushed a tampered version of the software to the provider’s clients as a legitimate software update. “The software update essentially installed the ‘NotPetya’ malware on the victim-machines,” reported Talos.
There is no doubt that supply chains add complexity to your environment, particularly if you are responsible for overseeing the security controls your providers implement to protect your sensitive files. And if that wasn’t challenging enough, consider that your service providers also have service providers, who also have service providers, and so on.
Here are some of the questions you should ask the stakeholders in the company:
- Do you know which third party service providers you partner with?
- What third parties do your third parties partner with?
- Which systems and access rights does each third party have? And vice versa.
- What security policies, procedures and safeguards does each third-party service provider currently follow when purchasing services or hardware? How does it align with your security architecture?
For the full list, see this article: The truth about managing Supply Chain risk? It’s not easy.
Want some expert help to secure your supply chain and ensure the right safeguards are in place to protect your sensitive files? Get in touch. We are here to help.