Resilience in supply chains: a view from the cyber security frontline
As cyber threats grow and diversify, many organisations have been raising their own bar in terms of cyber security – but increasingly, they are being targeted via their supply chains.
Threat actors have always exploited the weakest links they can find and often these are human rather than technological. Adversaries leverage existing relationships of trust because, of course, people are less guarded with individuals or organisations they feel they know. Here in the UK, public and private sector organisations have diverse supplier bases; larger enterprises may have tens of thousands of companies in their extended supply chains. While relationships of trust exist between these entities, the reality is that many do not share a common understanding of the threats they face as a result of those relationships.
We know that adversaries are being successful at targeting organisations by exploiting vulnerabilities in relation to their suppliers, partners and subcontractors. One of the original major supply chain attacks of note was the Target breach in 2013-2014, which affected 70 million records, and we have investigated increasing numbers of ever more complex supply chain attacks over the last five years.
Providing remote access to critical systems for third parties, for instance, can significantly increase a company’s ‘attack surface’ and makes the third parties attractive targets for attackers.
At the same time, within organisations, cyber security risks are growing as a result of so-called ‘shadow IT’: the software and apps that individual users acquire and maintain themselves – including automated software updates – from unverified and potentially dangerous sources. This was the source of the devastating NotPetya cyber attack in 2017, as well as a number of targeted attacks since. These include a massive malware attack in 2017 during which hackers replaced a technology company’s original software with a malicious version that affected 2.3 million users and another in 2018, which sent malicious software updates from another technology company to half a million users.
Robust core processes
If an organisation has a connection with a third party, it needs to ensure that there are sufficient controls in place to manage the associated risks. For example, one key control for any kind of remote access would be multi-factor authentication to validate the individual.
It is important also for organisations to continuously manage who has access into their environments and systems and remove any unnecessary access, both for staff and external suppliers. In addition, robust processes and controls are needed, for example to prevent amended payments without additional authentication. Most importantly, staff need to be educated on how to spot suspicious activity so that they become a vital human firewall.
Additional security layers
Yet despite all these measures, we find that more advanced threat actors can circumvent key controls such as multi-factor authentication, where a user must enter at least two pieces of evidence before being able to access an account or machine. The answer, therefore, is to implement layers of prescriptive security controls – automated where possible – that not only limit initial access, but restrict ongoing activity, monitoring behaviours of third parties and identifying and investigating any anomalies.
In addition, companies need to define and implement effective responses in the event of an attack or systems failure. If we assume that breaches will happen, it is vital to have an effective incident response plan in place. The challenge is not only to detect and shut down incidents, but also to communicate with the relevant partners, organisations and customers. The General Data Protection Regulation makes this even more important given the financial and reputational implications.
It is increasingly important for suppliers to understand that through a new business relationship they also inherit their customer’s threat profile. They should therefore assess their level of cyber resilience against a combined threat landscape and not just their own.
More widely, supply chain and partner assurance models have tended to be paper-based, involving a process of answering questions about cyber security policies and procedures. In reality, this doesn’t necessarily produce an accurate or up-to-date view of how effective the company is at mitigating risk against an evolving threat landscape.
To more accurately assess and validate a company’s cyber security posture, there are ways to take proxy measures of effectiveness, such as public domain intelligence or whether it has suffered an attack or a breach. However, while this kind of intelligence can be used to gauge how well suppliers might be managing their risks, it should not be used as a standalone measure.
We are currently seeing larger organisations and regulators wanting more proactive and comprehensive assurance of suppliers – especially in relation to business-critical systems and information. This could involve bringing the supplier into wider supply chain incident simulations and exercises, or contractually enforcing technical reviews by independent third parties if they are found to have a breach.
Remember, nothing and no-one is infallible and determined attackers will not give up easily. Companies under the impression that they have nothing worth taking need to understand that they might be a stepping stone to a more lucrative target. Ultimately, we are all part of someone’s supply chain.
Digital Vision for Cyber Security 2
Atos’ Digital Vision for Cyber Security 2 brings you insights into the latest challenges and opportunities for business leaders and influencers – and the critical role of cyber security to underpin transformation and vital trust in our digital society.