Outsourcing’s dark side: How to stop the surge of supply chain attacks

It’s an increasingly familiar scenario. A well-regarded company offering a popular online service discloses that it has fallen victim to a data breach. Cyberattackers have stolen customer names, phone numbers and credit card data, and little can be done to rectify the situation.

High-profile companies such as DoorDash, Plex and LastPass have all recently become victims of third-party supply chain attacks, but they are certainly not alone. According to “Treading Water: The State of Cybersecurity and Third-Party Remote Access Risk” — a report of more than 600 U.S. security professionals across five industries published by the Poneman Institute — third-party attacks have increased from 44% to 49% since last year.

The real number of attacks is likely higher, as only 39% of respondents expressed confidence that a third-party associate would notify them of a breach. To stop the surge of such attacks, we need to take a close look at the market conditions and cultural factors causing these trends and why so many companies are failing to implement modern solutions to meet the challenge.

Hacking heaven: Rapid digital transformation plus outsourcing

So, what is behind this uptick in supply chain attacks? In two words: Cultural change. Many industries that were previously operating offline are maturing into the digital age with the help of SaaS and cloud technologies, a trend that has accelerated due to the pandemic and the move to remote work. As companies rush into modernizing their systems, malicious attackers see perfect targets.

Add to this another market trend: Outsourcing. Some 20 years ago, it was unheard of for organizations to outsource control of a core piece of business, but as industries undergo digital transformation and simultaneously deal with labor shortages, thanks in part to The Great Resignation, it is far more common to rely on third-party vendors and service providers.

While the moves to leveraging third parties for efficiency and expediency and leveraging cloud technology to deliver new, compelling value to the market are in and of themselves not bad decisions or developments, but it does mean the attack surface for malicious hackers is almost exponentially expanding.  

Today, IT professionals tasked with solving third-party breaches are feeling the heat. Companies are improvising with various degrees of success, sometimes creating more vulnerabilities while attempting to fix others. Despite good intentions, most organizations have made no progress in third-party security in the last few years, and they pay a high price for it.

Cybersecurity breaches leave a whopping financial dent: More than $9 million to remediate damages, according to the Poneman report. Most companies have been asleep at the wheel when it comes to third-party supply chain threats.

Hope is not a strategy: Failing to address third-party security threats

IT departments face the need for more complex security strategies to deal with third-party threats, but many companies have not invested in the tools or employees needed to secure remote access and third-party identities. 

According to the Poneman study, more than half of organizations are spending up to 20% of their budget on cybersecurity, yet 35% still cite budget as a barrier to strong security. Companies also resist investing in the right technological solutions. For instance, 64% of organizations still rely on manual monitoring procedures, costing an average of seven hours per week to monitor third-party access.

Furthermore, 48% of respondents in the Poneman study also lack the skilled employees needed to support technological solutions. There is an obvious correlation between the number of experienced staff members that a company has and its security posture. To succeed, you need both the right technology and the personnel to use it effectively.

Hope, blind trust are not strategies

Alongside lags in investment, many organizations’ cybersecurity programs have fallen behind. Adequate action isn’t taken to secure remote access, which leads to far too many third parties accessing internal networks with zero oversight.

A full 70% of organizations surveyed reported that a third-party breach came from granting too much access. But, half don’t monitor access at all — even for sensitive and confidential data — and only 36% document access by all parties. They simply take a “hope it doesn’t happen” approach, relying on contracts with vendors and suppliers to manage risk. In fact, most organizations say they trust third parties with their information based on business reputation alone.

However, hope and blind trust are not strategies. Many bad actors play a long game. Just because vendors aren’t breaking your systems now doesn’t mean hackers aren’t involved in malicious activity undetected, gathering intel and studying workflows for a later time.

Not all companies have ignored threats. The healthcare industry has become a leader in solving third-party security issues because of the need to comply with audits by regulatory bodies. Unfortunately, the auditing process that originated in healthcare and that has been adopted by other industries has not resulted in widespread improvement.

Faced with the ongoing challenge of solving third-party security breaches, or the more achievable aim of passing audits, many IT departments focus on the easy win. They remain a step behind hackers, attempting to clean up after breaches instead of preventing them.

From catching up to leading the pack: Five strategic steps to prevent third-party threats

Despite the worrying prognosis, there is good news. There are ways to mitigate the damage from third-party attacks and start preventing them. Recognizing the need for proper management is the first step. Rather than hoping for the best, companies must commit to substantial research and investment in tools and resources. They can begin by implementing some basic strategic steps toward preventing supply chain threats.

• Take inventory of all third parties with access to networks. Define and rank the levels of risk to sensitive information and insist on documenting all network access. Half of all companies today have insufficient visibility of people and business processes, meaning organizations do not know the level of access and permissions within a given system. A fundamental rule of security is that you can’t protect what you don’t know.
• Armed with the knowledge of who has access to what information, evaluate permissions, and then provision and deprovision what is necessary. Replace open access with zero trust-based access controls and tight monitoring procedures. Reduce the complexity of the infrastructure and improve internal governance.
• As you make tough decisions about granting access, consider both the risk and the value presented by each supplier and vendor. Prioritize securing access for your most important suppliers, working your way through to less crucial third parties.
• Be aware that when limiting access to suppliers and vendors, there may be some pushback as they initially feel they aren’t trusted as much as they were previously. Ensuring that critical suppliers feel respected while also changing the status quo may be a kind of dance or negotiation. Parties can be made to feel integral from a business standpoint, even as stricter security measures are maintained.
• Finding the resources and employees to make these changes is critical. Some companies may choose to reallocate IT to budget salaries for new hires. If starting from the ground up, assign someone to oversee third-party management, giving that person the power to implement a third-party access risk management program.

Whatever action an organization chooses to take, it is integral to start as soon as possible. Companies can expect to wait several months to a year before they start to see measurable results. However, with an investment in time, energy and resources, it is not too late. Smart, proactive organizations can turn risky connections with third parties into healthy, secure relationships with trusted vendors and suppliers. They can stop playing catch-up and start leading the pack.

Joel Burleson-Davis is the SVP of worldwide engineering for cyber at Imprivata