What do the US Department of Energy, the BBC and Boots all have in common? No, this isn’t the start of a bad joke. They are amongst the growing list of international organizations that have been breached as a result of the MOVEit software vulnerability.
But the risk of the MOVEit vulnerability extends far beyond the thousands of organizations around the world that use the software. A number of organizations that suffered data breaches were exposed through their supply chains. Take the payroll provider, Zellis. As a breached user of the MOVEit software, the employee payroll data of many of its customers has been exposed and stolen. This is a clear example of how it is not just third-party providers that present a security risk, as MOVEit is a fourth-party vendor to the breached clients. Indeed, whether it’s the third, fourth, fifth or nth party, it takes just a single weak entry point to introduce risk into the entire supply chain.
While supply chain vulnerabilities of this scale don’t occur every day, the security risk of the supply chain is of growing concern to security and business leaders. According to WEF’s Security Outlook 2023, business executives recognize how their organizations’ cybersecurity risk is influenced by the quality of security across their supply chain of commercial partners and clients.
This is because most organizations are digitally connected to hundreds of suppliers and vendors. Weaknesses in a vendor’s security posture – which could come from their own supply chain – can lead to threat actors gaining access to a network and result in a data breach or the introduction of malicious software, for example, ransomware.
Sometimes these are “smash and grab” events, as seen with the MOVEit vulnerability, which was caught relatively quickly and, based on insights from the industry, doesn’t appear to have been used to gain broader access or steal specific high-value information. Others are stealthier. The SolarWinds attacks, for example, attempted to avoid detection by disabling software systems before performing malicious activity.
The bottom line
Even if your business has the most robust internal security and risk policies and processes in place, third, fourth and even fifth parties could bring it all crashing down. From operational disruption and data breaches to ransom demands and regulatory fines, the cost of not taking this risk seriously is massive.
That’s why it is critical that security leaders actively consider and prepare for this risk and, in turn, the eventuality of an attack through their supply chain. These are five steps that should underpin how organizations prepare:
Don’t let risk be in the eye of the beholder
The further you go down your supply chain, the less likely it is to be shored up against risk. This could be down to the size of the supplier, or to the regulatory or cultural context of where it is located. Whether it’s SMEs with limited budgets to spend on security defenses or large consultancies that’d rather retain more of their bonus than shell out on better cyber defenses, it’s essential to be explicit in detailing your security and privacy requirements to all suppliers.
Make security contractual
While some sectors in the UK, including financial services and healthcare, have mandates to ensure information governance over their supply chain, many organizations in non-regulated industries are still not including it in their supplier contracts. But there is no good reason not to! Making cybersecurity requirements contractual not only impresses the gravity of your security requirements on suppliers but holds them accountable for upholding them.
Put in place a risk manager
Assessing and managing risk across your supply chain is a full-time role, from running risk analysis and introducing the relevant protocols, to managing compliance, and determining who is ultimately accountable. In a small company, a senior director or C-level leader must take on the responsibility of managing the company’s risk processes. In a larger organization, it is the board’s responsibility to put the right team in place and ensure policy adherence.
Dynamically manage your risk
The sheer number of different vendors and suppliers that organizations interact with means it’s impossible to manually manage the risk posed by third, fourth, fifth and nth parties. Vendor risk management platforms are key to proactively checking that suppliers are meeting your security requirements, assessing the risk posed, and having up-to-date information when news of a vulnerability or a vendor breach breaks.
Establish a supplier breach checklist
A supplier breach checklist is a practical tool for businesses managing multiple suppliers, which not only helps identify potential risks, but can also inform an effective response strategy when a breach happens. The checklist should start with the immediate need to identify and notify the supplier or vendor, before addressing the scope and impact and communicating this to relevant stakeholders – for example, affected customers, regulatory bodies and the relevant authorities – and ensuring all impacted parties are taking the necessary steps to address the breach and prevent future incidents.
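The nth-party point made earlier (a single weak vendor several hops away exposes everyone upstream) and the first item on the breach checklist (work out which of your suppliers you are exposed through, and notify them) both come down to one question: given a vendor that has just been breached, which paths in your supply chain lead to it? The script below is an added illustration and is not C2’s platform or any product mentioned in the article. The supplier graph is constructed sample data, and the vendor names, the `us` root node and the mutual dependency between the hosting and payroll suppliers are assumptions made for the example; a real vendor risk management platform would source this graph from supplier questionnaires and contracts.

```python
"""Transitive (nth-party) supplier exposure check.

Added example, not code from the article or from C2. The supply chain
below is constructed sample data: each key is an organisation and the
value lists the vendors it depends on directly. "us" is the assumed
root (our own organisation).
"""
from collections import deque

# Constructed sample supply chain. Our direct suppliers are third parties,
# their vendors are our fourth parties, and so on. The hosting and payroll
# suppliers depend on each other, which is a cycle the code must tolerate.
SUPPLY_CHAIN = {
    "us": ["payroll-provider", "cloud-host", "law-firm"],
    "payroll-provider": ["file-transfer-vendor", "cloud-host"],
    "law-firm": ["file-transfer-vendor"],
    "cloud-host": ["hardware-vendor", "payroll-provider"],
    "file-transfer-vendor": [],
    "hardware-vendor": [],
}


def tier_of_each_vendor(graph, root="us"):
    """Breadth-first search from root.

    Returns {vendor: tier}, where tier 1 is a direct supplier (third party),
    tier 2 a fourth party, etc. BFS reaches each vendor by its shortest
    path first, so a vendor used both directly and via a supplier keeps the
    lower tier. Visited-set check stops cycles from looping forever.
    """
    tiers = {}
    queue = deque([(root, 0)])
    while queue:
        node, depth = queue.popleft()
        for vendor in graph.get(node, []):
            if vendor not in tiers:
                tiers[vendor] = depth + 1
                queue.append((vendor, depth + 1))
    return tiers


def party_label(tier):
    """Map a tier number to the article's 'third / fourth / nth party' wording."""
    names = {1: "third party", 2: "fourth party", 3: "fifth party"}
    return names.get(tier, f"{tier + 2}th party")


def exposure_paths(graph, breached, root="us"):
    """Every acyclic path from root to the breached vendor (depth-first).

    Each path tells the risk manager exactly which suppliers sit between
    us and the compromised vendor. An unknown vendor yields no paths.
    """
    paths = []

    def walk(node, path):
        if node == breached:
            paths.append(path)
            return
        for vendor in graph.get(node, []):
            if vendor in path:  # cycle guard: never revisit a node on this path
                continue
            walk(vendor, path + [vendor])

    walk(root, [root])
    return paths


def direct_suppliers_to_notify(graph, breached, root="us"):
    """Direct (third-party) suppliers through which we are exposed.

    These are the contracts to pull and the vendors to notify first under
    the breach checklist; a vendor we do not reach at all returns [].
    """
    return sorted({p[1] for p in exposure_paths(graph, breached, root) if len(p) > 1})


def exposure_report(graph, breached, root="us"):
    """Summarise blast radius for one breached vendor as a plain dict."""
    tiers = tier_of_each_vendor(graph, root)
    paths = exposure_paths(graph, breached, root)
    return {
        "breached": breached,
        "exposed": bool(paths),
        "closest_tier": tiers.get(breached),
        "label": party_label(tiers[breached]) if breached in tiers else None,
        "paths": [" -> ".join(p) for p in paths],
        "notify": direct_suppliers_to_notify(graph, breached, root),
    }


if __name__ == "__main__":
    # News breaks that the file-transfer vendor has been breached.
    report = exposure_report(SUPPLY_CHAIN, "file-transfer-vendor")
    print(f"{report['breached']} is a {report['label']} reached via:")
    for path in report["paths"]:
        print("  ", path)
    print("Notify direct suppliers:", ", ".join(report["notify"]))
```

Running it with the sample data reports the file-transfer vendor as a fourth party reached by three separate paths and names all three direct suppliers that need to be contacted, including the hosting provider, which only reaches the vendor through the payroll supplier. The same vendor entered into a flat, direct-suppliers-only register would not appear at all, which is the gap the article’s nth-party argument is about.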
Get on the front foot
As the business landscape becomes increasingly interconnected with organizations employing third-party suppliers and vendors, each of which has its own supply chain in tow, proactively managing the risk of the supply chain is key. Getting on the front foot with suppliers to both secure your supply chain and understand the steps should an event occur will help reduce your overall exposure.
Jonathan Wood is founder of C2. C2 is one of the fastest-growing risk management companies in the UK that is helping public and private sector organizations reduce risks and vulnerabilities across supply chains and projects.