Supply chain attacks are growing more common. According to the Identity Theft Resource Center (ITRC), there were just 19 supply chain attacks in the final quarter of 2020. In the following quarter, that volume grew to 27 attacks — an increase of 42%. Those incidents in Q1 2021 affected 137 U.S. groups and a total of seven million people. Why are they such a problem? And, how can you protect against them in the course of vendor management?

The second quarter of 2021 brought another increase for supply chain attacks, with the number of incidents growing by 19% to 32. The 59 supply chain attacks detected through June fell just behind the 70 malware-related compromises in H1 2021. So, the training provider predicted that third-party risks stemming from supply chain attacks and other incidents will surpass malware as the third most common source of breaches by the end of the year.

Why Supply Chain Attacks Are So Difficult to Block

Many businesses and agencies struggle to defend themselves against the growing volume of supply chain attacks discussed above. Why? Well, it’s not always easy to ensure defenses after vendor management begins. As reported by Opus, organizations share sensitive information with 583 third parties on average. Those entities all have different policies when it comes to what they do with their clients’ data. Some might not have processes in place that accord with existing policies, for instance. This puts them and their data at risk. Depending on those policies, such risk might persist even after a group terminates its contract with a vendor. Attackers could perform business identity theft using these forgotten accounts and data.

However, IT and security teams must commit a lot of time and resources to review the policies of all their third parties. Putting so much of their time into vendor management would pull personnel away from their current projects and thereby undermine IT resilience and security in other ways. It also wouldn’t account for the other companies to which the vendor connects. Those might retain access to systems or data outside the knowledge of IT and security teams.

Screening: The Beginning of Vendor Management

Keeping in mind the challenges discussed above, it’s key to not delay vendor management until they already have their work agreements in place. That’s why they need to begin screening vendors as part of the process of making those arrangements.

They can do this by requiring an explicit security policy for review during the beginning of vendor management. Such a policy should include information about the vendor’s disaster recovery capabilities, its procedures surrounding the retention of its client information as well as its programs for managing privileged access and for responding to a confirmed security incident. Organizations can review the details of the policy and confirm whether they accord with their requirements. What if they find an area of weakness that they feel could put their systems and/or data at risk? They can refuse to work together or demand that they rectify the issue as a condition of doing so.

Where Vendor Management Goes Next

The work doesn’t end with screening vendors, either. Per CIO, organizations can uphold their other vendor management duties by conducting regular security audits of their third parties’ existing controls and scheduling reviews of those policies on an ongoing basis. Some might struggle to complete those steps on their own. It becomes more difficult with the volume of vendors that they need to manage. As a result, consider automating vendor management using managed software solutions such as privileged access management.

More from Incident Response

3 recommendations for adopting generative AI for cyber defense

3 min read - In the past eighteen months, generative AI (gen AI) has gone from being the source of jaw-dropping demos to a top strategic priority in nearly every industry. A majority of CEOs report feeling under pressure to invest in gen AI. Product teams are now scrambling to build gen AI into their solutions and services. The EU and US are beginning to put new regulatory frameworks in place to manage AI risks.Amid all this commotion, hackers and other cybercriminals are hardly…

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today