The supply chain attack on 3CX’s desktop application hit a vendor with more than 600,000 customer organizations, potentially exposing sensitive information and giving the attackers a route to remote access on the systems of leading international brands such as American Express, BMW, McDonald’s and Ikea. But after months of investigation, this state-sponsored attack turned out to have a different back story from others. 

When cybersecurity firms traced the origin of the supply chain attack on the 3CX VoIP application, they discovered that the intrusion began on an employee’s PC that had itself been compromised through another supply chain attack, this time via trojanized trading software (X_TRADER) from Trading Technologies. Although this was one of the first times experts could link one supply chain attack directly to another, it demonstrates the increasing complexity of the supply chain, the vulnerabilities that complexity introduces, and the need for organizations to do everything in their power to keep strengthening it against attacks. 

Introduction: Understanding Supply Chain Cyber Risks

The growing complexity of the supply chain, with its reliance on third, fourth and n-th parties for critical services, has made it a prime target for attackers. Recent incidents such as MOVEit, 3CX and Citrix NetScaler have shown that attackers understand that even the highest-profile brands with strict cybersecurity practices in place are vulnerable when targeted through their supply chain. More than half (64%) of ransomware attacks originate from a third party, and 45% of organizations experienced third-party related business interruptions over the past two years.

A proactive approach to securing these third-party vendors and suppliers is critical to minimizing vulnerabilities and avoiding costly disruptions in your supply chain. 

Here are six practices your organization can start applying today to strengthen its supply chain security. 

1. Map and Prioritize Your Supply Chain

With the average enterprise having anywhere from dozens to hundreds of third parties in its supply chain (many of which outsource critical services to fourth and even fifth parties), mapping your supply chain is no simple feat. Security teams in organizations of all sizes and industries struggle to gain the visibility they need to assess the risk landscape effectively. 

Supply chain discovery involves a number of critical steps: 

  • Step 1: Identify the vendors in your supply chain. 
  • Step 2: Categorize each supplier according to its level of criticality. 
  • Step 3: Implement tiered security measures according to that criticality-based prioritization. 

The modern digital supply chain is highly dynamic: organizations rely heavily on scalable and shifting cloud services, depend ever more on third parties that are themselves subject to security incidents and operational disruption, and continuously onboard and offboard vendors. Many organizations therefore turn to risk scoring to help them categorize and prioritize the risks in their supply chain accurately.   

Risk Scoring

Risk scoring combines relevant data from risk assessments, compliance history, past incidents and more to assign a risk score to every party in your supply chain. Because this data keeps changing, the scoring must be dynamic, fed with real-time data from continuous risk assessments and continuous monitoring. 
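The three discovery steps above and the risk-scoring paragraph fit together as one small model, shown here as an added example rather than code from the original article or from any vendor product. Inherent criticality (what a compromise of the vendor could expose) decides the due-diligence tier from Step 2 and Step 3, while a time-decaying likelihood built from questionnaire coverage, incident history and continuous-monitoring findings decides where each vendor sits in today's review queue. The level scales, weights, half-life, tier measures and the four sample vendors are all assumptions made for the illustration.

```python
"""Vendor risk scoring and tiering (added illustration; weights and sample data are assumed)."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Incident:
    occurred: date
    severity: int            # 1 (low) .. 5 (critical)


@dataclass
class Vendor:
    name: str
    data_sensitivity: int    # 0 none, 1 internal, 2 confidential, 3 regulated (PII/PCI/PHI)
    connectivity: int        # 0 none, 1 browser SaaS, 2 API/VPN into our network, 3 code or agents run inside our environment
    control_coverage: float  # share of questionnaire controls evidenced, 0.0-1.0
    incidents: list = field(default_factory=list)
    findings: dict = field(default_factory=dict)   # continuous-monitoring finding -> severity 1..5


def _level(x: float) -> int:
    """Map a 0.0-1.0 fraction onto a 1-4 risk-matrix level (round half up, not banker's rounding)."""
    return max(1, min(4, 1 + int(x * 3 + 0.5)))


def impact(v: Vendor) -> int:
    """Inherent criticality: what a compromise of this vendor would expose, regardless of its controls."""
    return _level((0.6 * v.data_sensitivity + 0.4 * v.connectivity) / 3)


def incident_weight(v: Vendor, today: date, half_life_days: int = 365) -> float:
    """Past incidents count, but their weight halves every half_life_days so old events fade."""
    w = 0.0
    for inc in v.incidents:
        age = (today - inc.occurred).days
        if age >= 0:
            w += (inc.severity / 5) * 0.5 ** (age / half_life_days)
    return min(w, 1.0)


def likelihood(v: Vendor, today: date) -> int:
    """How likely the vendor is to be compromised now: control gaps, incident history, live findings."""
    gaps = 1 - v.control_coverage
    worst_finding = max(v.findings.values(), default=0) / 5
    return _level(0.5 * gaps + 0.3 * incident_weight(v, today) + 0.2 * worst_finding)


def risk_score(v: Vendor, today: date) -> int:
    """Classic impact x likelihood matrix, 1..16; recomputed whenever inputs change."""
    return impact(v) * likelihood(v, today)


TIER_MEASURES = {  # assumed tiered security measures per criticality level (Step 3)
    4: "tier 1: full questionnaire yearly, onsite audit, continuous monitoring, contractual audit rights",
    3: "tier 2: full questionnaire yearly, continuous monitoring",
    2: "tier 3: lightweight questionnaire every two years, security-rating watch",
    1: "tier 4: self-attestation at onboarding",
}


def criticality_tier(v: Vendor) -> str:
    """Due-diligence tier is driven by inherent impact, not by today's score, so it stays stable."""
    return TIER_MEASURES[impact(v)].split(":")[0]


def prioritize(vendors, today: date):
    """Review queue: highest current risk first, ties broken by inherent impact."""
    return [v.name for v in sorted(vendors, key=lambda v: (risk_score(v, today), impact(v)), reverse=True)]


TODAY = date(2024, 6, 1)
SAMPLE_VENDORS = [   # constructed sample data
    Vendor("payroll-saas", 3, 1, 0.90),
    Vendor("trading-plugin", 2, 3, 0.40,
           incidents=[Incident(TODAY - timedelta(days=200), 4)],
           findings={"rdp-exposed-to-internet": 4}),
    Vendor("marketing-newsletter", 1, 1, 0.60),
    Vendor("managed-network-provider", 3, 3, 0.95, findings={"tls-1.0-enabled": 2}),
]

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        print(f"{v.name:26} {criticality_tier(v)}  impact={impact(v)} "
              f"likelihood={likelihood(v, TODAY)} score={risk_score(v, TODAY)}")
    print("review order:", prioritize(SAMPLE_VENDORS, TODAY))
```

Two design choices matter here. Criticality (the tier) depends only on what the vendor could expose, so a well-run payroll provider still gets tier 2 scrutiny, while the score that orders the review queue moves as questionnaires, incidents and monitoring findings change; and the incident half-life means re-running the same scoring a few years later ranks the trading plugin lower without anyone editing its record.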

2. Implement Continuous Third-Party Risk Monitoring

One of the best ways to defend proactively against security incidents is to automate real-time monitoring that flags any change in a vendor's security posture and alerts you promptly to emerging threats or vulnerabilities. With this approach, your organization can respond to a threat as soon as it appears. 

Risk assessment tools for continuous third-party risk monitoring include: 

  • Vendor inventory. Taking stock of your vendors and locating them in your supply chain is crucial, and challenging even for small companies given the growth of shadow IT and cloud applications. Once vendors are identified, they can be continuously evaluated for the level of risk they pose to your organization. 
  • Vendor management questionnaires. These should be templates that can easily be customized for each vendor according to its specific needs, such as relevant regulations and level of risk. Industry-standard questionnaires, such as the Shared Assessments SIG, let you work from a pre-built template. 
  • Security ratings. Security ratings focus on a vendor's external attack surface, identifying security gaps and suggesting how to remediate them, but they do not take other information into account, such as data from the cybersecurity questionnaire or the dynamic nature of risk. 
  • Third-party risk management software. With enterprise-level organizations relying on hundreds of third parties and an evolving risk landscape, third-party risk management software makes it easier to manage these cybersecurity risks regularly and at scale. 
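The "posture change" alerts described above can be produced by diffing two external scans of the same vendor. The following is an added example, not code from the article or from any rating product: it takes two constructed snapshots (open ports, TLS versions, certificate expiry, a numeric security rating and breach mentions; the field names and thresholds are assumptions) and raises only the changes that got worse, so the analyst sees the regression rather than the whole scan.

```python
"""Continuous third-party posture monitoring: diff two scans and raise alerts (added example)."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Alert:
    vendor: str
    severity: str      # "high", "medium" or "low"
    message: str


# Services that should never appear on a vendor's internet edge without explanation.
RISKY_PORTS = {21: "ftp", 23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc"}
WEAK_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}


def diff_posture(vendor, previous, current, today, cert_warn_days=30, rating_drop=50):
    """Compare the latest scan with the previous one and return only what changed for the worse.

    Snapshot fields (assumed): open_ports, tls_versions, cert_expires (ISO date),
    rating (numeric security rating), breach_mentions (list of source ids).
    """
    alerts = []

    # Newly exposed services: risky protocols are high, anything else is informational.
    for port in sorted(set(current["open_ports"]) - set(previous["open_ports"])):
        if port in RISKY_PORTS:
            alerts.append(Alert(vendor, "high", f"{RISKY_PORTS[port]} newly exposed on port {port}"))
        else:
            alerts.append(Alert(vendor, "low", f"new open port {port}"))

    # TLS regressions: a weak protocol that was not enabled in the previous scan.
    weak_now = set(current["tls_versions"]) & WEAK_TLS
    weak_before = set(previous["tls_versions"]) & WEAK_TLS
    for version in sorted(weak_now - weak_before):
        alerts.append(Alert(vendor, "medium", f"{version} newly enabled"))

    # Certificate hygiene: expired is high, expiring within the warning window is medium.
    days_left = (date.fromisoformat(current["cert_expires"]) - today).days
    if days_left < 0:
        alerts.append(Alert(vendor, "high", f"TLS certificate expired {-days_left} days ago"))
    elif days_left <= cert_warn_days:
        alerts.append(Alert(vendor, "medium", f"TLS certificate expires in {days_left} days"))

    # Security-rating drop beyond the agreed threshold.
    drop = previous["rating"] - current["rating"]
    if drop >= rating_drop:
        alerts.append(Alert(vendor, "high", f"security rating fell by {drop} points"))

    # Breach or credential-leak mentions that were not present last time.
    for mention in current["breach_mentions"]:
        if mention not in previous["breach_mentions"]:
            alerts.append(Alert(vendor, "high", f"new breach mention: {mention}"))

    return alerts


def needs_reassessment(alerts):
    """Trigger an out-of-cycle questionnaire or vendor call when any high alert is raised."""
    return any(a.severity == "high" for a in alerts)


TODAY = date(2024, 6, 1)
# Constructed sample scans of one vendor, taken a month apart.
PREVIOUS_SCAN = {"open_ports": [22, 443], "tls_versions": ["TLSv1.2", "TLSv1.3"],
                 "cert_expires": "2024-09-01", "rating": 820, "breach_mentions": []}
LATEST_SCAN = {"open_ports": [22, 443, 3389, 8080], "tls_versions": ["TLSv1.0", "TLSv1.2", "TLSv1.3"],
               "cert_expires": "2024-06-20", "rating": 740,
               "breach_mentions": ["paste-site-credential-dump-2024-05"]}

if __name__ == "__main__":
    for a in diff_posture("trading-plugin", PREVIOUS_SCAN, LATEST_SCAN, TODAY):
        print(f"[{a.severity:6}] {a.vendor}: {a.message}")
```

Running the sample produces six alerts (RDP newly exposed, a new port 8080, TLS 1.0 enabled, a certificate expiring in 19 days, an 80-point rating drop and a credential-dump mention), three of them high, which is exactly the kind of signal that should feed back into the vendor's risk score and trigger an out-of-cycle assessment rather than waiting for the annual questionnaire.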

3. Establish Strong Vendor Onboarding and Offboarding Processes

With the proliferation of third-party services, including critical ones such as cloud infrastructure and hosting, data management and payment processing, organizations frequently onboard and offboard vendors, each with its own level of security practice. Those practices should be carefully screened and qualified at the beginning of the business relationship, not after a security incident has occurred.

Steps for Onboarding and Offboarding Vendors

Step     Onboarding                                                      Offboarding
Step 1   Defining purpose and identifying the new business opportunity   Contract review
Step 2   Qualification and security screening of the third party         Property and data disposition
Step 3   Contracting and negotiation                                     Disposition of access
Step 4   -                                                               Security audits and onsite inspection

The onboarding process should include the following steps:

  • Defining purpose and identifying the new business opportunity. The organization must clearly define the goal of the business relationship and its expectations in terms of compliance, security, risk and detail any concerns it has for the future. Data sharing practices and level of network connectivity should be discussed in detail to manage expectations. 
  • Qualification and security screening of the third party. The third party must comply with relevant regulations and your organization’s internal security requirements. The practices evaluated should include external (Internet facing) as well as internal (internal security policy, access controls, data sharing practices, and processes) security. Your organization will ultimately decide to proceed with a business relationship according to its individual risk appetite and risk tolerance.
  • Contracting and negotiation. If your organization decides to enter into a business relationship with the vendor, a contract will need to be drawn up that clearly states the third party’s responsibilities with regard to security and compliance. The organization must also define its own rights. For example, any contract that involves network connectivity and/or shared data must clearly state the organization’s right to scan the vendor’s perimeter and to audit or inspect the security policies, controls and processes that touch that connectivity or data.

Offboarding, or ending a relationship with a vendor, is no less important, yet it is the most neglected part of the third-party lifecycle. 

The offboarding process should include: 

  • Contract review. Contracts deal not only with data shared during the business relationship but with the handling of that data after the relationship is terminated. Your organization should hold a written commitment from the third party that it will continue to honor all relevant obligations (e.g., confidentiality and privacy) after the business relationship has concluded. 
  • Property and data disposition. Data shared with the third party must be deleted, destroyed or returned. Where this is not possible, as with backups and archives, the organization should secure the data through other methods or processes, such as requiring it to stay encrypted and scheduling its deletion when the retention period ends. 
  • Disposition of access. The third party must no longer have access to the organization’s data, network or internal systems: disable its accounts and roles, revoke its VPN certificates and API keys, and rotate any shared secrets it held, since a disabled credential the vendor still knows can be re-enabled. 
  • Security audits and onsite inspection. Further audits and inspections may be necessary, especially if the third party held highly sensitive data or if that data resides on physical devices and systems. 
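The "disposition of access" step is only verifiable if someone reconciles every place the vendor was granted access. The following added example, which is not code from the article or from any product, runs that check over a constructed access inventory (one row per grant, as it might be merged from IdP, VPN, cloud IAM, API gateway and secrets-store exports; the source names and status vocabulary are assumptions). It distinguishes identities, which are closed once disabled or deleted, from shared secrets, which only count as closed once revoked or rotated.

```python
"""Offboarding access check: list every grant a departed vendor could still use (added example)."""
from datetime import date

# Statuses that count as properly closed, by kind of grant. Disabling an account closes an
# identity, but a secret the vendor knew (password, API key) must be rotated or revoked:
# "disabled" can be re-enabled, and the vendor still holds the value.
CLOSED = {
    "identity": {"disabled", "deleted"},
    "shared-secret": {"revoked", "rotated"},
}


def residual_access(records, vendor, today):
    """Return grants owned by `vendor` that are neither closed nor expired on their own."""
    leftovers = []
    for r in records:
        if r["owner"] != vendor:
            continue
        if r["status"] in CLOSED[r["kind"]]:
            continue
        expires = r.get("expires")
        if expires and date.fromisoformat(expires) < today:
            continue  # lapsed by itself; nothing left to revoke
        leftovers.append(r)
    return leftovers


def offboarding_report(records, vendor, today):
    """Summary a third-party risk owner can attach to the offboarding ticket as evidence."""
    leftovers = residual_access(records, vendor, today)
    return {
        "vendor": vendor,
        "clean": not leftovers,
        "revoke": [f"{r['source']}:{r['id']}" for r in leftovers if r["kind"] == "identity"],
        "rotate": [f"{r['source']}:{r['id']}" for r in leftovers if r["kind"] == "shared-secret"],
    }


CUTOFF = date(2024, 6, 1)   # assumed contract end date
# Constructed inventory: one row per credential or grant, merged from several access sources.
INVENTORY = [
    {"source": "sso", "owner": "acme-analytics", "id": "svc-acme-etl", "kind": "identity", "status": "disabled"},
    {"source": "vpn", "owner": "acme-analytics", "id": "cert-acme-01", "kind": "identity", "status": "active",
     "expires": "2025-01-15"},
    {"source": "cloud-iam", "owner": "acme-analytics", "id": "role/acme-s3-reader", "kind": "identity",
     "status": "active"},
    {"source": "api-gateway", "owner": "acme-analytics", "id": "key-7f3a", "kind": "shared-secret",
     "status": "active", "expires": "2024-05-01"},
    {"source": "secrets-store", "owner": "acme-analytics", "id": "acme-sftp-password", "kind": "shared-secret",
     "status": "disabled"},
    {"source": "sso", "owner": "other-vendor", "id": "svc-other", "kind": "identity", "status": "active"},
]

if __name__ == "__main__":
    print(offboarding_report(INVENTORY, "acme-analytics", CUTOFF))
```

For the sample vendor the report is not clean: the VPN certificate and the cloud role still need revoking, and the SFTP password needs rotating even though it is marked disabled, while the API key that expired before the cutoff is correctly ignored. The value of the check is the merged inventory; a vendor usually has grants in more systems than the offboarding ticket lists.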

4. Mandate Security Controls Through Vendor Contracts

The final vendor contract must specify the information security controls the vendor is to apply throughout the business relationship. These usually reference the control frameworks the organization already follows, especially those relevant to third parties, such as ISO/IEC 27001 and 27002, the NIST CSF and the CIS Controls. Contractual controls give third parties a proactive approach to security while providing consistent adherence to compliance, and continuous monitoring confirms that the controls are working as intended, or identifies weaknesses and vulnerabilities in the systems and networks so that mitigation can be prioritized. 

5. Use AI-Powered Cybersecurity Questionnaires

Traditional security questionnaires are time-consuming and cumbersome, often taking days or weeks to complete. AI-powered cybersecurity questionnaires streamline this process, allowing completion within minutes by drafting responses from previous questionnaire data.

  • On the supplier’s side, AI drafts responses by pulling from past questionnaires and policy documents, reducing human error and inconsistency.
  • On the evaluator’s side, AI checks responses for consistency by cross-referencing internal documents from both the organization and the vendor, and flags answers that conflict with them.

The efficiency of AI-driven questionnaires allows for faster assessments and more reliable decision-making, helping to ensure that potential security risks are identified and addressed quickly. Drafted answers should still be confirmed against evidence (policies, audit reports, scan results) before a decision rests on them.

6. Ensure Compliance with Industry Regulations and Standards

As organizations rely increasingly on third parties, global regulators have sharpened their focus on rules that deal specifically with third parties. Adherence to these regulations helps organizations strengthen their supply chain by proactively defending against data breaches and other security incidents, avoiding hefty fines, and enhancing the reputation of and trust in their brand.

Regulatory requirements include: 

  • DORA. The Digital Operational Resilience Act (DORA) was developed to strengthen the operational resilience of the financial sector in the European Union (EU). It requires financial entities to manage ICT third-party risk: keep a register of all contractual arrangements with ICT providers, assess the criticality of each provider, impose contractual security requirements, plan exit strategies, and put remediation and mitigation plans in place for identified gaps. ICT providers designated as critical are subject to direct oversight by the European supervisory authorities. 
  • GDPR. The General Data Protection Regulation (GDPR) requires a lawful basis, such as explicit consent, for processing the personal data of people in the EU, and it makes the organization (as controller) responsible for the processors in its supply chain: processors may handle that data only under a contract containing the required data protection terms (Article 28), and may engage sub-processors only with the controller’s authorization. 
  • NYDFS. Also aimed at financial institutions, the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500) focuses on protecting New York consumers. It requires covered entities to maintain a third-party service provider security policy and to ensure that data shared with third parties remains secure through controls such as multi-factor authentication, encryption and regular risk assessments.  
  • NIS2 Directive. This EU directive requires a broad range of organizations across sectors to report significant security incidents, such as unauthorized access to services, data breaches and DDoS attacks. It also requires proactive risk management, including assessing the security of direct suppliers and of the wider digital supply chain.

Conclusion: Building a Resilient and Secure Supply Chain

Incorporating these best practices to strengthen your supply chain delivers the short-term benefits of avoiding fines and reducing cyberattacks, and long-term benefits as well. Building a strong culture of cybersecurity awareness, improving supplier relationships through continuous collaboration and earned trust, and enhancing customer satisfaction are achievements any organization can be proud of for years to come.

Want to get started taking the first steps implementing these best practices for reducing cyber risks in your supply chain? Get a demo today!