Avoiding the Risk of Supply Chain Compromise

Supply chain attacks remain one of the largest threats, leading to significant data breaches and increasing the potential for harmful business interruptions.

Businesses today rely heavily on complex, interconnected back-office supply chains to operate. Any one organisation may have hundreds of links to third-party service businesses tasked with carrying out key functions on its behalf, for example payroll, pensions, information processing, telephony, and business systems. But what happens when one of the links between your company and an external provider of business services is compromised by a cyber-attack? This is a supply chain compromise, and be under no illusion: malevolent actors are continually attempting to breach and take advantage of these links, and just one successful attempt can place your organisation in considerable jeopardy. According to Symantec, supply chain compromises are believed to have doubled, but given that this only reflects those officially recorded, the true increase stands to be much greater.

Managed Service Providers – an attractive target for cybercriminals

It is the function of managed service providers (MSPs) to handle core business functions on behalf of their clients. The range and depth of their services are almost unlimited and, with the explosion of cloud-based services, are growing exponentially. Some MSPs provide a wide range of services, whereas some specialise in a single function, but the common thread is that they all have connections to their clients, and those connections are at risk.

In 2017, one of the most high-profile supply chain compromises involved malware with the codename ‘NotPetya’.  In this attack, Russian hackers infiltrated a Ukrainian accounting vendor, so that when client software updates (patches) were carried out, the malware infected the machines of those customers – thereby placing their data at risk of being breached.

And there have been many other such cyber-attacks involving the compromise of MSPs. A well-known and pervasive cyber security threat was identified as having successfully targeted and compromised a large number of global MSPs last year, gathering commercially sensitive data from both the MSPs and their clients. Governmental security agencies are so concerned that they are issuing alerts to this effect. Only this month, the United States of America’s Department for Homeland Security’s National Cybersecurity and Communications Integration Centre (NCCIC) stated it is “aware of ongoing APT [Advanced Persistent Threat] actor activity attempting to infiltrate the networks of global managed service providers (MSPs).”

Managed service providers are not immune to ransomware attacks, which have doubled in 2019. High-profile companies are increasingly being devastated by cyber-attacks that cause financial losses and damage their brand reputation.

Mitigating the risk of supply chain compromises

It is important for MSP clients and MSPs themselves to work together to ensure the necessary security is in place, covering potential vulnerabilities, detection, mitigations, and all associated processes. According to cyber security industry best practice from the UK’s National Cyber Security Centre (NCSC), some of the steps that should be actioned to avoid a supply chain compromise include:

  1. Understanding the risk: this means clients of MSPs should seek to understand the security of their suppliers and identify potential risks.
  2. Establishing control: rather than waiting for MSPs to take responsibility for the security of your managed service, agree with them the security arrangements to be put in place, report incidents, ensure you meet your own security obligations, and, in general, be an active player in ensuring security across all of your suppliers.
  3. Implementing checks: put in place regular periodic checks and tests to ensure that the required level of security is maintained and that the associated protocols and processes are being followed.
  4. Continuous improvement: due to the fluid nature and rapid pace of technological development, it is essential that your supply chain security is reviewed continuously, and that this is done in close conjunction with your suppliers.

Immature security practices are creating serious gaps and driving more incidents of insider threats. Symantec research found that 65 percent of organizations neglect to implement multi-factor authentication (MFA) as part of the configuration of IaaS and 80 percent don’t use encryption.

When client businesses of MSPs take proactive steps to ensure the necessary cyber-security is in place as far as possible, MSPs will in turn be required to meet the demand for more secure infrastructures.

In summary
Supply chain compromises are a growing and genuine threat to businesses, and the greater the reliance on MSPs to provide essential business service functions, the greater the number of potential ways in which your organisation can be compromised. It may be that services on which your business relies are cut off during an attack, or confidential data may be breached; either way, the damage to your enterprise can be substantial, in terms of both cost and reputation. By taking an active role in ensuring your infrastructure and data are secure, regardless of how many MSPs you work with, you can ensure they all meet the standards you require.

And, as is often said by experts around the world, human error tends to be the biggest threat when it comes to data security. Which also means that any business, large or small, can face challenges like this. – artificiallawyer

With domestic and overseas state and non-state cyber threats growing, the time to act is now.