In 2020, hackers accessed the data of thousands of companies through malware installed in a software update for SolarWinds’ IT monitoring software. The SolarWinds data breach, known as a supply chain attack, was unprecedented in its scope.
But what’s not unique about the SolarWinds data breach is the method the hackers deployed. Many modern data breaches occur through third-party tools and software. And here’s the bad news. Supply chain attacks that allow hackers to target large numbers of organizations simultaneously are on the rise. Supply chain attacks increased by 26% from 2022 to 2023. A combination of incomplete vendor security protocols, inconsistent compliance, lack of employee training, and other factors leaves businesses vulnerable to nefarious attackers.
Do I really need to worry about vendor security?
Supply chain attacks and other techniques that target organizations through third-party apps and vendors are prevalent for several reasons.
Almost every company uses third-party tools and software. When it comes to vendor security, there is a widespread misconception that vendors have adequate security controls in place and that their default settings are secure. As a result, organizations fail to thoroughly vet vendors or reconfigure their tools and software settings, a common mistake when it comes to vendor security. Finally, some companies conveniently ignore red flags and create security exceptions for vendors they wish to do business with.
Shadow IT also adds significantly to an organization’s vendor security risk. When a company’s employees start using software from unvetted vendors on their own, without oversight or approval from the IT department, that is shadow IT.
Shadow IT issues typically boil down to two issues. One is a lack of employee education on why shadow IT is a problem, and the other is substandard vendor security management programs and inefficient vendor approval processes.
For example, let’s say your human resources department wants to communicate using Slack, but it takes a month to get formal approval. What happens next? An employee in that department may decide to set up a personal Slack account (rather than a more secure corporate account) and start sharing company data through the unvetted platform. It’s a vendor security breach waiting to happen.
Four steps to smart vendor security management
Organizations should focus on the following action items in 2024 to protect themselves from attacks through third-party apps and services. Of course, the more mature an organization’s vendor security program is, the more likely the risk will be minimized.
Strengthen vendor security management programs. Enterprises need a strong zero trust vendor security management program that covers the entire vendor lifecycle, from vendor setup to vendor retirement. Organizations often perform due diligence at the beginning of a vendor contract, but ignore regular monitoring during the contract and retirement after the contract ends.
Why is this important? Just because an application or software passes a security test the first time doesn’t mean it hasn’t been modified to open loopholes for hackers. (Case in point: SolarWinds data breach via software update.)
BlueVoyant’s 2023 State of Supply Chain Defense found that fewer than half of organizations regularly monitor their supply chain vendors. Given the growing threat of supply chain attacks, this number should approach 100%.
Outline clear security expectations for your vendor and include them in your contract. At a minimum, organizations should request a formal service level agreement (SLA) from any vendor that specifies cybersecurity requirements and expectations. The SLA should cover rules for data access, data management and use, as well as necessary steps in the event of a problem and penalties for non-compliance.
Next, organizations should annually review vendor security audit reports, such as SOC 2 reports, which evaluate how well the vendor is protecting the company’s sensitive information.
Design a risk-based approach to cybersecurity. A common mistake organizations make when it comes to vendor security management is applying the same processes and rigor to all vendors. Instead, companies should take a risk-based approach, weighing the vendor’s risk against the sensitivity of the data they access, and vetting vendors accordingly.
To assess the risks associated with vendors, ask the following questions: What kind of data do you share with vendors? What happens if that data is lost or compromised? Who needs to be notified: the customer, the state, the federal government, the SEC?
In other words, the sensitivity of the data and the potential impact if that data is compromised should guide the vendor’s security controls.
Educate employees about cybersecurity and vendor risks. Employee training is a common weak point in corporate cybersecurity programs. Companies with independent operations groups (which often means shadow IT) should specifically educate employees on vendor security and on the processes required to vet and monitor all third-party tools and software providers. Educational programs need to be put in place.
Employees should be familiar with all the reasons why shadow IT is a problem, such as increasing the potential for data breaches and compliance issues, as well as the list of approved vendors and solutions at their disposal. The SolarWinds data breach is just one example of how hackers target organizations through third-party vendors.
Simply put, businesses cannot afford to be complacent about their vendors’ security controls. By prioritizing the above action items, organizations can protect themselves from costly data breaches that can harm customers, revenue, and reputation.