A recent Venafi report found that 82 percent of chief information officers believe their organizations are vulnerable to cyber supply chain attacks and their associated risks—data theft, business interruption, revenue loss and user damage.
As the supply chain has grown more complicated with more and more companies outsourcing their software and service needs, the risk surface has only widened, making it increasingly challenging to assess the cybersecurity posture of third party providers.
We talked to Jason Rebholz, Chief Information Security Officer of Corvus Insurance about the disruptive technology in the supply chain, preparing for business interruption, and creating a relevant incident response plan.
Why are supply chain attacks a concern for companies right now?
Modern companies rely heavily on external technologies to power their business. Security risks extend beyond just your own environment and into the vendors and technologies you rely on for day-to-day activities. It’s difficult enough for organizations to secure their own environment, let alone manage risks associated with third parties.
What are some of the vulnerabilities that lead to a supply chain attack?
Supply chain attacks come in many shapes and sizes. For tech companies selling software, this can be unauthorized code changes that are then shipped to their customers. SolarWinds is the prime example of this type of supply chain attack. In the case of Managed Service Providers (MSP), attacks against their environments can compromise all of their customers.
Supply chain attacks extend to hardware as well. A prominent example of this is the Chinese espionage against the United States where a malicious computer chip was inserted into computer components. The modification would allow for the future compromise of the computer system. These examples clearly show the difficulty in detecting and protecting against supply chain attacks.
How can companies prepare for supply chain disruptions? What steps need to be taken to assess and address cybersecurity readiness?
Every security program should include mechanisms that mitigate the blast radius of an attack. A zero trust approach provides a map for organizations to help contain security incidents and the risk of supply chain attacks.
Protecting against supply chain attacks is just one component—managing supply chain outages is also critical. Organizations should implement business continuity plans that address outages of critical outsourced technologies, such as cloud platforms like Amazon AWS or Microsoft Azure. Attack mitigation and resilience should be the primary focus of organizations to manage today’s security threats.
Once there is an attack, how can a company minimize the business interruption?
The adage “an ounce of prevention is worth a pound of cure” is important here. Understanding your risks ahead of time helps you respond faster. Organizations facing a business interruption must quickly make a choice—recover or reroute services.
Recovering third-party services may be outside of your control. In situations where your MSP is attacked with ransomware, companies are forced to watch a ticking clock waiting for the MSP to recover.
In other situations, organizations can take proactive steps to divert their services to other companies or backup services. The key decision for businesses is which will be faster and more cost effective to resume business operations. The answer to that will dictate how to best respond.
Is there anything else you want to add that our audience should know?
Prepare when you can, not when you have to. Businesses should assess their third-party risk today. Identify your critical vendors and technologies—the ones that you can’t operate your business without. For each identified asset, develop a security roadmap that identifies how to mitigate attacks originating from them and your business continuity strategy if that asset were to disappear tomorrow. These exercises, when documented and planned for, can help turn a disaster event into a minor inconvenience. After all, that is the purpose of a security program.
You can learn more about Jason Rebholz and Corvus Insurance here.
NetDiligence has been helping businesses evaluate and assess their cybersecurity posture for years. If you are unsure about your own cybersecurity posture, be sure to inquire about our QuietAudit® Vulnerability Scan Testing.
Our cyber assessments lead the industry in accuracy and can identify 6000+ vulnerabilities that hackers exploit, including unpatched, non-hardened or misconfigured externally-facing network servers and devices.
Contact us today and get the support you need to detect and address any short-comings in your network before it’s too late.
