Does Your Supply Chain Have a Nasty Surprise for You?
This blog was originally published by Avanade here.
Written by Rajiv Sagar, Avanade.
Only 14% of Japanese business and IT executives know how well their partners and suppliers are enhancing their own cybersecurity—and that’s less than half the global average of 29%, according to research from Accenture.
What Japanese business executives don’t know about their suppliers’ cybersecurity status could have dire consequences for their own companies. About 70% of businesses are particularly vulnerable to cyberattacks through their supply chains, according to Accenture. The SolarWinds attack wasn’t aimed just at the U.S. government; it was among the largest supply chain-related attacks ever, affecting 18,000 companies and agencies across the Americas, Europe, and the Middle East.
In Japan, the 2019 data breach at Mitsubishi Electric was perpetrated through a vulnerability that originated with the company’s antivirus supplier. In the U.S. that same year, the Target breach began with an attack on one of the retailer’s heating and air conditioning suppliers, and culminated in the theft of credit card data on 110 million of Target’s customers.
It only takes one third party provider
What makes supply-chain attacks so insidious is that—while you’ve hardened your perimeter against direct hacks—bad actors steal the “keys” you’ve given to your partners or providers in the form of authorized credentials and boldly “walk in the front door” of your IT infrastructure. The real breach happens somewhere over which you have no control and no responsibility but, like your neighbor’s tree crashing down through your own roof, you may get the worst of the damage.
During the height of the Cold War between the U.S. and the Soviet Union, Washington’s catch-phrase was “trust but verify.” Against today’s supply-chain cyberthreats, even that policy is too lenient. You need a Zero Trust mindset and vision, centered on the belief that you shouldn’t automatically trust anything—inside or outside your perimeter. Everything must be verified before granting trust in the form of access to your systems. The identity of every individual, admin account, application, bot, and process must be validated and managed through robust governance.
Three principles to guide you
Supply-chain cybersecurity and Zero Trust aren’t just concepts we advise our clients about. Because we provide comprehensive managed services, we’re a supplier too and we practice what we preach in order to help keep our clients’ environments safe. To help keep your assets and the assets of your customers and clients safe, consider a Zero Trust policy. That means different things to different people; here’s the Microsoft approach, which we use:
- Verify explicitly. This means authenticating using all available data points for every request for access. Your procurement team members may seem safe to trust, but is a new request for payment coming from an unusual location, perhaps out of the country? Or at an unusual time? Verify before granting trust.
- Use least-privileged access. Once you verify a request, grant the least-privileged access needed for the business purpose—only for a highly limited time period, only for relevant systems, and so on. Catching an infiltration at its point of impact can reduce its spread in your environment.
- Assume a breach. Given the pervasiveness of cyberattacks, it’s likely true that you’ve either suffered a compromise or are compromised now but don’t know it. You’re in a long war with bad actors and you need to bring together your people, processes, and technologies to fight it. Cultural change, governance, and new technologies are all crucial components in this fight.
Five ways to get started
Of course, implementing these pillars is easier said than done. Focus on these five ways to turn the tide in your favor; they’re the security aspects we always raise with clients:
- Secure identities—Whether they represent people, services, or IoT devices, you should apply the verification and least-privileged access principles mentioned earlier to all the identities in your environment.
- Secure endpoints—You have more endpoints than ever—including IoT devices, phones, BYOD devices, cloud-hosted servers and more. Monitor and enforce health and compliance across them all.
- Secure applications—Your data you seek to protect is consumed via an array of applications and APIs, including legacy code, IaaS workloads, SaaS applications and more. Use code scans, controls, and real-time analytics to monitor and control abnormal behavior.
- Secure data—Ultimately, data is what you seek to protect. Classify, label, and encrypt your data; restrict access based on those attributes. Work to promote security even after data leaves the devices you control.
- Secure managed services—You likely leave one “door” open to your IT environment: the “door” for the managed services provider that keeps your environment operating effectively and securely. You need to confirm provider has all appropriate safeguards in place and that your trust in the provider is well-earned.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.