Companies that lull themselves into complacency are exposed to the risk of supply chain attacks even if they have done their due diligence in assessing the security of their third-party suppliers before entering into a partnership.
Companies would typically give their third-party suppliers “the keys to their castle” after routinely reviewing the vendor’s history and systems, said Steve Turner, a New York-based Forrester analyst who studies security and risk.
Third-party vendors should be able to deal with irregular activity in their systems and have an adequate security architecture to prevent downstream effects, he added.
Hamza Siddique, head of cybersecurity at Capgemini Southeast Asia, noted that technical controls and policies from third-party vendors or supply chain partners were not always consistent with their customer’s capabilities.
This created another attack surface or an easy target in the customer’s network and could lead to risks associated with operations, compliance and brand reputation, Siddique said in an email interview.
To better mitigate such risks, he recommends a third-party risk management strategy that draws on best practices from NIST and ISO standards, including the need for regular audits, planning for third-party response to incidents, and implementing limited and restricted access mechanisms.
In addition to containment and recovery, the consulting company’s service portfolio also includes support for its customers in establishing a strategy for recognition and analysis.
The defense strategy of companies against ransomware attacks must also go beyond the mere purchase of products and deal with the configuration of the systems and their architecture.
It was stressed that third-party systems should be regularly re-evaluated or, if this were not possible, that organizations should have tools and processes in place to protect themselves against downstream attacks.
This may be more difficult for small and medium-sized enterprises that do not have the resources or know-how to do so, which typically rely on their managed service providers to provide these services.
Cyberattacks can be divided into different parts and delivered by a number of threat actors with expertise in each part of the attack. One could be instructed to build the malware while other subsidiaries focus on breaking through a network and developing the exploit.
Ransomware attacks have also evolved into multi-layered exploitation, with cybercriminals seeing data theft as more lucrative than a disruption of service.
For more information, read the original story in ZDNet.