The COVID-19 pandemic has been a driving force in digital acceleration, and it continues to wield its influence in how organizations and their staff embrace work. In the push to accommodate remote and hybrid work models, enterprises have ramped up their use of cloud-based services to maintain connectivity and continuity within their workforce.
As the number of commercial relationships has ballooned, so have the attack surfaces and risks of compromise for companies. Recent cyberthreats have highlighted security gaps in the software supply chain, and enterprises must take a closer look at their third-party due diligence processes to ensure trust and security.
Organizations eye their software supply chains warily
In a recent survey conducted by the Neustar International Security Council (NISC), 76% of security and information technology professionals worldwide cited software supply chain risk as a top security priority, and fully 77% attributed the increased rigor of due diligence processes they have in place for external managed service providers to the Log4j vulnerability and other prominent attacks against software and service providers. The nature of Log4j — a ubiquitous open-source library often buried so deep in a stack that some organizations don’t even know they use it — illustrates how enterprises are challenged to identify and address every security gap or weakness.
With increased integration comes a greater risk of exposure for organizations and their customers, but cutting loose third-party service providers isn’t an option. Two in three respondents said their organization is more reliant on third-party service providers now than before the pandemic. And while most security decision makers said they are confident in their organization’s ability to respond should a critical service provider experience an attack, nearly three in ten either lack confidence in the contingency plans they have in place or simply don’t know what a response would entail.
Beyond IT security: A business continuity issue
Bad actors are quick to exploit vulnerabilities, and it only takes a brief lapse in vigilance to fall victim. For instance, hardware or software provided by a third party could harbor malicious software, and because of the trusted partner relationship, the normal perimeter defense mechanisms are circumvented. Once allowed free passage onto a company’s network, bad actors can move laterally within it and exploit user privileges to gain access to sensitive information, whether for monetary gain or simply to wreak havoc.
Given that attacks on critical partners could disrupt business continuity and place an organization and its customers at risk, ensuring the integrity of supply chain partners is of paramount importance. Vetting partners appropriately is critical; organizations must be able to trust that not only will partners operate or deliver to specifications, but also that they will not introduce any new vulnerabilities to the environment.
Steps toward a secure supply chain
A good starting point for upping your software supply chain security is a comprehensive audit. Organizations should evaluate each vendor relationship, taking note of three main areas where issues most frequently arise: the type of data transfer that occurs between the vendor and enterprise, the type of access vendors have to enterprise systems, and the systems or software that vendors are installing on the enterprise network. From this baseline knowledge, organizations can prioritize partners for more in-depth scrutiny.
Organizations may need to spend more time assessing partners with a higher level of enterprise integration and access. For such cases, it may be reasonable to require regular audits or assessments, including those carried out by impartial third parties, at multiple points throughout the year. Additionally, enterprises may want to conduct a higher level of monitoring of their most critical partners’ security programs. For potentially greater transparency and efficacy, it may be advantageous to enter collaborative exchanges and work to share information about attacks and remedies.
Ultimately, supply chain partners should be accountable for maintaining security standards that are as rigorous as those adhered to by the enterprise itself. These standards should be spelled out in contractual agreements, and key components should be addressed in accompanying standardized information gathering questionnaires.
Even with the adoption of industry-recognized standards and protocols, such as SSAE-16 and PCI-DSS assessments, enterprises must be aware that these are not bulletproof. Threats — and the opportunities for cybercriminals to follow through — are constantly in flux, so contingency plans are an essential part of security efforts. Having a Plan B is vital in any case, but especially for instances in which an enterprise has no clear or readily available alternative should a critical partner be taken offline.
Security experts have long preached the need for a multi-layered approach to security that encompasses the basics – having a thorough, planned approach for implementing software patch updates and fixes, carrying out frequent vulnerability and penetration testing, and ensuring regular updates to data backup systems are made – and incorporates best practices for security hygiene in key areas like DNS management and security, DDoS defense, and managing application vulnerability exposure including having a WAF in place. Organizations have largely taken these measures to heart, but they now must think beyond themselves and ask whether their trusted partners are also measuring up to the same ideals.
Maintaining trust requires transparency, collaboration
Modern business is inextricably interconnected, and no industry is immune to the cyberthreats posed by bad actors. Personal information and financial assets will always be targeted, and building a strong defense will require close collaboration across the supply chain. Only by providing a clear picture of their security systems, protocols and even weaknesses can third parties engender trust in their enterprise partners. Information is powerful, but it must be accurate and complete for organizations to act upon it and make the decisions that best protect themselves and their customers.