Cybersecurity vulnerabilities have been plaguing supply chains across industries. According to analysis conducted by BSI, ransomware attacks on the supply chain have increased by 66 percent in the last three years, heightening cybersecurity concerns for private companies.
Kristin Demoranville, Global Practice Director of Cyber, Risk and Advisory at BSI, talks with VMblog about BSI's findings and discusses emerging cybersecurity risks and trends.
VMblog: Advancements in digital technology have revolutionized many businesses across sectors but have also introduced new risks relating to cybercrime and the integrity of supply chains. What are the main cyber risks stemming from these advancements?
Demoranville: Attackers now have more resources and tools at their disposal. Also, a series of high-profile, very damaging attacks on organizations has demonstrated that attackers have both the intent and ability to exploit vulnerabilities in supply chain security. This trend is real and multiplying. Strong security protection is no longer enough for organizations when attackers have already shifted their attention to suppliers. A chain reaction triggered by one attack on a single supplier can compromise a network of providers. Securing the supply chain can be challenging because vulnerabilities can be inherited, introduced, or exploited at any point in the supply chain. A vulnerable supply chain can cause damage and disruption including personnel safety challenges, environmental impacts, and financial loss. The fact that the supplier-consumer relationship is continuously evolving and that both suppliers and customers are constantly updating their systems introduces the need for continuous security of the supply chain and active risk assessment and management.
VMblog: What are the main sectors at risk, and why are they targeted?
Demoranville: The main aim of cybercriminals is to maximize financial gains. The sectors with the most risk will be the ones attackers can exploit for the most profit. For example, the “next-generation” supply chain or digital supply chain attacks will focus on targets that will pay ransomware demands. Organizations that say, “we would never be targeted, we aren’t worth it, or we don’t have anything,” need to look at how they connect to other companies through their digital supply chain. The chances are high that they will be used as an entry point to attack other organizations, regardless of industry sector.
VMblog: There has been a lot of talk around ‘next generation’ supply chain attacks. What makes today’s attacks so sophisticated?
Demoranville: Digital supply chain attacks are a business problem and are no longer just a security or IT problem. Today’s attacks are sophisticated because it isn’t just about the physical supply chain but also the digital supply chain. Data is a supply chain product today and is extremely valuable. The potential impact of digital supply chain attacks affecting many suppliers’ customers is massive. The complexity, skill and effort required to mitigate these digital attacks are also more sophisticated.
VMblog: Why are cyber-attacks on supply chains so lucrative to malicious actors?
Demoranville: They are more lucrative because their targets focus on critical infrastructure; the supply chain is an essential part of the infrastructure. Organizations will often pay because otherwise, human lives could be at risk, or environmental disasters could occur due to the cyberattack. The lack of availability and urgency to restore is what an attacker uses to drive instant payout.
VMblog: How do malicious actors exploit trust regarding third-party suppliers and cybersecurity?
Demoranville: Imagine you are a significant “household name” organization. An attacker wants to exploit that organization; however, they have a strong security posture at the perimeter. How do they work past these controls and find the entrance? Two ways: patience and working through another organization or supplier to find their foothold into the targeted organization.
A supply chain attack exploits the trusted relationships between different organizations and suppliers. The weakest link in a chain of trust is the target for the attack because it will be the easier target to attack. If an organization has strong cybersecurity but has an insecure trusted supplier, cybercriminals will target it. With a foothold in that supplier’s network, attackers can move to the more secure network using that link and attack their real target, the “household name” organization.
VMblog: When assessing and onboarding third-party suppliers, how can organizations ensure the cybersecurity practices and defenses of such suppliers are up to standard?
Demoranville: Organizations should assess the cybersecurity maturity of their suppliers and the level of exposure to risks arising from this customer-supplier relationship. For example, assess and consider the overall quality of the cybersecurity practices and procedures of the supplier. Organizations should exercise increased due diligence in selecting and vetting suppliers. Most importantly, they should manage the risks that stem from such relationships. Additionally, it isn’t just a compliance activity; an organization’s leaders will need to decide if the risks are acceptable for the business and own these risks.
VMblog: Tools to combat the threat of cyber-attacks on the supply chain have solidified in the last year - what are some of these tools, and how can organizations use them to their advantage?
Demoranville: There isn’t a “silver bullet” tool to prevent supply chain attacks. However, several management tools are available that measure and continuously monitor supplier security controls to align with the customer organization’s risk tolerance and objectives. Some of these tools also provide supplier security ratings to assess the security posture of new or existing suppliers. In conjunction with these tools, fundamental security best practices would give you greater visibility to assess and react to any suspicious activity.
VMblog: How can organizations proactively manage cyber risk and vulnerabilities in their supply chain?
Demoranville: Taking a proactive approach to supply chain management means taking an honest look at the company’s supply chain and identifying the security risks through a people and process lens. Listed below are some fundamental principles that should be followed:
- Understand the risks (and benefits) you are taking on by engaging suppliers
- Establish controls by setting minimum security requirements, embedding security in contracts and requiring that the suppliers do the same, monitoring security risks, and raising awareness of security among supply chain personnel
- Build assurance activities by including a “right to audit” in contracts, requiring upward reporting of security performance, regular penetration testing, and maintenance of formal security certifications
- Continuous improvement - Build trust with the supplier and encourage continuous improvement within the supply chain and security