Reduce Your Risk: Supply Chain Attacks and the Rise of Ransomware

This blog was originally published by OneTrust here.

Organizations are at risk of an attack on one of their vendors that may impact their day-to-day operations. Citing a recent major breach in the information technology industry as an example, it’s clear that by using ransomware hackers, malicious actors can assault operations, ultimately affecting any organizations that use the IT Management Software. The attack affected roughly 1,500 customers and showcased that if you do not have a supply chain resistant to ransomware, you could be leaving your organization open to risk.

Learn more through our webinar: Supply Chain Attacks: The Rise of Ransomware and How to Reduce Your Risk

Ransomware Popularity and The Third-Party Risk Impact

As the new trend in ransomware attacks against critical infrastructure rises, companies across the globe are looking to improve their supply chain visibility and overall security processes. Bad actors are targeting countries’ essential goods and services (e.g., the recent major attack on the oil and gas industry) because their criticality to daily life creates a more urgent requirement to pay the ransom, showcasing supply chain vulnerabilities for both corporations and governments.

While ransomware is becoming increasingly common, it’s also happening on a larger scale. The cases we’re seeing are increasing in success, and as more attacks gain the attention of the media, hackers are realizing that they can extort companies with a large customer base to maximize the impact of their attacks. This, paired with the scale of many organizations’ vendor ecosystems, poses an enormous emphasis on preventing supply chain attacks through third-party risk management.

Third-Party Risk Management Can Identify Risky Vendors

Organizations must ensure the suppliers they work with have suitable measures in place to both prevent ransomware and respond quickly if they fall victim to an attack. This is done by implementing a third-party risk management program operationalized to provide visibility into potential risks, enabling teams to prepare for a potential attack. For example, a third party who cannot provide evidence of a strong security program with appropriate policies and controls may be more susceptible to a ransomware attack.

Organizations should consider the level of risk of a supplier going offline for an extended period as a result of the recent increase in ransomware activity. Can your organization survive if a key supplier or partner is taken offline? Or, do you need additional redundancy or secondary processes to get the organization through such an event?

The Third-Party Risk Management Lifecycle and Supply Chain Risk

The third-party risk management lifecycle is how a vendor relationship progresses over time. Understanding this lifecycle is the first step to implementing a program that will enable your team to prepare for and prevent ransomware attacks. Here are the stages of the cycle to focus on to gain insight into your third parties and the risks that they pose:

1. Third-party identification
2. Evaluation & selection
3. Risk assessment
4. Risk mitigation
5. Contracting and procurement
6. Reporting and recordkeeping
7. Ongoing monitoring
8. Vendor offboarding

Each of the above steps is critical to empowering your team to find potential supply chain gaps, allowing them to address them head-on or put a plan in place in the event an attack occurs due to the gap in question.

Don’t forget to assess the maturity of your 4th parties. If the risk management stops at the first link in the supply chain, then the overall risk of an event can still be high. You want to ensure that your vendors are assessing their vendors and the risk of downstream issues as they will impact your organization.