The recent NCSC report underlines an all-too-common refrain for UK PLC – the cyber-threat to businesses is growing. The security sector may have grown a thick skin to such warnings; however, hearing it from a Government body with access to a unique picture of the threat landscape means companies should take heed.
Specific warnings about the growing threat from ransomware and DDoS are an ongoing source of anxiety for security teams. WannaCry quickly shifted ransomware from the realm of small-scale laptop clean-up to board-level concern, and DDoS is an omnipresent danger.
There was a third emerging problem which the NCSC saw fit to highlight: supply chain threats. Reading between the lines, this is a warning that the UK should expect not only a higher volume of attacks, but also attacks with a greater degree of planning behind them.
It takes far less time to rent a botnet or buy a piece of off-the-shelf ransomware than it does to find, analyze and compromise a third party. You only have to look at the ‘low and slow’ approach adopted by the recent CCleaner compromise for proof. Moving laterally at night, it hid for months inside a development system before finally striking. These are not the hallmarks of a script kiddie.
Whilst CISOs and security teams are more at home with the tangible threat to their immediate perimeter, the vulnerability introduced by trusted third parties sometimes comes as an afterthought. Security teams need to get better at looking outside their own organization when assessing risk. Attackers have realized this, switching their attacks away from a perimeter guarded by shiny new countermeasures to focus on the outdated laptop used by your HR consultant.
The increased outsourcing of non-core company functions has created fertile ground for the growth of this threat. Nowhere is this trend more evident than in technology outsourcing. The raft of sensitive enterprise data tasks now handled by MSPs with privileged access to critical systems is a particular area of concern. All it takes is a single backdoor, an insecure remote connection or even a rogue employee, and your data can quietly walk out the door.
Given this, what can companies do to sharpen up their approach? The management of a disparate set of suppliers is a problem that takes more than just technology to resolve. It should be a procedural and cultural shift in the way any large business does business with the outside world.
Firstly, assess risk. You will already understand what your critical assets are, so map which have exposure to such attacks and prioritize these. Anywhere that suppliers have a gateway into sensitive data, or control systems if you are overseeing an infrastructure asset, needs to be considered. Think like an attacker, be creative.
Once this is captured, appoint a small, focused group with a broad range of skills that extends beyond the purely technical, for example representatives from legal and procurement. Working with this team, assess current suppliers, reviewing the security posture of each and where they have access to networks or data.
Again, be creative. Whilst technical teams will often have a tight grasp of how their data is secured, this exercise may throw up some eyebrow-raising moments about how other business functions share company information.
Only after this phase will you have a full view of current exposure. Work closely with suppliers to communicate a set of standards which need to be applied to secure interactions. It is important that this is not done in a dictatorial way, as the smaller businesses that make up your supplier base can see this as time-consuming and difficult, so helping them understand the shared risk is important. For this reason, these rules should be flexible according to the resources available on the supplier side.
Finally, bake this process into all future supplier on-boarding. Whilst the up-front work to assess risk is intensive, building standards into future contracts means it becomes part of the way you do business. This will minimize exposure from the very start of all engagements.
However, it is important not to become complacent. The standards created should be agile enough to respond to emerging attacks and to the fluid nature of technology brought into your organization. All security policies date. In addition, security teams should ensure threat monitoring technology is augmented to watch for supply chain risk: monitoring network traffic for data exfiltration and automating the management of shadow IT and software.
On the face of it, the supply chain risk can seem daunting. Security teams see managing their own estate as a game of continually plugging different holes, so the thought of having to do so across the entire supplier base looks like a tall order. However, with the right processes, close communications with suppliers and some small technical improvements, it doesn’t have to be. It is a risk point that needs to be considered, not least because your adversaries probably already are.