The escalating attacks against the digital supply chain have largely targeted third-party vendors and suppliers. While it’s not a new trend, it demonstrates that threat actors have learned how to weaponize trust in a company’s partners, including even its security partners. Every organization entrusts critical data to multiple layers of vendors, so security leaders must learn how to solve the growing challenge of third-party risk.
The SolarWinds, Kaseya, and Log4J attacks illustrate the far-reaching implications of a compromised supply chain, particularly when the compromised vendor is itself a security vendor. While those attacks were wake-up calls, organizations have not fully accounted for them when considering supply chain vulnerabilities. CISOs need to prepare for the growing weaponization of trust.
Due diligence in a complex supply chain
The 2022 World Economic Forum (WEF) report found that attacks on digital supply chains impacted 40% of surveyed organizations in the past two years, while 88% of organizations complained about the resilience of their small and medium-sized vendors. These attacks are costly—IBM Security’s Cost of a Data Breach Report shows that supply chain compromises cost an average of $4.46 million, 2.5% more than the $4.3 million average of all data breaches.
Today, application programming interfaces (APIs) are also of special concern because many technology teams rely on them heavily but do not integrate and manage them securely. Salt Security research shows that about a quarter of surveyed organizations use twice as many APIs as they did the previous year, and 95% of surveyed organizations had an API-related security incident in the past 12 months, while API attack traffic grew by 681%.
Board members, executive team members and CISOs must scrutinize their partners as part of routine due diligence. They understand they have much work to do — 54% of business leaders and 61% of cyber leaders believe third-party partners directly connected to them are less resilient than their own organizations, according to another WEF survey.
The complexity of the multiple layers of vendors and suppliers limits visibility. Let’s say an organization entrusts a specific partner to process its customers’ personally identifiable information (PII), and has done its due diligence to assess that partner’s security posture. The partner relies on another vendor, which has its own vendors, and so forth. It's the organization’s responsibility to ensure data privacy and security, but with the dispersion of the PII flowing through a third, fourth, or fifth party, how can the CISO possibly know that every partner down the chain has conducted due diligence with the same rigor?
In most situations, CISOs do not have true visibility into the security practices of providers, relying instead on those third parties to complete lengthy questionnaires. Independent certifications, such as ISO 27001 or SOC 2, give some reassurance, but they only measure specific performance areas, offering only a partial view of the vendor’s security posture.
As cybersecurity professionals, we know these issues are an industrywide problem. But so do our adversaries — and that’s why they make it a point to exploit the weaknesses in partner trust.
Reduce risk via vendor consolidation
To help reduce third-party risk inherent in reliance on security suppliers, many organizations are consolidating their vendors, improving visibility, operational efficiency, and effectiveness. CISOs are building stronger relationships with their A-list vendors and have fewer solutions for their team to manage and learn.
While vendor consolidation has many benefits, relying heavily on any one partner has its own set of risks. A disruption at that provider has big implications for the security operations of every organization that depends on it. To mitigate this risk, organizations need to boost their resilience across vital systems and processes.
Critical resources — the crown jewels — need a much higher level of protection. When consolidating vendors, CISOs cannot rely only on those platforms to protect sensitive data. Rather, they must assess their environment to ensure that they protect all aspects of the company’s sensitive data. This includes a review of their own internal systems and processes.
Adversaries continue to display endless creativity in getting inside targeted organizations. Take the latest wave of attacks on identity and access management technologies, such as multi-factor authenticators and password managers. Threat actors have learned how to deal with enhanced authentication practices, making the supply chain their attack vector once again.
These trends tell us the weaponization of trust will escalate and become a common tactic. Security leaders need to assess their third-party relationships and think through the areas that require more security layers. While it’s not easy to resolve supply chain security, by boosting their resilience, organizations can more effectively protect against the inevitable attacks.
Lucia Milică Stacy, Global Resident CISO, Proofpoint.