Protect your Supply Chain with a Third-Party Risk Management Program

Over the last 20 years, technology advancements, globalization and the Internet have revolutionized business practices and efficiency. Supply chain management is one of the areas that has benefitted most, as companies can now work with suppliers and business partners around the world. The bad news is the same holds true for cybercriminals and their networks – the Deep and Dark Web. The level of sophisticated attacks keep increasing year over year, regardless of a threat actor’s motivation. The sheer amount of data being compromised is mindboggling, and no industry is exempt.

As businesses continue to pivot to highly networked and outsourced supply chain models, they are exponentially growing their attack surface, allowing cyber criminals to leverage these new avenues of compromise. Capacity building within the criminal undergrounds has been the rising tide, and this has lifted the skill sets of threat actors that sail within them. We see the level of sophistication in the tools they are deploying as well as the manner in which they target vulnerable supply chains and third-party partners.

Modern day supply chains are overwhelmingly dependent and complex, with simple supply chain risk management (SCRM) strategies woefully insufficient. We witness this through highly effective attacks on businesses and government entities, which seem to have become almost a norm. Cyber attacks are now no longer an exception from the norm, and some SCRM experts have started to introduce and include the concept of “supply chain resiliency.” This goes beyond the critical need to manage all supply chain risks, and includes the importance of how entities withstand and recover from any attack.

In recent years, cyber criminals have found new ways of attacking larger organizations by targeting trusted third-party vendors with fewer security controls. This allows threat actors to exploit sensitive information and operational supply chains. In 2013 and 2014, the Target and Home Depot breaches painfully highlighted the risk of third-party access to enterprise infrastructure, when stolen vendor credentials were used to breach their networks. In 2015, information and operation supply chain attacks against government, private industry and critical infrastructure increased. This rise indicates a clear proof of how advanced threat actors are evolving and increasing their level of targeting sophistication to identify and attack critical – or weak – links in the chain.

More recently, we have seen the U.S. Office of Personnel Management (OPM) breach, where 22 million records including sensitive background data of former and current federal employees, contractors and military personnel were compromised, serving as another example of advanced threat actors mapping OPM’s information supply chain to then breach a contractor, KeyPoint Government Solutions. With the contractor’s stolen credentials, they were able to island hop into the OPM system.

However, such attacks are not limited to cyber espionage groups focusing their efforts on government. Over a five-year period, three news wire services – Business Wire, Marketwired and PRN – were systemically attacked by cybercriminals. Cyber criminals gained access to more than 150,000 confidential corporate press releases and fraudulently traded on 800 of them for a $30 million profit. These breaches highlight that information supply chains are not just vulnerable to island-hopping tactics but have become primary targets for the diverse data they store for upstream and downstream third-party partners.

Operation supply chains are equally vulnerable to cyber attacks. Multi-vector and multi-stage cyber attacks, utilizing destructive malware on two Ukrainian power facilities that resulted in power outages in 80,000 homes, was initially reported as an isolated attack. However, Trend Micro senior threat researchers investigated the matter further and identified two other energy supply chain partners, rail and mining companies, who were also attacked by the same threat actors.

To manage this growing risk, businesses need to develop or improve their third-party risk management program. This includes the following five crucial steps:

So, when protecting your organization from cybercrime, you need to expand the security evaluation to your whole supply chain. It is important to manage all possible risks along your supply chain – but it is equally important to think of “supply chain resiliency,” to understand how third-party vendors will withstand and recover from any potential attack. Remember: it is not a question of “if” you will be part of an attack, but “when.” And the attack might come through a trusted partner of yours.