Torsten George VP of Marketing and Products Agiliance

Data breaches at Adobe, Target, and Neiman Marcus made headlines over the last few months. These are only a few examples, in which hackers are mounting targeted attacks against an organization's supply chain. One of the most damaging and memorable supply chain attacks to date remains the RSA SecureID token breach.

Using stolen data about the company’s SecurID authentication system, criminals were able to compromise RSA customers including Lockheed Martin that rely on SecureID tokens to protect their most sensitive data and networks. As companies improved their defenses against direct network attacks, hackers shifted their focus to the weakest link by exploiting the supply chain to gain "backdoor" access to IT systems. As a result, enterprises need to monitor and manage IT security risks downstream in the supply chain. Assessing just your top 25 critical vendors is no longer sufficient.

To illustrate this point, count the number of suppliers your organization uses to run your business operations. Even small companies easily exceed one hundred third-party vendors, including technology vendors, electricity, hosting, facilities, payment, and collection services providers. As a result, it is not surprising that when it comes to third party risk assessments, most organizations focus only on a small subset, typically based on contract size.

This practice is clearly outdated, considering the fact that cyber criminals are using the supply chain to access data from large, well-protected global organizations they wouldn’t otherwise be able to compromise. In response, organizations need to extend their practice of conducting regular risk assessments to include all of their suppliers, and - if possible – even supplier’s suppliers. Performing vendor risk assessments has become a very popular practice over the past 12 months. While gathering data about a supplier’s business and information security practices provides some peace of mind, it doesn't guarantee a higher level of security, especially if a vendor stretches the truth a bit. Furthermore, most organizations conduct vendor risk assessments only after they have engaged with the supplier.

Nonetheless, performing a standardized vendor risk management process as part of normal business operations is an important step in securing the supply chain. Unfortunately, by including all suppliers in manual questionnaire-based risk assessments, organizations quickly reach limitations as it relates to operational efficiency and scalability. To avoid having to hire legions of contractors or full-time staff, organizations are turning to software to help automate the data gathering process and calculation of risks scores. Specifically, Vendor Risk Management tools are being used by more and more organizations to address the information sharing risk component of overall supply chain risks. These tools can also assist in conducting risk assessments during the on-boarding process rather than waiting for months or years to run the first risk assessment.

Based on the uptick in cyber-attacks on the supply chain, some companies are mandating suppliers to use independent verification services (e.g., Veracode’s VAST program) to test software applications prior to procurement and deployment. This is a departure from the traditional approach of conducting penetration tests using internal security operations teams to assess potential vulnerabilities months or even years after deploying the technology. By augmenting vendor risk assessments via questionnaires with vendor application security testing programs, organizations are moving to close the gap between third-party technology vendors and the application security standards to which they hold their internal teams.

One example of this approach is Thomson Reuters. The company requires all externally developed code be held to the same security standards regardless of the type of application. All of its vendors have to analyze and attest their software security policy based on industry compliance standards via an independent verification service. In the case of Thomson Reuters, new test results are required for any new release, product enhancement, or upgrade – imposing “continuous” diagnostics to minimize risk.

It’s unlikely we’ve seen the last major data breach that exploits supply chain vulnerabilities.  It’s also unlikely that organizations will continue to manage their supply chain risks the same way they have in the past.