It’s an increasingly familiar scenario. A highly regarded company providing a popular online service has revealed that it has become the victim of a data breach. Cyber attackers have stolen customer names, phone numbers and credit card data, and there’s little that can be done to remedy the situation.
Well-known companies like DoorDash, Plex and LastPass have all recently fallen victim to third-party supply chain attacks, but they are certainly not alone. According to “Treading Water: The State of Cybersecurity and Third-Party Remote Access Risk” — a survey of more than 600 US security professionals across five industries published by the Ponemon Institute — third-party attacks have increased from 44% to 49% since last year.
The actual number of attacks is likely higher, as only 39% of respondents expressed confidence that a third-party partner would notify them of a breach. To stop the proliferation of such attacks, we need to take a close look at the market conditions and cultural factors that drive these trends, and at why so many companies aren’t implementing modern solutions to meet the challenge.
Hacking Heaven: Rapid Digital Transformation Plus Outsourcing
So what’s behind this increase in supply chain attacks? In two words: Cultural change. Many industries that used to work offline are entering the digital age with the help of SaaS and cloud technology, a trend that has accelerated due to the pandemic and the shift to remote working. As companies rush to modernize their systems, malicious attackers see perfect targets.
Add to that another market trend: Outsourcing. About 20 years ago, it was unheard of for organizations to outsource control of a core business function, but as industries undergo digital transformation while simultaneously dealing with labor shortages, thanks in part to The Great Resignation, reliance on third-party vendors and service providers has become much more common.
While the moves to leverage third parties for efficiency and agility, and to leverage cloud technology to bring new, compelling value to the market, are not bad or ill-advised decisions in and of themselves, they mean the attack surface available to malicious hackers has grown almost exponentially.
Today, IT professionals tasked with resolving third-party breaches are feeling the heat. Companies are improvising with varying degrees of success, sometimes creating more holes while trying to fix others. Despite good intentions, most organizations have made no progress in third-party security over the past few years, and they pay a heavy price for that.
As Ponemon reports, these cybersecurity breaches leave a huge financial dent: more than $9 million to remediate. Most companies have been caught napping when it comes to third-party supply chain threats.
Hope is not a strategy: Failing to address third-party security threats
IT departments need more sophisticated security strategies to deal with third-party threats, but many companies have not invested in the tools or staff needed to ensure secure remote access and third-party identity management.
According to Ponemon’s research, more than half of organizations are spending up to 20% of their budget on cybersecurity, yet 35% still see budget as a barrier to strong security. Companies are also resistant to investing in the right technology solutions. For instance, 64% of organizations still rely on manual monitoring, which takes an average of seven hours per week to monitor third-party access.
Furthermore, 48% of the respondents in Ponemon’s study also lacked the skilled staff needed to support technology solutions. There is a clear correlation between the number of experienced employees a company has and its security posture. To be successful, you need both the right technology and the people to use it effectively.
Hope, blind trust is not a strategy
In addition to investment delays, many organizations’ cybersecurity programs have fallen behind. Proper action was not taken to secure remote access, which resulted in too many third parties accessing the intranet without any supervision.
A full 70% of surveyed organizations reported that third-party breaches came from granting too much access. However, half did not monitor access at all — even to sensitive and confidential data — and only 36% documented the access granted to all third parties. They simply take a “hope it doesn’t happen” approach, relying on contracts with vendors and suppliers to manage risk. In fact, most organizations say they trust third parties with their information based solely on business reputation.
However, hope and blind trust are not strategies. Many bad actors play a long game. Just because vendors aren’t currently disrupting your systems doesn’t mean hackers aren’t already engaged in malicious activity undetected, crawling the network and studying workflows for later use.
Not all companies have ignored the threat. The healthcare industry has become a leader in addressing third-party security issues because of the need to comply with regulatory audits. Unfortunately, the audit process that originated in the healthcare sector and has been adopted by other industries has not resulted in widespread improvement.
Faced with the ongoing challenge of preventing third-party security breaches or the more tractable goal of passing audits, many IT departments focus on the easy win. They remain one step behind hackers, cleaning up after breaches instead of stopping them.
From catching up to leading: Five strategic steps to stop third-party threats
Despite the worrisome prognosis, there is good news. There are ways to mitigate damage from third-party attacks and start preventing them. Recognizing the need for proper management is the first step. Instead of hoping for the best, companies must commit to substantial research and investment in tools and resources. They can start by taking some basic strategic steps to stop threats in the supply chain.
- Inventory all third parties that have access to the network. Identify and rank the risk level of each for sensitive information, and insist that all network access be logged. Half of today’s companies don’t have enough visibility into people and business processes, meaning organizations don’t know the level of access and permissions in a given system. A fundamental principle of security is that you cannot protect what you do not know.
- Armed with the knowledge of who has access to what information, assess permissions, then provision and de-provision what is needed. Replace open access with zero-trust-based access controls and rigorous monitoring procedures. Reduce infrastructure complexity and improve internal governance.
- As you make tough decisions about granting access, consider both the risk and the value each and every provider brings. Prioritize securing access to your most important vendors, working your way through less important third parties.
- Be aware that when limiting access for vendors and suppliers, there may be some pushback as they initially feel they are not as trusted as they used to be. Ensuring that key suppliers feel respected while changing the status quo can be something of a dance or negotiation. Partners can be made to feel integral from a business standpoint even as stricter security measures are enforced.
- Finding the resources and staff to implement these changes is critical. Some companies may choose to reallocate IT budget to hire new employees. If starting from scratch, appoint someone to oversee third-party management, giving that person the authority to implement a third-party access risk management program.
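The first three steps above (inventory, rank risk, insist on logging; assess and de-provision; prioritize by vendor importance) can be made concrete as a review over an access inventory. The following is an added example, not code from the original article or from Imprivata; the inventory records, field names (`sensitivity`, `business_value`, `logged`, `needed`), scoring weights and the 90-day idle threshold are all constructed assumptions chosen to illustrate the logic, not figures from the Ponemon report.

```python
from dataclasses import dataclass
from datetime import date

# Fixed reference date so the example is deterministic (assumption).
TODAY = date(2023, 1, 31)
MAX_IDLE_DAYS = 90            # grants unused longer than this are de-provisioning candidates
PRIVILEGED = {"admin", "write", "export"}  # permissions that raise the stakes of a breach


@dataclass
class AccessGrant:
    """One third-party account or connection into the network (constructed record)."""
    vendor: str
    system: str
    sensitivity: int      # 1 = public, 2 = internal, 3 = confidential, 4 = regulated
    permissions: set      # what the grant currently allows
    needed: set           # what the business process actually requires
    business_value: int   # 1 = replaceable supplier .. 3 = critical supplier
    last_used: date
    logged: bool          # is this access path covered by access logging?


# Constructed sample inventory; vendor names are placeholders, not real companies.
INVENTORY = [
    AccessGrant("payments-processor", "billing-db", 4, {"read", "write"}, {"read", "write"}, 3, date(2023, 1, 30), True),
    AccessGrant("hvac-contractor", "building-mgmt", 2, {"admin"}, {"read"}, 1, date(2022, 7, 2), False),
    AccessGrant("marketing-agency", "crm", 3, {"read", "export", "admin"}, {"read"}, 2, date(2023, 1, 25), False),
    AccessGrant("staffing-portal", "hr-system", 4, {"read"}, {"read"}, 2, date(2022, 9, 15), True),
    AccessGrant("cdn-provider", "public-site", 1, {"write"}, {"write"}, 3, date(2023, 1, 31), True),
]


def excess_permissions(g):
    """Permissions granted beyond what the business process needs."""
    return g.permissions - g.needed


def idle_days(g, today=TODAY):
    return (today - g.last_used).days


def is_stale(g, today=TODAY):
    return idle_days(g, today) > MAX_IDLE_DAYS


def risk_score(g, today=TODAY):
    """Heuristic ranking (weights are assumptions): data sensitivity, doubled when the
    grant carries privileged permissions, plus penalties for excess permissions,
    missing access logging and long-idle (forgotten) access."""
    score = g.sensitivity
    if g.permissions & PRIVILEGED:
        score *= 2
    score += 2 * len(excess_permissions(g))
    if not g.logged:
        score += 3
    if is_stale(g, today):
        score += 2
    return score


def rank_by_risk(inventory):
    """Step 1: rank third parties by risk, highest first."""
    return sorted(((g.vendor, risk_score(g)) for g in inventory), key=lambda t: -t[1])


def unmonitored(inventory):
    """Step 1: access paths with no logging at all; these are blind spots."""
    return {g.vendor for g in inventory if not g.logged}


def deprovision_plan(inventory):
    """Step 2: stale grants are revoked outright; otherwise trim to least privilege."""
    plan = {}
    for g in inventory:
        if is_stale(g):
            plan[g.vendor] = [f"revoke: idle {idle_days(g)} days"]
        elif excess_permissions(g):
            plan[g.vendor] = [f"remove permission: {p}" for p in sorted(excess_permissions(g))]
    return plan


def remediation_order(inventory):
    """Step 3: work through the most important vendors first, then by risk within each tier."""
    ordered = sorted(inventory, key=lambda g: (-g.business_value, -risk_score(g)))
    return [g.vendor for g in ordered]


if __name__ == "__main__":
    print("risk ranking:", rank_by_risk(INVENTORY))
    print("no logging:", sorted(unmonitored(INVENTORY)))
    print("de-provisioning plan:", deprovision_plan(INVENTORY))
    print("remediation order:", remediation_order(INVENTORY))
```

Note that the pure risk ranking and the remediation order disagree: the marketing agency scores highest on risk (unlogged, over-privileged access to confidential CRM data), but the article's third step puts the critical payments processor first because its business value is higher. Keeping both views side by side is what lets the person appointed in step five argue for a defensible sequence rather than an arbitrary one.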
Whatever action an organization chooses to take, it is imperative to start as soon as possible. Companies may wait several months to a year before they start seeing measurable results. However, with an investment of time, energy and resources, it is not too late. Smart, proactive organizations can turn risky connections with third parties into healthy, secure relationships with trusted vendors and suppliers. They can stop playing catch-up and start leading the pack.
Joel Burleson-Davis is senior vice president of global network engineering at Imprivata