
Five Steps to Protect Your Supply Chain: A Board-Level Perspective


Last month, the cybersecurity industry faced its latest major attack through a third-party IT management software company, SolarWinds. This breach reinforces the fragility of not only the software supply chain, but the entire third-party vendor ecosystem. As more information comes to the surface about the true depth and breadth of the breach, it is glaringly clear that this extensive ecosystem of vendors is the gateway for attackers to move laterally from network to network.

Over the last few years, many organisations have improved cyber defences and have succeeded in making themselves increasingly harder targets for adversaries. However, even for these well-defended organisations, the greatest defence weaknesses now lie with their suppliers and partners who are less well protected but with whom they are highly interconnected or upon whom they rely for technology. Among too many partner organisations, cybersecurity is an afterthought at best, despite well-documented threats, making engaging with these organisations a high-risk activity that introduces unpredictable and, therefore, unmanageable cyber risk.

Improving visibility to defend against broader attack techniques

Gaining visibility into supply chain risk is undeniably complex. Business partners normally have limited insight into each other's network defences, and minimal ability to understand and mitigate the security risks inherent in these relationships. Industry-standard practices to date involve point-in-time questionnaires and audits that are useful, but which offer limited context about the ongoing state of cybersecurity within partner networks.

Obtaining this context is crucial. To circumvent the hardening of their primary targets, hackers attempt to exploit the weaker partner and leverage the trust relationship to "swim upstream" into the better-defended, more desirable target. While we saw a particularly effective approach to exploiting the software update process in the SolarWinds hack, it is important to understand that there are a variety of approaches actors can take to infiltrate supply chain operations. An adequate defence needs to protect not only against the specific techniques used in SolarWinds, but should also guard against the broader class of techniques where an organisation can be compromised via its relationship with a poorly defended partner.

Recent research undertaken by BlueVoyant with 1500 CIOs, CISOs and Chief Procurement Officers across six verticals and five countries showed the considerable extent of unmanaged risk in the software supply chain and third-party vendor ecosystems. Overall, the research revealed that globally four in five firms surveyed (80%) had suffered a cybersecurity breach caused by a third-party vendor and the average respondent's organisation had been breached in this way 2.7 times.

It is nearly impossible to effectively manage third-party risk unless the state of your partners' defences is clearly understood, both technically and operationally, and you continually ensure that their cyber defence posture remains sufficient. It is critical that organisations have an in-depth understanding of the cyber risks associated with their supply chain relationships, mitigate those risks to the degree possible, and evaluate net risk versus the business value of the relationship. Put simply, if your organisation is connected to another organisation and you don't have a clear view into the state of their cyber defence posture, you have accepted an unknown and unnecessary level of risk associated with that organisation.

Having a high level of trust in partners makes you vulnerable

Our research highlights that, on average, organisations are working across a network that encompasses 1409 vendors. Within this network, companies will have several groupings of suppliers and partners that are integral to the business in different ways: for example, groups of suppliers who have access to the IT systems and network, others who hold confidential information, and mission-critical suppliers whose ongoing operation is essential to business continuity. Further, there will be those who have a high level of trust in their business relationship and unwisely allow that trust to be carried over into their network interconnectivity, without establishing an adequate understanding of each other's defensive position.

While many organisations have added rigour to their cybersecurity operations, many well-resourced and capable organisations have not. SolarWinds is not an isolated instance of a highly successful, but poorly defended, organisation. Cybersecurity is too often not properly resourced and, in some cases, simply not a sufficient priority, even for organisations in the business of building software products. When partnering, organisations should verify before they trust and embed this into their cybersecurity protocol, repeating the verification process at regular intervals.

Our research uncovered that comprehensive reviewing of partner defences is rare. Only 23% of organisations are monitoring all suppliers, meaning 77% had limited visibility, and many only re-assessed their vendors' cyber risk position annually, or less frequently. This means that in the intervening period, organisations are effectively flying blind to risks that could emerge rapidly and unexpectedly in the prevailing cyber threat environment. Also concerning, 29% admitted that they had no way of knowing if an issue arose with a supplier.

Understanding the adversaries' techniques

To make informed decisions about defensive capabilities, companies must first understand how advanced threat actors approach industrial-scale supply chain operation attacks.

Hacking is a for-profit, international, multi-billion-dollar business undertaken by professionals, generally organised crime and nation-state-funded actors. To be profitable, attackers must be able to assess many possible targets and make decisions about where to focus their resources for maximum impact, both in terms of value and volume. The most valuable intelligence is identifying those organisations that are important (as a potential target) and that have consistent weaknesses in their defences.

As a secondary consideration, attackers look to identify normally well-defended targets who possess unexpected point-in-time vulnerabilities. These lapses are often the window of opportunity a skilled hacker requires to initiate and sustain long-term, illegal business operations.

Developing these industrial-strength capabilities allows hackers to scale their operations. However, this is technically complex, expensive, and requires sufficient depth of knowledge of offensive operations to build automated vulnerability detection engines. Unfortunately, most advanced cyber actors have the resources and skills to accomplish this and have already done so.

Criminals use sophisticated tools to scan the Internet, and all Internet-facing systems, for vulnerabilities and general system information to collect intelligence that will help them identify vulnerable targets. The efficacy of their vulnerability scanning and network intelligence collection determines their profitability. Threat actors continue to improve their capabilities at an alarming rate.

These are five key steps that organisations should employ to safeguard their supply chain:

1. Having the right contractual provisions in place from the outset

Historically, organisations have put contractual provisions in place that require the supplier to have good cybersecurity. The contractual provisions are important for enforcement purposes, but may or may not be fully complied with. Requiring periodic questionnaires is useful, but they are a single point-in-time data collection effort, the answers to which can be broadly correct, but not necessarily comprehensively correct.

Onsite audit rights, again, are useful, but are limited in terms of the number that can be practically conducted, and again represent a single point in time. Although these techniques are necessary and valuable, they're simply no longer sufficient. Today, contracts should stipulate regular monitoring of the supplier's security posture and should document the procedure for identifying and remediating emerging risks that could compromise security and/or business continuity.

2. Understanding the risks

Typically, organisations focus on partners with a higher dollar value, neglecting to consider that even small partners pose a material risk. Monitoring part of the supply chain, and not all of it, is a recipe for trouble as it leaves unmonitored vulnerabilities at various points across the supply chain. Therefore, organisations should expand assessment, monitoring and reporting programs to cover the long tail of vendors, regardless of their size, and not just critical suppliers. As outlined above, when a hacker looks at suppliers, their priority list differs from that of the target organisation. Where hackers look for easy vulnerabilities and trusted relationships so they can "hide in the forest," companies tend to prioritise the importance of relationships to the business. Organisations also need to establish agreed-upon risk tolerance thresholds, applying different tolerances for different suppliers, determined by the access they have to data and systems, and their importance to overall operations.

3. Real-time monitoring

In the modern cyber context, auditing the supply chain only once a year makes as little sense as having a Managed Security Service (MSS) that works only once a year, or a company Security Operations Center (SOC) that operates only occasionally. Therefore, organisations must take a proactive defensive posture of rigorous and continuous assessment and monitoring of the supply chain, notifying suppliers when they are insufficiently protected, to ensure that the supply chain is not vulnerable to threat actors who are looking for every possible point of entry 24/7, so they can detect and remediate critical vulnerabilities before an attack occurs.

4. Operationalise data for improved visibility and maximised value

To improve visibility of their supply chain, organisations should operationalise the data that they already collect, which will provide better and actionable insight to maximise the value of existing resources. This includes automating analysis of the most critical risks (the exceptions that need action versus the raw cyber risk data itself), prioritising and triaging these critical risks in the context of their impact on the organisation, and reducing false positive alerts to remove the "noise," which allows in-house teams to properly focus on analysing critical vulnerabilities.
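As an added illustration of steps 2 and 4 (this is example code, not part of the original article or any DVV Solutions or BlueVoyant product), the following script applies per-supplier risk tolerance thresholds, keyed on the access tier a vendor holds, to a set of constructed exposure findings. It separates the exceptions that need action from the raw data, suppresses low-confidence findings as noise, and lists vendors in the inventory that produced no findings at all, i.e. the long tail with no visibility. Tier names, thresholds, weights and all vendor and finding data are assumptions made up for the example.

```python
# Added example (not from the original article): triage constructed vendor
# exposure findings against per-supplier risk tolerance thresholds.
from dataclasses import dataclass

# Tolerance per access tier (assumed values): a finding at or above this
# severity (0-10) is an exception needing action; below it stays raw data.
TOLERANCE = {"network_access": 4.0, "confidential_data": 5.0,
             "mission_critical": 5.0, "low_access": 8.0}
TIER_WEIGHT = {"network_access": 3, "confidential_data": 2,
               "mission_critical": 2, "low_access": 1}
MIN_CONFIDENCE = 0.7  # discard low-confidence findings to cut false-positive noise

@dataclass
class Finding:
    vendor: str
    issue: str
    severity: float    # 0-10
    confidence: float  # 0-1, scanner's confidence that the finding is real

def triage(vendors, findings):
    """Return (exceptions sorted by priority desc, vendors with no findings)."""
    seen, exceptions = set(), []
    for f in findings:
        tier = vendors.get(f.vendor)
        if tier is None:
            continue  # vendor not in the inventory: no tolerance to apply
        seen.add(f.vendor)
        if f.confidence < MIN_CONFIDENCE or f.severity < TOLERANCE[tier]:
            continue  # noise, or within this supplier's agreed tolerance
        priority = round(f.severity * TIER_WEIGHT[tier], 1)
        exceptions.append((priority, f.vendor, f.issue))
    exceptions.sort(reverse=True)
    # Vendors with no findings at all: the long tail you have no visibility into
    unmonitored = sorted(v for v in vendors if v not in seen)
    return exceptions, unmonitored

# Constructed inventory and findings (sample data, not real organisations)
VENDORS = {"msp-one": "network_access", "payroll-co": "confidential_data",
           "parts-ltd": "mission_critical", "print-shop": "low_access",
           "catering": "low_access"}
FINDINGS = [
    Finding("msp-one", "remote-admin service exposed", 6.5, 0.9),
    Finding("msp-one", "expired TLS certificate", 3.0, 0.95),
    Finding("payroll-co", "unpatched web server", 7.0, 0.4),  # likely false positive
    Finding("payroll-co", "leaked credentials reported", 8.0, 0.85),
    Finding("print-shop", "open mail relay", 7.0, 0.9),
    Finding("parts-ltd", "missing SPF record", 2.0, 1.0),
]
```

Calling `triage(VENDORS, FINDINGS)` returns two exceptions (the exposed admin service at the network-access MSP first, then the credential leak at the payroll provider) and flags `catering` as a vendor with no data at all; the open mail relay at the low-access print shop stays in the raw data because it is within that tier's tolerance.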

5. Resources to remediate supply chain vulnerabilities

While it is a prerequisite for effective cyber defence to have the data on the cyber health and vulnerability status of your supply chain, that alone is not sufficient. Organisations must also have the personnel and expertise to curate findings for priority and accuracy, to follow up with vulnerable supply chain participants to ensure remediations are implemented, and to continuously monitor both the overall portfolio and individual suppliers. Typically this requires substantial internal staffing; alternatively, part or all of the function can be outsourced to DVV Solutions and BlueVoyant. We provide comprehensive supply chain cyber risk identification, prioritisation and remediation services.

The SolarWinds attack, along with a number of other well-publicised breaches, has been driven by nation-state-sponsored activity, foreshadowing near-term and ongoing criminal syndicate attacks. Cyber criminals already have the ransomware capabilities to wreak long-term havoc on an organisation's network. Their next target is the supply chain, making end-to-end monitoring of your entire supply chain a critical strategic imperative.

You’re Only As Strong As Your Weakest Link

There’s never been a more vital time to ensure the resilience of your organisation and the supply chain you rely on. DVV Solutions are here to help with a range of managed services and solutions proven to improve your ability to assess, analyse and manage more supply chain and third-party cybersecurity domains.

For more information on enhancing your supply chain transparency:

Call Us: +44 (0) 161 476 8700

Contact Us: Complete our Contact Form, or

Learn more about What We Do

This article was originally published by BlueVoyant and is shared with their kind permission.