The year 2020 exposed many vulnerabilities. We’re all well aware of the public health risk posed by close personal interactions with our network of contacts. We’re also waking up to just how vulnerable we are to cyber attacks via our networks of third-party providers.
Although supply chain risk has received increasing regulatory attention in recent years, it has been a largely overlooked area of cyber risk in general. The SolarWinds supply chain attack has brought it front and center.
SolarWinds customers rely on the company’s products and services to make sure their internal machines are up-to-date and secure — a perfect example of supply chain risk.
In the attack that came to light in December 2020, the attackers installed a back door in the company’s IT monitoring and management software. These “Trojan horses” were then distributed to the networks of thousands of customers, including many large companies and U.S. federal agencies.
What’s particularly disturbing is that the campaign went on for at least nine months — and possibly longer — before it was detected.
Assessing Supply Chain Risk
Whether or not your company was impacted by the SolarWinds attack, the growing prevalence of supply chain attacks — and the fact that they are so difficult to detect — means that every business must take this risk seriously. The more third parties have access to your data and systems, the greater the risks to the confidentiality and integrity of that valuable data and the availability of your systems.
Supply chain risk management, which is part of a third-party risk management program, has been getting more regulatory attention in recent years. A 2015 National Institute of Standards and Technology (NIST) special publication lays out supply chain risk management practices for federal information systems and organizations. Among the supply chain risks it notes are insertion of malicious software (as in the SolarWinds example), manipulation of hardware, insertion of counterfeits, tampering, and theft. Other “non-adversarial” threats include natural disasters and poor-quality products or production practices.
Supply chain risk management differs from vendor risk management. Vendor management focuses primarily on whether the vendor is financially stable and doing what it is supposed to be doing, whereas supply chain risk management addresses the potential impact to your internal assets resulting from the security practices of those third parties.
Some key questions to ask as part of supply chain risk management include:
- Does the vendor have direct control over internal assets?
- What is the level of risk to you internally as a company if the vendor is breached?
- What controls are in place to mitigate these risks?
- How does the vendor stay current on emerging vulnerabilities?
Just about any business in any industry could be a victim of a supply chain attack. In fact, many high-profile companies have been victims of third-party compromises, from large retailers such as Target and Home Depot, to financial giant Equifax, to federal agencies such as the IRS.
Some industries that deal with more sensitive data, such as healthcare, are more risk-averse and tend to keep their IT systems and management in-house rather than following the general trend of moving everything to the cloud. But for most companies, this movement from onsite to cloud-based software simply makes sense, because it puts control of security in the hands of the people who have the resources to do it.
Tighten Your Supply Chain
The increasingly complex network of software and hardware vendors on which most businesses rely means supply chain attacks are likely to continue. Rather than trying to put the genie back in the bottle, companies need to heighten their awareness of the risks involved, a fact the SolarWinds hack has highlighted.
Make sure you understand and obtain assurance regarding the level of risk to you if any vendor is compromised. If you seek to evaluate your company’s supply chain risks, our IT audit and assurance professionals are ready to talk.