Supply Chain Risks: It’s Everybody’s Business

Posted by Vito Nozza on Jul 20, 2021 10:00:00 AM

There is an old saying that states, “Take care of your house and let others worry about theirs.” This might be valid in the pre-internet world, but with so many dependencies and relationships that have been created between partners and third-party suppliers, the “trust but verify” motto has become commonplace—or has it? Companies are only as strong as their weakest links. Creating a strong cybersecurity program internally is not enough, as the program should include all aspects of business in which data is vulnerable.

Risks in Dealing with Supply Chain Partners

When discussing supply chain partners, a large group of entities contributes to a company's success: cloud providers, manufacturing partners, service and support companies (including physical and environmental support), software support, daily network operations, and human resources support. Businesses depend on trusted relationships with these third-party suppliers and service providers.

The common theme is that threats from these entities no longer come in through the front door; they come through the side entrances that trusted relationships create. A solid cybersecurity program may exist within your own company, but what about the key suppliers that access your systems? Smaller companies contracted by larger enterprises are often targeted precisely because they are more vulnerable, lacking due diligence and a proper security plan. A niche supplier of vital goods or services may hold access to important information while having only a very immature approach to data security.

As recent cyber-attacks have shown, software solution providers have been compromised and have then passed that risk on to their clients. Service and support companies that handle daily IT tasks for their customers are among the biggest risks, because their connectivity into many companies of every size and industry gives an attacker a single foothold that reaches all of them.

Finally, and probably the area most exposed to any type of risk (especially supply chain risk), is the lack of awareness among employees. Employees need proper education on data security and on how to handle sensitive company information. They need to adopt the mindset that if something looks fishy, it probably is (no pun intended on phishing attacks).

How Did These Incidents Affect Companies?

Nation-state attacks increased steadily between 2010 and 2019, and a sharp rise was observed in 2020 as work environments changed in response to the COVID pandemic. These attacks included attempts to access national security targets, large enterprises, and critical infrastructure (including healthcare, financial services, and natural resources), in many cases through vulnerabilities in third-party and supply chain channels.

A recent massive data and systems breach exposed just how weak some federal and military cybersecurity processes really are, and exactly how dangerous that weakness can be. The US Department of Homeland Security, US Department of State, the National Institutes of Health, the US Department of Commerce, the US Department of the Treasury, and a score of other agencies found themselves scrambling to investigate and contain intrusions attributed to Russian state-sponsored actors.

Companies that rely on a major software supply chain provider (which is most businesses on earth) came into the spotlight when a flaw in the code of on-premises server software gave bad actors a way in. These attacks were attributed to Chinese state-sponsored threat actors and reportedly affected some 30,000 organizations in the United States and countless others around the globe. The incident showed both how dependent organizations are on such software and how little due diligence is possible when it reaches the public without passing through a proper DevSecOps lifecycle, including security testing before release.

One of the most famous attacks to come through a supply chain vendor, and now the standard example of how it all started, is the Target breach of 2013. Target employed many contractors to support its business, including one to monitor and maintain its heating, ventilation, and air conditioning (HVAC) systems, and that vendor did not maintain the same security baseline Target had deployed. The HVAC vendor's credentials for Target's remote vendor portal were stolen through a phishing campaign against the vendor, and the attackers used them to enter Target's network and move laterally to the point-of-sale systems. The result... well, history shows. The attackers stole roughly 40 million payment card records and the personal information of up to 70 million customers.

At ConvergeOne, we have assisted clients in building a security program that protects their assets from compromise, whether those assets exist on-premises or in the cloud. We determine what supply chain risks exist and how to work with partners to create a holistic, stable cybersecurity ecosystem. Some mitigating approaches include:

  • Create an incident response team (IRT) that runs scenarios ahead of time and determines how a crisis will be handled, so that the team can respond to, contain, and eradicate the threat.

  • Train your employees to follow security procedures and educate them about the risks.

  • Perform assessments and obtain audit reports from your third-party partners, and verify that due diligence has actually been followed. This could include asset risk assessments, gap assessments, and/or cloud audits.

  • Expand data visibility into the cloud and beyond your network perimeter. Being proactive about what data is entering and leaving your environment, and who is accessing it, is key to stopping possible attacks.
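The "trust but verify" half of third-party access is easy to state and rarely automated. The following is an added example, not code from the original post or from ConvergeOne: it audits vendor-account activity against what each supplier was actually granted (source networks, reachable hosts, maintenance window) and flags anything outside that grant, which is exactly the kind of out-of-scope remote access the HVAC case above illustrates. The log format, vendor names, networks and hostnames are constructed for illustration.

```python
"""
Added example: check third-party (vendor) account activity against the
access each supplier was contractually granted. Not from the original post.
The log format, account names, networks and hostnames below are constructed.
"""
import ipaddress
from dataclasses import dataclass


# Hypothetical access grant per vendor account: where the vendor may connect
# from, which hosts it may reach, and its maintenance window in UTC hours.
@dataclass(frozen=True)
class VendorGrant:
    source_nets: tuple        # CIDR strings the vendor is expected to come from
    allowed_hosts: frozenset  # internal hostnames the vendor may touch
    window: tuple             # (start_hour, end_hour), 24h UTC, end exclusive


GRANTS = {
    "hvac-svc": VendorGrant(("203.0.113.0/24",), frozenset({"bms-01", "bms-02"}), (6, 18)),
    "backup-svc": VendorGrant(("198.51.100.0/24",), frozenset({"bak-01"}), (0, 24)),
}

# Constructed log lines: "<ISO timestamp> user=<acct> src=<ip> dst=<host> action=<...>"
SAMPLE_LOG = """\
2021-07-19T08:12:03Z user=hvac-svc src=203.0.113.25 dst=bms-01 action=login
2021-07-19T22:41:10Z user=hvac-svc src=203.0.113.25 dst=bms-01 action=login
2021-07-19T09:05:44Z user=hvac-svc src=203.0.113.40 dst=pos-gw-07 action=login
2021-07-19T10:00:01Z user=hvac-svc src=192.0.2.9 dst=bms-02 action=login
2021-07-19T11:30:00Z user=backup-svc src=198.51.100.7 dst=bak-01 action=exec
2021-07-19T11:31:00Z user=contractor-x src=198.51.100.8 dst=bak-01 action=login
"""


def parse_line(line):
    """Split one log line into a dict; the UTC hour is taken from the timestamp."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = ts
    fields["hour"] = int(ts[11:13])
    return fields


def check_event(ev, grants=GRANTS):
    """Return the list of ways this event falls outside the vendor's grant (empty = in scope)."""
    grant = grants.get(ev["user"])
    if grant is None:
        return ["unknown-vendor-account"]
    reasons = []
    src = ipaddress.ip_address(ev["src"])
    if not any(src in ipaddress.ip_network(net) for net in grant.source_nets):
        reasons.append("source-not-in-contract")
    if ev["dst"] not in grant.allowed_hosts:
        reasons.append("host-not-in-contract")
    start, end = grant.window
    if not (start <= ev["hour"] < end):
        reasons.append("outside-window")
    return reasons


def audit(log_text, grants=GRANTS):
    """Run every non-empty log line through check_event and collect the violations."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = check_event(ev, grants)
        if reasons:
            findings.append((ev["ts"], ev["user"], ev["src"], ev["dst"], reasons))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Against the constructed log this flags four events: the HVAC account logging in at 22:41 outside its window, the same account reaching a point-of-sale gateway it was never granted, a login from a network the vendor does not own, and an account with no grant at all. In practice the grant table is what the contract and the onboarding review should produce, and the audit runs against VPN, jump-host or identity-provider logs on a schedule rather than once.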

In closing, third-party services are here to stay. They offer countless benefits for organizations looking to increase efficiency and offload work that does not directly contribute to their core mission. The issue remains that security controls weaken once they lie beyond your internal perimeter. A degree of trust has to be developed with your partners; however, that trust becomes a vulnerability if security controls are not maintained throughout the chain. Therefore, it is important that you trust but verify that security programs are being adhered to across the chain. This is everybody's responsibility, from government entities to companies, suppliers, and ultimately customers. We are all responsible for our security and need to ensure that compliance is actually being followed, not just attested to.

I guess old sayings can be changed. It's not just about minding your own business; it's about understanding who is accessing your data and where.

On-Demand Cybersecurity Webinars

Watch the following webinars at your convenience and learn how to keep your organization
from being the next victim, all while improving your overall security posture.

  • ConvergeOne 2021 National Cybersecurity Summit
  • Protecting Our Customers: The Rise of Zero Trust Security
  • Ransomware Readiness: Prevention, Detection and Recovery
  • Five Steps Toward Proactive Cybersecurity for Contact Centers
  • Solutions for Cloud and the Risks That Come With It


Topics: Security, Cyber Security, Cyber Awareness, Ransomware


Vito Nozza is the Principal Consultant, Cyber Security Lifecycle Consulting, in ConvergeOne's National Cyber Security Practice. His career spans 20+ years in enterprise architecture, with 15 years specific to cyber security. He has held roles as a CTO, Director, Principal Architect and Global Security Advisor, all of which have involved providing guidance and consultative measures to SME and enterprise-grade entities. Vito has been instrumental in establishing cloud security, guided frameworks and disaster/incident response plans aligned with overall GRC and ERM goals.