By its very nature, a supply chain requires a collaborative partnership between people and organizations. While this can help to achieve a common objective and foster growth, it might also pose a host of problems.
Through these symbiotic relationships, companies have unknowingly exposed sensitive aspects of their business, and this overlooked weakness has opened up opportunities for cybercriminals to establish a foothold in their target organizations.
Underscoring the prevalence of such attacks, an Opus and Ponemon Institute study shows that at least 59% of organizations have suffered from cyberattacks through third-party companies. Even more disturbing is the fact that only 16% of organizations in the study claimed to effectively mitigate cybersecurity risks from third parties.
It stands to reason that the first step to protect your company from such risks is identifying them. Following are some ways that malicious actors can initiate an attack through a supply-chain partner, illustrated by real-life examples.
Almost every organization makes use of external hardware and software. Few want to build tech from scratch. Rather, the boom in the open-source field has led to a massive wave of outsourcing in nearly every aspect of business operations.
In spite of its convenience, this opportunity comes with considerable risk. The infamous Equifax breach of 2018 resulted from a flaw in the software in charge of running online databases. Equifax also blamed it on a malicious download link on its site, which came from another vendor.
As a result of these weaknesses in their supply chain, criminals got their hands on the personal data of at least 143 million people.
Numerous companies use heating, ventilation and air conditioning (HVAC) systems that are connected to the internet but lack adequate security measures. These give hackers a potential gateway into corporate systems, as was the case with the massive 2014 Target breach.
Hackers gained access to login credentials that belonged to the company providing Target’s HVAC system. They then logged in and got into Target’s payment systems, stealing information belonging to an estimated 70 million people. It included names, physical addresses, email addresses and phone numbers, among other sensitive data.
Another form of risk comes from cloud service providers who store companies’ confidential data. To be sure, such entities invest significantly into the security of their systems; their reputations depend on it.
But like any other organizational systems, these are also prone to compromise. That was the case in the infamous Paradise Papers hack in 2018. Approximately 13.4 million sensitive files leaked, revealing the financial dealings of global corporations and super-rich individuals from all over the world. At least half of these files, about 6.8 million, came from Appleby, an offshore legal service provider.
A similar attack took place in the summer of 2018, when Deep Root Analytics leaked the personal data of about 200 million voters. Deep Root is a marketing firm used by both the Republican and Democratic parties. The breach resulted from the firm’s accidentally putting the data on a server that was publicly accessible.
While that’s a relatively small company with only about 50 employees, similar incidents have taken place at larger organizations. In the case of the Verizon breach, Nice Systems put 6 million customer records on a public Amazon S3 storage server. The records consisted of six months’ worth of customer-service call logs. They included personal and account information. Nice has over 3,500 employees.
Deloitte, with more than 250,000 employees, has experienced a similar data breach. In September, 2018, hackers got access to confidential plans and emails of some of its blue-chip customers. The loophole, in this case, was weak access controls on one of its administrative accounts.
For big businesses, security may be internally watertight. However, this might not be true of their vendors’ IT systems. That seems to be what happened at Domino’s Pizza in Australia last fall. According to reports at the time, the incident resulted from a former supplier’s weak cybersecurity systems. As a result, the system leaked customer names and email addresses. The breach only came to light when affected customers began receiving personalized spam emails. Though Domino’s insisted there was no malicious hack of personal data and that its systems were not at fault, the damage was already done.
Another loophole that cybercriminals might exploit is internet of things (IoT) sensors. Many business operators are alert to computer, phone and network security risks. But they often overlook IoT devices, which can allow attackers to leapfrog into corporate systems.
These devices have sensors which connect them to the internet for communication purposes. They are common in supply chains, as they can assist in machine failure prediction and inventory management, among other areas. In spite of their functional value, they are a popular attack vector that can give attackers access to sensitive data, and facilitate sabotage and botnet attacks.
An example of such an attack used a botnet known as Mirai to compromise Dyn, a company that provides domain name services to Reddit, Netflix and Github, among others. Mirai is an IoT-specific botnet designed to perpetrate distributed denial of service (DDoS) attacks.
The above examples give credence to the fact that attackers can use a weak link in your supply chain to gain access to systems. Unfortunately, you cannot exercise direct control over the security measures that your supply-chain partners implement. But at the end of the day, customers don’t care how you got compromised. They simply want to know that their data is secure. And this places the responsibility for ensuring tight security in your hands.
Due diligence in assessing third-party security systems and their privacy policies is essential. As we’ve seen, organizations large and small can fall prey to these tactics. No matter the size of your partners, it’s essential to assess their commitment to security.
Make it a top objective to assess where your weaknesses lie, and prioritize sealing all loopholes.
Olivia Scott is marketing manager at VPNpro.com.