The latest research by Neustar International Security Council (NISC), a group of cyber security people across key industries, government agencies and companies, found growing concerns, over supply chain risk and an erosion of trust in the security practices of their software and service provider partners – even as they rely more heavily on them. Mark Rowe speaks to Michael Smith, CTO at cyber firm Neustar Security Services, pictured, on this supply chain risk as partner confidence wanes and how organisations need to remain vigilant given the threat landscape.
How big a threat do suppliers (and partners) represent?
“The pandemic has caused a seismic shift in the cybersecurity market and the threat landscape has evolved considerably. NISC’s latest findings suggest partner confidence is waning, with many organisations reporting that they currently feel exposed through software or service providers. With attacks such as the Sunburst attack on SolarWinds in 2020, it quickly became apparent that supply chain is now a part of every company’s attack surface – it offers a way in and a means of evading your company’s security defences.
“It all depends on what access suppliers have to your own systems, what data do you share with them, and what are they installing on your network. Threat actors are looking to access core data inside their systems and networks, ultimately to find a loophole which grants them access into other suppliers and partners networks and systems – which can be catastrophic.
“It’s particularly worrying when it involves critical suppliers where customers often do not have an alternative. If they become untrustworthy, partners need to establish a backup plan. Ultimately, what are you going to do about it when you know that a change here will upset your business operations?
“It is critical for companies to hold their suppliers contractually accountable to maintain security standards at least as stringent as those that the company adheres to. Companies should maintain a standardised information gathering (SIG) questionnaire that they include in their contracts with third-party suppliers.”
How do you find out if your suppliers (and partners) are a problem?
“This is an area that requires lot of improvement. There are some companies that help perform due diligence based on external technical data such as IP reputation and vulnerability scans, but they also monitor vendors based on press reporting. It’s a very imprecise process in a lot of ways, as you are essentially trying to predict which of your suppliers are more likely to have a security incident, and you are doing so without any insider data.
“Supplier or partners negligence can pose a huge risk to your company, especially if they are not vetted appropriately. Businesses must be able to trust that what they are provided with will operate to specifications and not create new vulnerabilities in their environment.”
How do you assess a partner’s security situation? What are the limits to this?
“Cybersecurity due diligence is becoming a critical component of the vendor and partner vetting process, especially as attacks can lead to further repair costs and business disruption for organisations that are several steps downstream from the original target.
“Enterprises are starting to realise now that they not only need optimise their own security measures, ideally by adopting a proactive security-by-design strategy, which includes an ‘always on’ approach to cybersecurity, but to invest more in supply chain auditing as well. While digitisation brings undeniable business benefits, it’s worth noting that an organisation is only as secure as the least secure partner in its supply chain.”
“It is best practice to vet your potential partners carefully before choosing them, including, having an understanding of their reputation in the market and what practices they carry out with their own supply chain. The next step is to make security requirements part of their contractual obligation ideally giving you audit rights to inspect their controls periodically. That being said, in-house security teams should actively perform vulnerability scanning on all systems and sub-systems to the extent possible, to minimise unnecessary risk.
Partners are key to battling some of the more complex business challenges, so organisations must remain vigilant. The industry has a collective responsibility to respond according to customers’ needs and, as the pandemic has proven, anticipate the constantly evolving cyberthreat landscape. Only then will we be able to answer some of most pressing cybersecurity challenges of our time.”
About Michael Smith
He is Neustar’s Field CTO and is responsible for the organisation’s products and services strategy including product management, security operations, and customer support. With over 30 years of experience in cybersecurity, IT, and intelligence, he has managed high-profile incidents such as the wave of DDoS attacks against major United States banks in 2012 and 2013 and attacks by e-commerce account takeover gangs, as well as security monitoring for large online events such as the Olympics and World Cups. He initially started as a Russian translator in the US Army, before serving in engineering, information security management, incident management, and CTO roles at Akamai, Deloitte, Unisys, and several start-ups.
