The past two years have brought about significant disruptions to global supply chains. Recent headlines have focused on labor shortages and their impact on everything from product production to shipping delays. However, another, more significant supply chain issue should be top of mind for every organization: supply chain attacks.
Compromising a business supply chain is a key goal for cyber attackers. This is especially true for companies that provide software or services to other organizations, as criminals can gain immediate access to thousands of targets (or more!) in a single attack.
While these types of attacks once focused purely on ransomware – e.g., attackers encrypting your data so you can’t conduct business and holding the decryption key for ransom to extort money from you – they’re becoming more sophisticated and more aggressive.
Criminals are increasingly using a Quadruple Extortion Scheme in supply chain attacks. This means they do more than encrypt your data and hold it for ransom: they also threaten to publicize the data breach in a way that damages your company’s reputation, they target your customers with additional attacks, and they create cyber risks that can affect your entire supply chain.
As almost every company is part of a supply chain, practicing due diligence in supply chain compliance is key. This means that every infosec leader should be focused on mitigating the risk that one or more of their third-party vendors might pose to their organization’s security.
To shore up your supply chain risk profile, you need to be sure that your vendors have been appropriately risk rated and that their security policies and procedures meet your company’s requirements. Here are three things to consider when doing a risk assessment of your third-party vendors:
- Employees are the #1 security risk in any environment. So, it’s important to confirm that every third-party partner trains their employees in ways that you find satisfactory.
- Standardized controls are a must-have. This means reviewing the security stance of your supply chain partners and verifying that they scrutinize their compliance controls to the same extent that you scrutinize your own.
- Infrastructure is important. To limit the risk that could be introduced by your vendors, you need to be sure they have a technology infrastructure that will provide business continuity if something does happen.
Ultimately, your supply chain is an extension of your organization, so it is in your best interest to have a supply chain risk management plan that considers the potential risks and vulnerabilities of every one of your third-party partners and ensures their risk appetite aligns with your own.
To learn more about the growing number of supply chain attacks and other risks to your organizational security, watch our recent webinar: Top Cyber Risk Trends: Where to Focus Your Efforts in 2022.