Supply chain attacks are growing more common. According to the Identity Theft Resource Center (ITRC), there were just 19 supply chain attacks in the final quarter of 2020. In the following quarter, that volume grew to 27 attacks — an increase of 42%. Those incidents in Q1 2021 affected 137 U.S. groups and a total of seven million people. Why are they such a problem? And, how can you protect against them in the course of vendor management?

The second quarter of 2021 brought another increase for supply chain attacks, with the number of incidents growing by 19% to 32. The 59 supply chain attacks detected through June fell just behind the 70 malware-related compromises in H1 2021. So, the training provider predicted that third-party risks stemming from supply chain attacks and other incidents will surpass malware as the third most common source of breaches by the end of the year.

Why Supply Chain Attacks Are So Difficult to Block

Many businesses and agencies struggle to defend themselves against the growing volume of supply chain attacks discussed above. Why? Well, it’s not always easy to ensure defenses after vendor management begins. As reported by Opus, organizations share sensitive information with 583 third parties on average. Those entities all have different policies when it comes to what they do with their clients’ data. Some might not have processes in place that accord with existing policies, for instance. This puts them and their data at risk. Depending on those policies, such risk might persist even after a group terminates its contract with a vendor. Attackers could perform business identity theft using these forgotten accounts and data.

However, IT and security teams must commit a lot of time and resources to review the policies of all their third parties. Putting so much of their time into vendor management would pull personnel away from their current projects and thereby undermine IT resilience and security in other ways. It also wouldn’t account for the other companies to which the vendor connects. Those might retain access to systems or data outside the knowledge of IT and security teams.

Screening: The Beginning of Vendor Management

Keeping in mind the challenges discussed above, it’s key to not delay vendor management until they already have their work agreements in place. That’s why they need to begin screening vendors as part of the process of making those arrangements.

They can do this by requiring an explicit security policy for review during the beginning of vendor management. Such a policy should include information about the vendor’s disaster recovery capabilities, its procedures surrounding the retention of its client information as well as its programs for managing privileged access and for responding to a confirmed security incident. Organizations can review the details of the policy and confirm whether they accord with their requirements. What if they find an area of weakness that they feel could put their systems and/or data at risk? They can refuse to work together or demand that they rectify the issue as a condition of doing so.

Where Vendor Management Goes Next

The work doesn’t end with screening vendors, either. Per CIO, organizations can uphold their other vendor management duties by conducting regular security audits of their third parties’ existing controls and scheduling reviews of those policies on an ongoing basis. Some might struggle to complete those steps on their own. It becomes more difficult with the volume of vendors that they need to manage. As a result, consider automating vendor management using managed software solutions such as privileged access management.

More from Incident Response

How I got started: Incident responder

3 min read - As a cybersecurity incident responder, life can go from chill to chaos in seconds. What is it about being an incident responder that makes people want to step up for this crucial cybersecurity role?With our How I Got Started series, we learn from experts in their field and find out how they got started and what advice they have for anyone looking to get into the field.In this Q&A, we spoke with IBM’s own Dave Bales, co-lead X-Force Incident Command…

How Paris Olympic authorities battled cyberattacks, and won gold

3 min read - The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions.In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.Cyber vigilance programThe Paris 2024 Olympics implemented advanced threat intelligence, real-time threat monitoring and incident response expertise. This program aimed to prepare Olympic-facing organizations…

How CIRCIA is changing crisis communication

3 min read - Read the previous article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis. When the Colonial Pipeline attack happened a few years ago, widespread panic and long lines at the gas pump were the result — partly due to a lack of reliable information. The attack raised the alarm about serious threats to critical infrastructure and what could happen in the aftermath. In response to this and other high-profile cyberattacks, Congress passed the Cyber Incident Reporting for Critical…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today