Blog

How to stay ahead of growing supply chain risk?

September 7, 2022

In a time of increased digitization and outsourcing, managing cyber risk from third-party vendors, suppliers, and business partners is becoming a “must-have” for global businesses. According to Gartner, 56% of customers (B2B and B2C) are now expressing “frequent interest and concern” in the cybersecurity posture of the organizations that they do business with.[1] Organizations everywhere are assessing risk within their third-party supply chain – from law firms to manufacturers to hardware and software vendors – and evaluating steps to reduce or remediate risk.

What are some key issues facing organizations when it comes to supply chain cyber risk? How can your organization stay ahead of these challenges? This article identifies several recent trends as well as steps that organizations can take to reduce their supply chain risk.

Trend 1: Ransomware in the supply chain

Organizations around the globe are experiencing sudden operational disruptions combined with huge financial losses, all due to increasingly demanding ransomware attacks.

The rapid rise in ransomware represents one of the most important cybersecurity trends over the last two years. According to Accenture’s Ransomware Reoriented Report, year-over-year ransomware and extortion attacks increased by 107 percent. Ransomware threat actors typically exploit known vulnerabilities to gain access to systems.

While organizations of all sectors and sizes have been impacted, ransomware incidents affecting smaller companies in the supply chain have raised significant concerns among larger enterprise organizations. According to Jake Olcott, vice president of government affairs at BitSight: “I’ve interviewed many Fortune 1000 companies over the last two years and what they all tell me is that their third-party suppliers are being hurt by ransomware. The CISO of a major telecommunications firm told me that at least 20 of their vendors have experienced ransomware incidents in the last 6 months.”

This troubling trend has raised questions among CISOs and business executives alike about the role of larger organizations in providing resources, training, and situational awareness to smaller vendors in their supply chain. Executives and security officials realize that despite their best efforts to enhance cybersecurity within the enterprise, dependence on vendors and suppliers – who may or may not be implementing strong cybersecurity controls – can still create massive risk for the company. Some enterprises actively provide data-driven insights to their vendors about specific methods to reduce ransomware risk as a way of improving security throughout their supply chain.

Trend 2: Critical software vulnerabilities and the supply chain

The ever-expanding list of new software vulnerabilities that are being actively exploited by malicious actors now requires organizations to understand the impact of a vulnerability not only on their environment but also on their broader third-party ecosystem.

In a recent example, news of a major security vulnerability affecting Atlassian Confluence spread throughout the cybersecurity community in June 2022. Confluence is a collaborative team workspace developed by Australian software firm Atlassian and used by half of Fortune 500 companies to store a wide variety of sensitive information, including trade secrets, patent filings, employee personal information, financial data, customer information, and planned business decisions. The discovered vulnerability would allow a remote attacker to take over servers hosting vulnerable Confluence versions, allowing them to control the server with new administrative accounts and execute arbitrary code.

After evaluating whether their organizations were using a vulnerable version of Atlassian Confluence, security professionals quickly pivoted to understanding whether their critical vendors and suppliers were using Confluence. Third-party vendor usage of Confluence might have placed their company’s sensitive data at risk. Imagine your company shared confidential intellectual property documentation with one of your third parties, like your company’s law firm. If the law firm used Confluence to store your company’s sensitive information, then threat actors exploiting the Confluence vulnerability could potentially gain access to your company’s sensitive data via the law firm.

Unfortunately, despite the real risk associated with the Confluence vulnerability, not every company implemented a mitigating patch in a timely fashion. Weeks after the vulnerability was announced, research revealed that nearly 200,000 organizations still had at least one potentially vulnerable organization within their supply chain. Understanding how fast your business partners can implement security measures can mean the difference between keeping your data secure… or becoming the victim of a ransomware attack.

Trend 3: Hardware vulnerabilities and the supply chain

In recent years, the growing use of Internet-connected (IoT) devices within the enterprise has introduced significant benefits to organizations, as well as new, unforeseen risks. These IoT devices can contain critical vulnerabilities that pose risk to global enterprises.

