Security

Don’t Be Victimized by a Supply Chain Attack

Businesses must ensure their vendors are meeting the same security standards they set internally.

Mike Chapple is associate teaching professor of IT, analytics and operations at the University of Notre Dame.

Six years ago, a major U.S. retailer suffered one of the most famous data breaches in history. Attackers compromised the company’s retail point-of-sale (POS) system and remained embedded in it for over two weeks, siphoning credit card information that moved through the system during the busy holiday shopping period. When the dust settled, the investigation revealed that the breach affected 41 million consumers.

Incident investigators traced the root cause of the breach back to an unlikely source: An HVAC repair company that served as a contractor to the retailer and had VPN access to its network. An attacker managed to steal the password of an employee of the contractor and used that initial access to work his or her way into the network, install malware on the POS system and instruct it to collect customer information.

This was a textbook example of a supply chain breach — a cyberattack that begins with an organization’s supplier or business partner rather than with the victim itself. It’s often necessary for third parties to have access to a business’s network, but that increased access, especially when it involves individuals that business doesn’t really control, massively increases the attack surface for hackers.

What can a business do? National Cybersecurity Awareness Month is a great time to look at a few ways that organizations can better manage vendors and their access to enterprise systems to reduce the risk of a data breach.

Keep Networks Segmented

Hands down, the top cybersecurity lesson that we can draw from the breach is the importance of network segmentation.

Network segmentation seeks to contain the damage caused by a security breach by limiting network access to those resources required by a specific individual or group. Using firewalls and other network devices, network teams architect boundaries between networks that require additional levels of authentication and authorization to cross. This is especially crucial for high-security environments, such as systems that process credit card transactions. Operating a large, “flat” network that lacks segmentation is asking for trouble.

Carefully Vet Potential Vendors

Vendors require careful screening, especially when they will have access to information systems. It’s the business’s responsibility to ensure that vendors exercise at least the same level of security control that it expects from internal staff and resources with similar access.

It may be necessary to supplement the vendor’s security controls with some of the business’s own. For example, if the large retailer had required that vendors implement multifactor authentication for all remote network access, that might have prevented the 2013 attack from succeeding.

Make sure to follow the supply chain as deep as it goes. If a vendor uses subcontractors, they should be subject to the same security vetting and control as the primary vendor. Along the same lines, employees of vendors and subcontractors should undergo the same background checks as the organization’s own similarly situated employees.

Validate Compliance Obligations

Most organizations today work under at least one regulatory regime. In the case of credit card processing activities, the Payment Card Industry Data Security Standard (PCI DSS) has specific requirements for service provider certification.

As a business enters relationships with new vendors, it should carefully document the systems and information that the vendors might encounter during the course of the relationship. If that access involves regulated information, be sure to clear all of the compliance hurdles before granting access.

Retain and Exercise Audit Rights

Technology environments change constantly. Organizations add new systems, modify the configurations of existing solutions and redesign business processes to meet changing requirements. Internally, cybersecurity teams routinely conduct top-to-bottom assessments of the organization’s security posture to identify gaps that might have been created by those changes.

Organizations should adopt the same approach to existing vendor relationships by including a right to audit operations in vendor agreements and periodically exercising that right in some manner.

Businesses may choose to directly perform these assessments, but this can quickly become burdensome as the number of vendor relationships scale. Vendors may also bristle at the notion of undergoing separate audits by a large number of their customers.

For this reason, many organizations choose to include contract language that requires the vendor to engage with a reputable, independent auditor to conduct an annual cybersecurity review and then share the results of that review with all of its customers.

Put Everything in Writing

Strong working relationships between customers and vendors are wonderful, but when it comes to cybersecurity practices, documentation is paramount. Take the time to make sure that vendor contracts and service-level agreements clearly spell out the cybersecurity responsibilities of both parties. These provisions should include the security controls that the vendor must implement, the auditing and assessment procedures, and a requirement that the vendor promptly notify the customer of any potential security breach.

As businesses continue to engage a wider array of vendors, managing those relationships from a cybersecurity perspective becomes increasingly important. Take the time to conduct an inventory of existing relationships and create procedures that structure the cybersecurity onboarding of all new vendors.

Yumi mini/Getty Images