Cybersecurity Third Party Risk Management (TPRM) goes by many names. Supply Chain Risk Management or Vendor Risk Management are two others that are commonly used. Whichever name we go with, this has become an increasingly critical area for cybersecurity teams to focus on - and there are good reasons for that.
One of the biggest reasons is that supply chain attacks have been at the heart of some of the most high-profile and, more importantly, high-impact data breaches and cyber attacks over at least the last 10 years. One of the first headline-grabbing examples was the data breach that the Target retail store chain suffered in 2013. This attack compromised the personal and financial information of around 110 million Target customers. The attackers gained access to the Target network after first compromising an HVAC vendor used by the company.
Since the Target data breach there have been a number of even more damaging supply chain attacks. Here’s a quick overview of a few of those:
NotPetya: This 2017 attack has been dubbed the most expensive cyber attack in history, and it began with malware that infected the software update mechanism of a widely used accounting and tax preparation software package in Ukraine. It was “disguised” as ransomware, but was really more of a disk wiping / data wiping attack. Although the attack targeted Ukraine, it quickly spread far beyond, as described by Mikko Hypponen in “If It’s Smart, It’s Vulnerable”:
As NotPetya spread internationally, the damage became catastrophic. Maersk, the world's largest container shipping company, reported damage worth $300 million, while FedEx suffered $400 million in damage, and the pharmaceutical company, Merck, reported losses exceeding $870 million.
Kaseya Supply Chain Ransomware Attack: Kaseya is a provider of software tools to IT managed service providers (MSPs). In 2021 their remote monitoring and management software was exploited and is said to have infected thousands of their MSP customers with ransomware. The attack itself, and the potential exposure one level further down to the MSPs’ own customers, prompted a joint alert from CISA and the FBI in the US.
SolarWinds: SolarWinds might just be the most infamous supply chain attack of them all, at least in the US. In 2020 a SolarWinds tool called Orion was compromised in an attack widely attributed to Russian nation-state level attackers. These attackers managed to inject malicious code into the Orion software updates. Orion is a tool for network security monitoring, and because that is its job, it collects and stores data that can be thought of as “keys to the kingdom” level information. That is worrisome enough on its own, but the far more concerning aspect of this attack is some of its victims. Hundreds or perhaps even thousands of SolarWinds’ customers were impacted. They included US tech giants Microsoft, Intel and Cisco and a number of federal agencies including the Treasury, Justice and Energy departments and the Pentagon, as reported by NPR and many others.
That’s the threat. What do we do about it?
I am not going to claim to be an expert at TPRM / Supply Chain Risk Management, but I have a few years’ experience working on it and learning about it, so I’ll offer my $0.02 on this.
Start with the basics: Just as we need to know what systems and assets live in our own environments, we also need to identify all of our vendors and third party providers. This ranges from partners providing hardware and software to our IT department, to vendors and contractor companies providing services of all kinds throughout the organization, from HR software handling employees’ personal data to network infrastructure providers.
Create and/or continually improve a TPRM program: A stretch of a comparison, but just as a first step in addressing alcoholism is admitting to being an alcoholic, we need to recognize that this is an area that requires attention, and then devote resources to it rather than allowing it to be an ignored step-child within our primary cyber risk management program.
Collaborate: To be successful in managing supply chain risk, we need to work effectively with other teams. Our Supply Chain (or Procurement) and Legal teams are two that typically need to be involved, so that we can include risk assessment efforts in the vetting process for potential suppliers and in the contracts drawn up for working with those providers. We also need to build solid working relationships with the vendors and third parties we are looking to assess. There’s a line to be walked between “we want to see all your security things” and the reality that those organizations need to protect their own data and need to be intentional about the level of sharing they are willing to offer.
I sometimes feel that third party risk management is still a little more art than science. Having said that, just as with cyber risk or enterprise risk, any level of reduction of uncertainty around these risks is of great benefit. So I think all of our artistic / scientific efforts in this area are well worthwhile.
Excellent article, Patrick! This makes you realize every connection to another company can be a corporate risk. Well done! Ernie