Recent cyber breaches have made the dangers of third-party risk clear. In the supply chain compromise known as the SolarWinds attack, suspected Russian hackers gained access to multiple United States Government agencies and up to 200 private companies.
How? Through weaknesses in the third-party software their targets relied on, from vendors such as Microsoft, SolarWinds and VMware. The attackers had access to their targets for several months, and the compromise was only exposed late last year.
Closer to home, the New Zealand Reserve Bank faced a similar situation last month. A vulnerability in software provided by an international vendor led to a system compromise potentially exposing commercially sensitive and personal information held by the bank.
These incidents highlight an important and growing challenge for every organisation. While most businesses focus on their own risk management including systems, people and processes, any third-party application you use is a potential back door for hackers to stroll through.
With supply chain attacks like SolarWinds and the Reserve Bank, hackers simply look for weak links to exploit in supplier networks, eventually slipping into your systems regardless of how protected you are.
The frustrating reality of these attacks is that suppliers are a diverse set of organisations. Some are ‘high technology’ providers like Microsoft. Others deliver relatively unsophisticated but nevertheless essential products and services, from coffee to cleaning.
Any one of these suppliers can serve as a vector for a cyber-attack.
It gets worse. Third-party risk extends to websites popular with employees. An attacker may notice that staff members routinely visit a particular site and compromise that site instead of attacking you directly. In this ‘watering hole’ attack the site is seeded with malware in the expectation that sooner or later a visitor from your company will pick it up.
Attackers know most organisations use a host of smaller suppliers, and they look for the one with the worst security and the best access to your systems.
The key lesson from the SolarWinds and Reserve Bank supply chain attacks is that your cyber defence horizon needs to expand, regardless of how large your business is.
Combating third-party risk is challenging. There are many moving parts, and the point at which an attack might originate isn’t always obvious.
You can build resilience into your supply chain by keeping your supplier base as small as practicable: fewer third parties means a smaller attack surface to assess and monitor. Stringent vendor controls are difficult to enforce, but where they can be applied they give assurance of uniform security across suppliers.
Where your organisation runs its own software, it should be designed to detect any unauthorised access. Good practical measures extend to using checklists for third-party suppliers to confirm they have basic cyber security in place.
But every company, regardless of size, should follow basic security hygiene, which comes at very little cost. This includes actions like:
- Running an up-to-date antivirus
- Keeping operating systems and applications patched and up to date
- Regular data backups, with restores tested so you know they work
- A strong password policy, including the use of two-factor authentication
- Continued education for staff on cyber security
With third-party risk, the simple reality is that your weakest link is no longer necessarily internal. Even if the weak point lies with one of your suppliers, it still falls to you to take every practicable measure to keep your data safe.