Protect your Supply Chain with a Third-Party Risk Management Program

  • Posted on:March 15, 2016
  • Posted in:Business, Cybercrime, Executive Insight
  • Posted by: Ed Cabrera (Chief Cybersecurity Officer)

Over the last 20 years, technology advancements, globalization and the Internet have revolutionized business practices and efficiency. Supply chain management is one of the areas that has benefited most, as companies can now work with suppliers and business partners around the world. The bad news is that the same holds true for cybercriminals and their networks – the Deep and Dark Web. The sophistication of attacks keeps increasing year over year, regardless of a threat actor’s motivation. The sheer amount of data being compromised is mind-boggling, and no industry is exempt.

As businesses continue to pivot to highly networked and outsourced supply chain models, they are exponentially growing their attack surface, allowing cybercriminals to leverage these new avenues of compromise. Capacity building within the criminal underground has been a rising tide, lifting the skill sets of the threat actors that sail within it. We see this in the sophistication of the tools they deploy, as well as in the manner in which they target vulnerable supply chains and third-party partners.

Modern-day supply chains are highly interdependent and complex, and simple supply chain risk management (SCRM) strategies are woefully insufficient. We witness this through highly effective attacks on businesses and government entities, which seem to have become almost the norm. Because cyber attacks are no longer the exception, some SCRM experts have started to introduce the concept of “supply chain resiliency.” This goes beyond the critical need to manage all supply chain risks and includes how entities withstand and recover from any attack.

In recent years, cybercriminals have found new ways of attacking larger organizations by targeting trusted third-party vendors with fewer security controls. This allows threat actors to exploit sensitive information and operational supply chains. In 2013 and 2014, the Target and Home Depot breaches painfully highlighted the risk of third-party access to enterprise infrastructure, when stolen vendor credentials were used to breach their networks. In 2015, information and operational supply chain attacks against government, private industry and critical infrastructure increased. This rise is clear proof that advanced threat actors are evolving and increasing their targeting sophistication to identify and attack critical – or weak – links in the chain.

More recently, we have seen the U.S. Office of Personnel Management (OPM) breach, in which 22 million records, including sensitive background data on former and current federal employees, contractors and military personnel, were compromised. It serves as another example of advanced threat actors mapping a victim’s information supply chain: they first breached a contractor, KeyPoint Government Solutions, and then, with the contractor’s stolen credentials, island hopped into the OPM system.

However, such attacks are not limited to cyber espionage groups focusing their efforts on government. Over a five-year period, three news wire services – Business Wire, Marketwired and PRN – were systematically attacked by cybercriminals, who gained access to more than 150,000 confidential corporate press releases and fraudulently traded on 800 of them for a $30 million profit. These breaches highlight that information supply chains are not just vulnerable to island-hopping tactics but have become primary targets for the diverse data they store on behalf of upstream and downstream third-party partners.

Operational supply chains are equally vulnerable to cyber attacks. The multi-vector, multi-stage attacks that deployed destructive malware against two Ukrainian power facilities, causing power outages in 80,000 homes, were initially reported as an isolated incident. However, Trend Micro senior threat researchers investigated the matter further and identified two other energy supply chain partners, a rail company and a mining company, that were attacked by the same threat actors.

To manage this growing risk, businesses need to develop or improve their third-party risk management program. This includes the following five crucial steps:

  • Organize the relevant parties together internally (IT, legal, and procurement)
  • Identify third parties and prioritize based on risk
  • Evaluate third parties’ security posture
  • Communicate security expectations to third parties through contract and contact
  • Continuously monitor critical third-party performance

So, when protecting your organization from cybercrime, you need to expand your security evaluation to your whole supply chain. It is important to manage all possible risks along your supply chain – but it is equally important to think of “supply chain resiliency,” and to understand how third-party vendors will withstand and recover from any potential attack. Remember: it is not a question of “if” you will be part of an attack, but “when.” And the attack might come through a trusted partner of yours.
