As companies of all kinds look to build trusted relationships with their customers, cybersecurity due diligence is rapidly taking on greater importance — and complexity. While potential customers have long vetted vendors and partners based on their security processes and priorities, the conversation no longer stops at “What will you do to protect my data?” Prospects are increasingly (and rightly) asking, “What are you doing to ensure that the providers you work with won’t create risk for my business?”
The supply chain threat
Several recent large-scale supply chain hacks have highlighted the risks posed by external partners, with cybercriminals exploiting trusted relationships and using third-party access points to penetrate wider networks.
Last year, for example, sophisticated hackers injected malicious code into SolarWinds’ Orion network management software, compromising its customers’ data and systems when the malware was subsequently distributed by SolarWinds via platform software updates. The malware was able to infiltrate system files using Orion’s privileged access, blending in with legitimate network activity to evade defenses and avoid detection by antivirus software. The data of SolarWinds’ customers was potentially exposed as well, further expanding the impact of the attack, which ultimately affected thousands of enterprises and government agencies.
Then in July of this year, the REvil ransomware gang executed a supply chain attack against IT solution provider Kaseya by exploiting a vulnerability in Kaseya VSA, a remote monitoring and management tool used by tens of thousands of enterprise customers – and favored by managed service providers (MSPs). Although fewer than 60 Kaseya clients worldwide were infected directly, the fact that many of these were MSPs that small and medium-sized businesses rely on led to a cascading impact, with up to 1,500 downstream organizations having their networks or systems encrypted.
Although the ultimate objective of the SolarWinds hack remains unknown, and a universal decryption key for the Kaseya ransomware hack was eventually made public, these attacks and others like them have resulted in significant disruption, repair costs and lost business for many organizations — including those several steps removed from the original target of the hack.
It’s not hard to see why cybercriminals are increasingly embracing this tactic. By carrying out supply chain attacks instead of attempting to breach each company’s defenses individually, malicious actors are able to infiltrate more victim organizations more quickly, multiplying the potential impact of an attack. They are also putting great effort into developing new ways to extort those victims – and incentivizing them to pay up.
The growing availability of ransomware-as-a-service operations makes attacks easier to launch and more accessible to unskilled cybercriminals. Many attacks look to further squeeze victims through double extortion tactics – where they steal data during a ransomware attack and threaten to leak it if the ransom isn’t paid. Some even boast sophisticated customer service operations that can help walk victims through the process of acquiring the necessary cryptocurrency and delivering payment. Between the added layers of threats and a streamlined process to make the problem go away, many victims simply opt to pay up. Taken together, these factors mean there is little prospect that these threats will let up.
Surveys show that an overwhelming majority of cybersecurity professionals are concerned about their MSPs being hacked. In a recent Neustar International Security Council study, less than a quarter (24%) of cybersecurity decision makers were very confident in the safety barriers they had in place to prevent trusted third-party contractors from violating security protocols.
Obviously, the more digital links you have to your organization, the more opportunities you present to malicious actors seeking to infiltrate your systems — but the number of third-party service providers organizations work with will inevitably continue to rise as businesses embrace additional digital technologies to further increase their efficiency and better serve their customers.
Strengthening your defenses
What can you do to protect yourself — and your customers — in this increasingly interconnected world? Following are three best practices.
Start with what you can control directly, and that means regularly testing security processes and constantly monitoring for threats, using relevant threat data to help your teams make sense of all the alerts generated by the various security tools. To make the smartest use of your security budget, you’ll want to strategically select best-of-breed technologies that provide 24/7 monitoring and protection, regularly scan for vulnerabilities and apply patches promptly. Working with vendors that specialize in cybersecurity is more efficient and cost-effective for most organizations than developing home-grown tools.
You can’t rely on your security team alone to keep your business safe from cyberattacks. Humans are usually the weakest link in cybersecurity plans, so make sure you dedicate the necessary resources to educating all your employees on how to prevent and identify threats. In today’s rapidly evolving threat environment, security must be a fundamental priority for every business. Shifting to a proactive security-by-design strategy should be the ultimate goal, and this will require buy-in and involvement at every level, from the C-suite to summer interns.
Assess the security policies of your trusted partners – and work with them to ensure they are doing the same with the third-party partners they work with – to make sure they align with your own priorities. Your MSPs should, for example, have appropriate security controls in place; provide consistent monitoring and logging of systems, activities and connections to your network; and commit to notifying you of any confirmed or suspected security incidents involving their infrastructure. Always apply the principle of least privilege to MSPs — and confirm that they do the same with other members of their own network.
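As an added illustration of the monitoring and least-privilege points above (example code written for this page, not from the article or any vendor), the following Python script audits constructed connection-log lines for third-party accounts against a per-MSP allowlist of permitted hosts, ports and maintenance hours. The log format, account names, host names and policy values are all assumed for the example.

```python
import re
from datetime import datetime

# Constructed allowlist: what each MSP account is contractually permitted to reach.
# Hours are the agreed maintenance window (hour of day, local time).
MSP_POLICY = {
    "msp-backup": {"hosts": {"backup01"}, "ports": {22}, "hours": range(1, 6)},
    "msp-netops": {"hosts": {"core-sw1", "core-sw2"}, "ports": {22, 443}, "hours": range(8, 18)},
}

# Assumed log format (constructed): "<iso-timestamp> user=<acct> src=<ip> dst=<host> port=<n> action=<allow|deny>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+) action=(?P<action>\w+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["port"] = int(ev["port"])
    return ev

def check_event(ev):
    """Return the reasons an allowed connection exceeds the account's policy (empty list if in scope)."""
    policy = MSP_POLICY.get(ev["user"])
    if policy is None:
        return ["unknown third-party account"]  # access granted to an account nobody assessed
    reasons = []
    if ev["dst"] not in policy["hosts"]:
        reasons.append(f"host {ev['dst']} outside scope")
    if ev["port"] not in policy["ports"]:
        reasons.append(f"port {ev['port']} outside scope")
    if ev["ts"].hour not in policy["hours"]:
        reasons.append("outside maintenance window")
    return reasons

def audit(lines):
    """Return (account, destination, reasons) for every allowed connection that violates policy."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["action"] == "allow":  # denied attempts did not grant privilege; review separately
            reasons = check_event(ev)
            if reasons:
                findings.append((ev["user"], ev["dst"], reasons))
    return findings

# Constructed sample log: one in-scope backup session, one backup account reaching an HR database,
# one network operator outside the window, one unassessed contractor account, one in-scope change.
SAMPLE_LOG = [
    "2021-09-14T02:10:05 user=msp-backup src=203.0.113.10 dst=backup01 port=22 action=allow",
    "2021-09-14T02:12:40 user=msp-backup src=203.0.113.10 dst=hr-db01 port=1433 action=allow",
    "2021-09-14T22:30:00 user=msp-netops src=203.0.113.22 dst=core-sw1 port=22 action=allow",
    "2021-09-14T09:00:00 user=contractor7 src=198.51.100.5 dst=core-sw2 port=443 action=allow",
    "2021-09-14T09:05:00 user=msp-netops src=203.0.113.22 dst=core-sw2 port=443 action=allow",
]

if __name__ == "__main__":
    for user, dst, reasons in audit(SAMPLE_LOG):
        print(f"{user} -> {dst}: {'; '.join(reasons)}")
```

Feeding it real export from a VPN concentrator or jump host, with the policy populated from the partner assessment, turns the written scope of each MSP into something that can be checked continuously rather than once at onboarding.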
While digital technologies such as cloud computing, industrial automation and the Internet of Things can undeniably save your business time and money, you must also always keep in mind that your organization is only as secure as the least secure partner in your extended digital network. For this reason, it is critical that you not only optimize your own security measures but closely scrutinize the security policies of your third-party providers. Your business depends on it, and so do your customers.