Cyberattacks against SolarWinds and other widely implemented software offerings exposed a supply chain rife with exploitable weaknesses. And still, most enterprises have little insight into the plethora of suppliers plugged into their networks.
While 80% of the 1,500 technology and procurement chiefs surveyed by BlueVoyant had experienced at least one breach caused by a third-party vendor 12 months prior, most (anywhere from 71% to 81%, depending on the industry) don’t monitor all third-party suppliers for cyber risk.
The finding shouldn’t come as a complete surprise – organizations operate in networks that on average include 1,409 vendors, the report found. And the numbers vary among the six sectors BlueVoyant reviewed, with those organizations in business services managing the most vendors on average – 2,572 in all.
“Once you multiply the software supply chain by those vendors, your digital footprint kind of increases exponentially,” Austin Berglas, a former senior FBI agent and global head of professional services at BlueVoyant, told SC Media.
Often, too, monitoring is as insufficient as it is sporadic, given the proliferation of threats and the quick action of attackers.
“You have limited resources inside the organization and when you have sometimes over 2,000 vendors, it’s very hard to get your hands around and arms around" third-party risk, said Berglas. “A lot of the organizations just assess and report two to three times a day or even just yearly…which is not nearly enough. We all know companies have gotten into that sort of point-in-time compliance, and I think for years security experts have warned that's not the best place to be.”
SolarWinds drove that particular point home, elevating the importance of vetting third parties to secure the supply chain. In the parlance of the COVID pandemic, organizations learned a hard lesson on how an “infection” can lead to the infection of thousands, until the whole ecosystem resembles one giant super-spreader event.
Ensuring the health of the supply chain then rests on curbing transmission. “I don't envy them that job of trying to get on top of that,” said Berglas, explaining many organizations “are blind until the bad guy moves through the vendor and then actually into the company.”
In addition to expanding visibility into the supply chain by including the whole gamut of vendors, organizations must find more automated ways to do analysis than “turn around and basically supply vendors with risk reduction recommendations,” said Berglas.
Admittedly, it’s counterintuitive to be “proactive in supporting a company that you're paying to provide a service,” he said, “but think of the alternative if you've got a vendor that you're just kind of leaving out there in the dust. We’ve seen what happens then. They can be the downfall,” with attacks like NotPetya serving as a prime example.
Automation can help – allowing companies to process large amounts of data more quickly with minimal human intervention. “They’re expanding their assessment and monitoring programs and doing it in an automated fashion so that you have the ability with limited resources to sift through and pick what's important,” said Berglas. “You can reduce false positives, correlate the data and pick out the threats that are common amongst all the vendor ecosystems.”
Security ratings, a concept recently supported by the Cybersecurity and Infrastructure Security Agency, also can provide a way for companies to evaluate vendors’ security postures. They can “give you visibility into the overall cyber health of your suppliers so you essentially can score your supply chain,” Sachin Bansal, general counsel at SecurityScorecard.
But organizations also must develop a consolidated approach to managing risk across the organization. Berglas was surprised to find that those surveyed for the report offered “disparate answers amongst the different sectors about who owns” responsibility for monitoring and operationalizing risk assessments. Despite budget increases for monitoring vendors and reducing risk, there is no consolidated effort to manage that risk across the organization, he said.
“But it’s one of those issues in a company that can't be stove-piped; it has to be fully integrated, owned at the board level, become part of the entire business operation. It's something that can no longer be overlooked.”