Supply chain attacks are growing more common. According to the Identity Theft Resource Center (ITRC), there were just 19 supply chain attacks in the final quarter of 2020. In the following quarter, that volume grew to 27 attacks — an increase of 42%. Those incidents in Q1 2021 affected 137 U.S. groups and a total of seven million people. Why are they such a problem? And, how can you protect against them in the course of vendor management?

The second quarter of 2021 brought another increase for supply chain attacks, with the number of incidents growing by 19% to 32. The 59 supply chain attacks detected through June fell just behind the 70 malware-related compromises in H1 2021. So, the training provider predicted that third-party risks stemming from supply chain attacks and other incidents will surpass malware as the third most common source of breaches by the end of the year.

Why Supply Chain Attacks Are So Difficult to Block

Many businesses and agencies struggle to defend themselves against the growing volume of supply chain attacks discussed above. Why? Well, it’s not always easy to ensure defenses after vendor management begins. As reported by Opus, organizations share sensitive information with 583 third parties on average. Those entities all have different policies when it comes to what they do with their clients’ data. Some might not have processes in place that accord with existing policies, for instance. This puts them and their data at risk. Depending on those policies, such risk might persist even after a group terminates its contract with a vendor. Attackers could perform business identity theft using these forgotten accounts and data.

However, IT and security teams must commit a lot of time and resources to review the policies of all their third parties. Putting so much of their time into vendor management would pull personnel away from their current projects and thereby undermine IT resilience and security in other ways. It also wouldn’t account for the other companies to which the vendor connects. Those might retain access to systems or data outside the knowledge of IT and security teams.

Screening: The Beginning of Vendor Management

Keeping in mind the challenges discussed above, it’s key to not delay vendor management until they already have their work agreements in place. That’s why they need to begin screening vendors as part of the process of making those arrangements.

They can do this by requiring an explicit security policy for review during the beginning of vendor management. Such a policy should include information about the vendor’s disaster recovery capabilities, its procedures surrounding the retention of its client information as well as its programs for managing privileged access and for responding to a confirmed security incident. Organizations can review the details of the policy and confirm whether they accord with their requirements. What if they find an area of weakness that they feel could put their systems and/or data at risk? They can refuse to work together or demand that they rectify the issue as a condition of doing so.

Where Vendor Management Goes Next

The work doesn’t end with screening vendors, either. Per CIO, organizations can uphold their other vendor management duties by conducting regular security audits of their third parties’ existing controls and scheduling reviews of those policies on an ongoing basis. Some might struggle to complete those steps on their own. It becomes more difficult with the volume of vendors that they need to manage. As a result, consider automating vendor management using managed software solutions such as privileged access management.

More from Incident Response

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

X-Force uncovers global NetScaler Gateway credential harvesting campaign

6 min read - This post was made possible through the contributions of Bastien Lardy, Sebastiano Marinaccio and Ruben Castillo. In September of 2023, X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials. The campaign is another example of increased interest from cyber criminals in credentials. The 2023 X-Force cloud threat report found that 67% of cloud-related…

Tequila OS 2.0: The first forensic Linux distribution in Latin America

3 min read - Incident response teams are stretched thin, and the threats are only intensifying. But new tools are helping bridge the gap for cybersecurity pros in Latin America. IBM Security X-Force Threat Intelligence Index 2023 found that 12% of the security incidents X-force responded to were in Latin America. In comparison, 31% were in the Asia-Pacific, followed by Europe with 28%, North America with 25% and the Middle East with 4%. In the Latin American region, Brazil had 67% of incidents that…

Alert fatigue: A 911 cyber call center that never sleeps

4 min read - Imagine running a 911 call center where the switchboard is constantly lit up with incoming calls. The initial question, “What’s your emergency, please?” aims to funnel the event to the right responder for triage and assessment. Over the course of your shift, requests could range from soft-spoken “I’m having a heart attack” pleas to “Where’s my pizza?” freak-outs eating up important resources. Now add into the mix a volume of calls that burnout kicks in and important threats are missed.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today