From SolarWinds to Accellion and most recently Microsoft Exchange, supply chain cyberattacks are continuing to make headlines, putting the pressure on all businesses – including channel partners – to fortify their supply chain security defenses.
With so many links in the chain, supply chain security can quickly become a very complex problem to tackle. To make it simpler, channel partners can start with two primary approaches: assessing the security of their own suppliers and business partners, and implementing controls around high-risk interactions.
Let’s take a closer look at what each of these approaches entails.
Assessing your suppliers’ security posture
The first step in assessing a supplier’s security posture is to determine the level of risk they present to you, which is driven by what they can reach and what they hold. If a supplier has no remote access to your network and doesn’t process sensitive data, you might determine that they present minimal risk. On the other hand, if a supplier is entrusted with access, or manages or processes data on your behalf, they likely present a larger risk and therefore warrant a higher degree of scrutiny.
Channel partners can also assess their suppliers’ security by examining the certifications and audits they are subject to – particularly for cloud providers and payment processors.
For example, any payment processor must comply with PCI DSS. Level 1 entities undergo an annual on-site assessment and receive a Report on Compliance (RoC) from a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA), while Level 2 entities typically self-assess with a Self-Assessment Questionnaire (SAQ). It is best practice to request the RoC, or at minimum the Attestation of Compliance (AoC) that summarises it, along with the quarterly Approved Scanning Vendor (ASV) scan results, and to re-review them each time they are reissued to ensure the processor is still meeting your expectations.
Cloud providers, on the other hand, commonly undergo SOC 2 audits (and publish a SOC 3 general-use summary) that assess security controls and mitigations against the five AICPA Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy. Ask for the SOC 2 Type II report, which covers how the controls operated over a period rather than how they were designed at a single point in time (Type I), and read the auditor’s noted exceptions and the carve-outs for the provider’s own subservice organisations, since those are where your residual risk sits.
While audits and certifications don’t guarantee security, they can be a good indicator of which suppliers follow security best practices. Other evidence to consider includes penetration test reports, GDPR compliance, and the supplier’s history of previous flaws or data breaches. At the same time, channel partners should not lose sight of outsourced human resources, legal, accounting or tax preparation functions. Many of these organisations themselves subcontract during peak seasons and could introduce additional, less visible supply chain risk.
Applying a risk management approach
Too often, external service providers are given the same access credentials and privileges as internal employees. This has become one of the leading causes of supply chain attacks: those credentials can be stolen through phishing or abused to reach all sorts of systems that are unnecessary for the task at hand. Single sign-on, which most organisations now use, makes this worse, because one compromised credential then unlocks every application the account is federated to.
Another mistake is giving third parties unfettered remote access through technology such as VPN and RDP that places them on the entire network, rather than segmenting the network and securing only the specific remote access path they need.
Channel partners should require multi-factor authentication for all externally facing tools, and limit each third party’s access to the single host or system its work requires. Where broader access is genuinely needed, channel partners should consider a jump host: it narrows the exposed surface and gives a single choke point for additional monitoring and logging.
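The following is an added example, not code from the original article or from Sophos: it turns the three controls above (MFA, per-vendor allowlisting to single hosts, a logged jump host) into a per-vendor policy, renders it as OpenSSH `sshd_config` Match blocks, and audits constructed connection records against the same allowlist so that configuration drift shows up as alerts. The vendor names, hosts and addresses are invented, and it assumes a Linux jump host running OpenSSH with `UsePAM yes` and `KbdInteractiveAuthentication yes` set globally so that a PAM module supplies the second factor; the record format is a constructed `account,source_ip,target_host:port` line from your own logging, not OpenSSH’s native log format.

```python
"""Added example, not code from the original article: a per-vendor
jump-host policy that renders hardened OpenSSH sshd_config Match blocks
and audits constructed connection records against the same allowlist.

Assumptions not made by the article: vendor accounts are local users on a
Linux jump host running OpenSSH with "UsePAM yes" and
"KbdInteractiveAuthentication yes" set globally so that a PAM module
supplies the second factor; connection records are a constructed
"account,source_ip,target_host:port" format from your own logging.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorAccess:
    account: str                 # local account on the jump host
    allowed: frozenset           # {"host:port", ...} the vendor may reach
    source_cidrs: tuple = ()     # vendor egress ranges; empty = any source


# What the article warns against: the vendor gets the same rights as staff,
# can forward to any host on the network, and needs only a password.
WEAK_MATCH_BLOCK = """Match User vendor_hvac
    PasswordAuthentication yes
    AllowTcpForwarding yes
    PermitOpen any
"""


def render_match_block(v: VendorAccess) -> str:
    """Render a hardened Match block: key plus PAM second factor, no TTY,
    no agent/X11 forwarding, local port forwarding only to the allowlisted
    targets, and verbose logging for the audit trail."""
    criteria = f"User {v.account}"
    if v.source_cidrs:
        criteria += " Address " + ",".join(v.source_cidrs)
    lines = [
        f"Match {criteria}",
        "    AuthenticationMethods publickey,keyboard-interactive",
        "    PermitTTY no",
        "    X11Forwarding no",
        "    AllowAgentForwarding no",
        "    AllowTcpForwarding local",
        "    PermitOpen " + " ".join(sorted(v.allowed)),
        "    ForceCommand echo 'port-forwarding only (use ssh -J)'",
        "    LogLevel VERBOSE",
    ]
    return "\n".join(lines)


def render_policy(policy: dict) -> str:
    """All vendor blocks; append after the global settings, because
    everything following a Match line belongs to that Match."""
    return "\n\n".join(render_match_block(v) for v in policy.values())


@dataclass(frozen=True)
class Finding:
    account: str
    target: str
    reason: str


def _source_allowed(v: VendorAccess, src: str) -> bool:
    if not v.source_cidrs:
        return True
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(c) for c in v.source_cidrs)


def audit_connections(policy: dict, records: list) -> list:
    """Flag records the jump host should have refused: unknown accounts,
    connections from outside the vendor's ranges, targets not allowlisted.
    A non-empty result means the deployed config drifted from policy."""
    findings = []
    for line in records:
        account, src, target = line.strip().split(",")
        v = policy.get(account)
        if v is None:
            findings.append(Finding(account, target, "unknown vendor account"))
        elif not _source_allowed(v, src):
            findings.append(Finding(account, target, f"source {src} outside vendor ranges"))
        elif target not in v.allowed:
            findings.append(Finding(account, target, "target not in allowlist"))
    return findings


POLICY = {
    "vendor_hvac": VendorAccess("vendor_hvac", frozenset({"bms01.internal:443"}),
                                ("203.0.113.0/24",)),
    "vendor_erp": VendorAccess("vendor_erp",
                               frozenset({"erp-db.internal:1433", "erp-app.internal:22"})),
}

# Constructed records, not real logs (RFC 5737 documentation addresses).
SAMPLE_RECORDS = [
    "vendor_hvac,203.0.113.7,bms01.internal:443",    # in policy
    "vendor_hvac,203.0.113.7,dc01.internal:445",     # lateral move attempt
    "vendor_erp,198.51.100.2,erp-db.internal:1433",  # in policy
    "vendor_hvac,192.0.2.9,bms01.internal:443",      # wrong source range
    "contractor_x,198.51.100.9,fs01.internal:445",   # account nobody approved
]

if __name__ == "__main__":
    print(render_policy(POLICY))
    for f in audit_connections(POLICY, SAMPLE_RECORDS):
        print(f"ALERT {f.account} -> {f.target}: {f.reason}")
```

The vendor then connects with `ssh -J vendor_hvac@jump bms01.internal`, which opens only a forwarded channel on the jump host; `PermitOpen` decides whether that channel is allowed, `ForceCommand` and `PermitTTY no` deny an interactive shell, and the global section of `sshd_config` should stay deny-by-default (for example `AllowGroups` limited to staff and vendor groups) so that a vendor account without a Match block gets nothing at all. Run the audit against the jump host’s forwarding records on a schedule; any finding is either a misconfiguration to fix or an attempted lateral move worth an incident ticket.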
They should also pay close attention to suppliers’ security bulletins, so that when vulnerabilities are discovered, patches and mitigations can be deployed as quickly as possible. Lastly, if channel partners have cyber insurance, they should determine whether it covers third party losses and how to engage the policy, if necessary.
The complexity of supply chain security makes it one of the more daunting areas of cybersecurity to assess and many businesses, including channel partners, simply don’t know where to start. But as supply chains continue to be attractive targets for cybercriminals, it’s imperative to step up.
We’re all targets in someone’s supply chain – by carefully assessing the security posture of all external suppliers and applying risk management to all interactions with them, channel partners can start to minimize supply chain risks for themselves and their own customers. But achieving perfect supply chain security isn’t always possible, which is why sourcing additional help from external teams like Sophos Managed Threat Response can help fill the gaps, providing more proactive and effective monitoring for early indicators of compromise, strengthening partners’ security posture within the supply chain.