Cyber-related supply chain risks. While companies once relied upon a single vendor to support their email environment, now their entire network may run on hardware and software owned by multiple companies. (Photo: Wright Studio/Shutterstock)

Early in my cyber career, we worried about individual vendor cyber risk. Now we worry about supply chain cyber risk. This change comes as companies that once relied on a single vendor to support their email environment now have their entire network running on hardware and software owned and operated by third parties. The global pandemic pushed workers to move their personal and business services to the cloud. Practically all services are now delivered remotely, and a breach that starts with just one vendor or third party has the potential to cause much greater harm.

Businesses, facing tremendous pressure in 2020, were drawn to the ease, availability and reliability of cloud-based services without fully considering the security risks associated with them. What most businesses fail to consider is that the easier it is for users to reach their accounts and data from anywhere, the easier it is for attackers to reach them as well. Software that is simple, reliable and widely adopted is an attractive target precisely because a single compromise can affect many customers at once.

In a cyber supply chain, third parties own and operate much of a company's technology. When a vendor's system is breached, many businesses are unconcerned because the breach did not touch their own technology or servers, so it is not viewed as their security problem. This couldn't be further from the truth. If anything, it amplifies their exposure, because businesses are less likely to know the ins and outs of that exposure, how far-reaching a breach can be, or where their data resides.

A case study: SolarWinds

In December 2020, SolarWinds, a software company whose products help businesses manage networks and systems, disclosed that it had been breached through its Orion product. The attackers injected malicious code into the legitimate, vendor-signed code of an Orion software update, so anyone who installed the tainted update also installed the backdoor. Victims of the cyberattack included the U.S. Department of Homeland Security, the U.S. Treasury and the U.S. Commerce Department. This was a supply chain compromise: the bad actor embedded malicious code in software that sits in the supply chain of many third-party companies, reaching all of them at once through a single trusted update channel.

When a hack like this happens, it takes time for the details to be disclosed. The biggest question in the SolarWinds case is: How did the hackers get access to the software build and update process? When businesses rely on supply chain vendors, they also rely on them to be upfront about vulnerabilities and about how they address problems when they arise. Many businesses were vulnerable, but vulnerable does not mean exploited: installing the tainted update gave the attackers a foothold, which they then used only against selected victims. What were the hackers after? Was it SolarWinds or your data?

Mimecast breach

Another example of a supply chain compromise is the Mimecast cyber event. Early in 2021, the cloud-based email management company disclosed that a digital certificate used to authenticate the connection between certain Mimecast products and the Microsoft 365 service had been compromised. While the compromised certificate had the potential to affect thousands of customers, only a small number were directly targeted.

The event was an attack on an organization's supply chain: a customer could have been compromised not through its own systems but through its email security vendor. This shows that the scope of cybersecurity risk management extends beyond an organization's boundary. It also fits an increasing trend in email-related incidents. Coalition reported a 67% increase in email-related reported claims from 2019 to 2020.

How to help mitigate risk

Here are some steps companies can take to help mitigate the risk of a hack.

  1. Understand what the biggest targets tend to be. Usually, hacks come down to money, data and information: anything a hacker can hold over you as a threat or hold for ransom in a ransomware attack. This means payroll and accounting software are high-risk targets, as is any system holding large amounts of data.
  2. Do your due diligence on vendors. When picking a vendor to help manage your information and data, make sure they address all of your needs and have steps in place if something goes wrong. They should have a security team and an incident response (IR) plan, with teams in place to handle breaches, and they should be clear about how and when they will notify you if a breach touches your data.
  3. Turn on multi-factor authentication/two-factor authentication (MFA/2FA). Almost all vendors offer this feature, but people usually don't turn it on until it is too late. A lot of companies use it as a reactive measure after a hack instead of a preventive one. Where the vendor supports it, prefer an authenticator app or hardware key over SMS codes.
  4. Never reuse passwords. Use a unique password for each vendor to protect your information. If you use the same email and password for multiple accounts, an attacker who obtains one set of credentials can try them against all of your services. In general, it's good practice not to reuse passwords in any capacity. Companies that require employees to change passwords every three to six months should note that current NIST guidance (SP 800-63B) advises against forced periodic changes and favours unique passwords that are changed when compromise is suspected; either way, store them in a password manager protected with MFA.
  5. Don't use your business email for anything personal. Companies should adopt a policy that employees cannot use their business email for any personal reasons or accounts, so that a breach of a consumer service does not expose a work identity, and vice versa.
  6. Monitoring. Supply chain risks, along with the growing number of personal and work devices we use, create a broad attack surface. We recommend an endpoint detection and response (EDR) solution, which can identify and block threats such as malware, ransomware and exploits on the devices themselves, combined with internal network monitoring so that unexpected traffic from a server or management tool, the kind a backdoored update would generate, stands out. We also recommend an external attack surface monitoring tool to keep watch over your internet-facing assets.
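As an added example (not code from the article or from Coalition) of the monitoring recommendation in item 6, here is a small Python check that applies it to the mechanism seen in the SolarWinds case: a management server should only ever resolve a short, known set of vendor domains, so a backdoored update tends to reveal itself by contacting something else. The log format, host names, domains, allowlist and thresholds are all constructed assumptions for this example; a valid vendor signature on the update itself would not have raised any flag, which is why behavioural monitoring of the host matters.

```python
"""Egress allowlist and DNS-label check for a management host.

Added example; not code from the article or from Coalition. It applies the
"monitoring" recommendation to the pattern seen in the SolarWinds case:
a backdoored management product usually reveals itself by contacting hosts
its vendor never uses. The log format, host names, domains and allowlist are
all constructed for this example.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample DNS query log for a network-management server
# (loosely modelled on dnsmasq's "query[TYPE] name from client" line; an assumption).
SAMPLE_LOG = """\
2021-01-15T02:14:07Z mgmt-01 query[A] updates.example-vendor.com from 10.0.5.20
2021-01-15T02:14:09Z mgmt-01 query[A] licensing.example-vendor.com from 10.0.5.20
2021-01-15T02:15:44Z mgmt-01 query[A] k3mgy7tndfr2p.appsync-api.example.net from 10.0.5.20
2021-01-15T02:16:01Z mgmt-01 query[A] time.windows.com from 10.0.5.20
2021-01-15T03:15:45Z mgmt-01 query[A] a8bq2w9ezkd.appsync-api.example.net from 10.0.5.20
"""

# Constructed allowlist: the only domains this host is expected to resolve.
ALLOWED_SUFFIXES = ("example-vendor.com", "windows.com")

# Heuristic thresholds for a leading label that looks like encoded data
# rather than a hostname a human chose (assumed values; tune to your own data).
MIN_SUSPICIOUS_LABEL_LEN = 10
MIN_SUSPICIOUS_ENTROPY = 3.0

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<src>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    name: str
    reasons: tuple


def is_allowed(name, allowed=ALLOWED_SUFFIXES):
    """True if name is an allowed domain or a subdomain of one.

    Matching on ".suffix" rather than a bare endswith() is what stops a
    look-alike such as "evilexample-vendor.com" from passing.
    """
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in allowed)


def shannon_entropy(text):
    """Bits of entropy per character of text."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(name):
    """Flag a long, high-entropy leading label (data smuggled in a subdomain)."""
    label = name.split(".")[0]
    return (len(label) >= MIN_SUSPICIOUS_LABEL_LEN
            and shannon_entropy(label) >= MIN_SUSPICIOUS_ENTROPY)


def audit_dns_log(log_text):
    """Return one Finding per query that violates the allowlist or looks encoded."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count these as well
        name = m["name"]
        reasons = []
        if not is_allowed(name):
            reasons.append("not in egress allowlist")
        if looks_encoded(name):
            reasons.append("high-entropy leading label")
        if reasons:
            findings.append(Finding(m["ts"], m["src"], name, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit_dns_log(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.name}: {', '.join(f.reasons)}")
```

Run as-is and the two queries to the unknown domain are reported, each with both reasons. In practice, point the same logic at the DNS or proxy logs of every server that runs third-party management software, keep the allowlist per host rather than global, and treat a new domain as something to investigate rather than just another log line.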

If you’re compromised

  1. Contact your insurer. Cyber insurers have systems in place to help their insureds respond to a potential compromise, and response time matters. Contact your insurer as soon as possible to help contain the damage.
  2. Contact the vendor. Reach the vendor or third party directly as soon as possible. Get as much information as you can about the breach, what data or access was involved, and how it may affect your business.

Now that businesses have moved so many of their processes to the cloud, there is no turning back. Technology will continue to be critical to enable connectivity and deliver convenience for employees and customers. As businesses adjust to this new way of working, they must also understand their cyber risks, have security measures in place, and work with their broker to make sure they have the right insurance should one of the many vendors in the supply chain face a cyber event.

Leeann Nicolo ([email protected]) is the incident response lead for Coalition.