Newly discovered vulnerabilities affecting a popular GPS tracking device highlight how IoT device risks can manifest themselves. The MiCODUS MV720 GPS tracker is a popular automotive tracking device designed for vehicle fleet management and theft protection for consumers and companies. A hardwired GPS tracker, the MV720 allows users to track vehicles, cut off fuel, remotely control vehicles, and geofence. MiCODUS devices are used worldwide by organizations ranging from government and law enforcement agencies to Fortune 1000 companies.

In July 2022, BitSight announced that newly discovered vulnerabilities affecting the MV720 could have disastrous and even life-threatening implications. For example, an attacker could exploit some of the vulnerabilities to cut fuel to an entire fleet of commercial or emergency vehicles. Or, the attacker could leverage GPS information to monitor and abruptly stop vehicles on dangerous highways.

For companies, developing a strategy to evaluate IoT devices and their vendors is critical to understanding and mitigating enterprise risk. These issues will only become more pervasive as the usage of IoT devices grows within the enterprise.

How can organizations stay ahead of risk?

How can organizations adjust to their new supply chain risk reality? According to Suzanne Rijnbergen, Resources Industry lead at Accenture the Netherlands: “During the last year, several organizations approached me, as they are increasingly aware of the risk in their supply chain and want to take control. Yet, they often lack the knowledge and people to effectively enforce controls. Therefore, I strongly advise automation as a key element in addressing this risk.”

For organizations seeking to lower their supply chain risk, there are three critical elements to improving cybersecurity performance across their third-party ecosystem.

  1. First, there should be appropriate board commitment, including allocation of sufficient budget for addressing security risk, with supplier security risk explicitly in scope. At a minimum, this risk should receive attention from the CFO as part of the overall financial risk management strategy of your organization.
  2. Second, organizations should strategically organize effective validation of security, including tactical and operational controls across the supply chain. This means organizing a so-called control tower for supply chain security risk management and establishing security expectations with your supply chain partners through legal and contractual language while leveraging tools to evaluate the effectiveness of the implementation of those security controls. Make sure you use the procurement process as a way of driving enhanced security; Gartner predicts that by 2025, 60% of organizations will use cybersecurity risk as a significant determinant in conducting third-party transactions and business engagements.[2] But don’t forget that it’s important to validate your business partner’s responses to questionnaires and surveys – leveraging quantitative data to validate controls is an important way of ensuring that your partners are doing the right thing.
  3. Third, security and risk professionals need to improve their ability to monitor for changes in a supplier’s cybersecurity posture. Cyber is a dynamic risk, and only through ongoing monitoring can organizations best understand their suppliers’ performance and react to changes. Yet according to Gartner, only 23% of security leaders monitor their third parties in real-time for cybersecurity exposure.[3] To truly understand cyber risk, continuous monitoring tools are essential.

All in all, staying ahead of supply chain risks can feel like a rat race. But don’t worry, you are not alone. The collaboration between Accenture and BitSight allows you to combine in-depth frameworks fueled by data-driven insights to monitor, assess, mitigate and remediate your third-party supply chain risks.

Do you want to start a conversation? Please don’t hesitate to contact Suzanne Rijnbergen or Jake Olcott.

[1] Gartner, Predicts 2022: Cybersecurity Leaders Are Losing Control in a Distributed Ecosystem, Sam Olyaei, Claude Mandy, Christine Lee, Richard Addiscott, Tom Scholtz, Deepti Gopal, 24 January 2022. Available for free download.

[2] Gartner, Predicts 2022: Cybersecurity Leaders Are Losing Control in a Distributed Ecosystem, Sam Olyaei, Claude Mandy, Christine Lee, Richard Addiscott, Tom Scholtz, Deepti Gopal, 24 January 2022. Available for free download.

[3] Gartner, Predicts 2022: Cybersecurity Leaders Are Losing Control in a Distributed Ecosystem, Sam Olyaei, Claude Mandy, Christine Lee, Richard Addiscott, Tom Scholtz, Deepti Gopal, 24 January 2022. Available for free download.

WRITTEN BY

Suzanne Rijnbergen

Associate Director – Cybersecurity Resources Industry, The Netherlands