Build resilience in a world of weaponized trust

The escalating attacks against the digital supply chain have largely targeted third-party vendors and suppliers.
While it’s not a new trend, it demonstrates that threat actors have learned how to weaponize trust in the company’s partners, even including security partners. Every organization entrusts critical data to multiple layers of vendors, so security leaders must learn how to solve the growing challenge of third-party risk.

The SolarWinds, Kaseya, and Log4J attacks illustrate the far-reaching implications of a compromised supply chain, particularly in security vendors. While those attacks were wake-up calls, organizations have not fully accounted for them when considering supply chain vulnerabilities. CISOs need to prepare for the growing weaponization of trust.

Due diligence in a complex supply chain

The 2022 World Economic Forum (WEF) report found that attacks on digital supply chains impacted 40% of surveyed organizations in the past two years, while 88% of organizations complained about the resilience of their small and medium-sized vendors. These attacks are costly—IBM Security’s Cost of a Data Breach Report shows that supply chain compromises cost an average of $4.46 million, 2.5% more than the $4.3 million average of all data breaches.

Today, application programming interfaces (APIs) are also of special concern because many technology teams rely on them heavily, but do not integrate and manage them securely. Salt Security research shows that about a quarter of surveyed organizations use twice as many APIs as they did the previous year, and 95% of surveyed organizations had an API-related security incident in the past 12 months while API attack traffic grew by 681%.

Board members, executive team members and CISOs must scrutinize their partners as part of routine due diligence. They understand they have much work to do: 54% of business leaders and 61% of cyber leaders believe third-party partners directly connected to them are less resilient than their own organizations, according to another WEF survey.

The complexity of the multiple layers of vendors and suppliers limits visibility. Let’s say an organization entrusts a specific partner to process its customers’ personally identifiable information (PII), and has done its due diligence to assess that partner’s security posture. The partner relies on another vendor, which has its own vendors, and so forth. It’s the organization’s responsibility to ensure data privacy and security, but with the dispersion of the PII flowing through a third, fourth, or fifth party, how can the CISO possibly know that every partner down the chain has conducted due diligence with the same rigor?

In most situations, CISOs do not have true visibility into the security practices of providers, relying instead on those third parties to complete lengthy questionnaires. Independent certifications, such as ISO 27001 or SOC 2, give some reassurance, but they only measure specific performance areas, offering only a partial view of the vendor’s security posture.

As cybersecurity professionals, we know these issues are an industrywide problem. But so do our adversaries, and that’s why they make it a point to exploit the weaknesses in partner trust.

Reduce risk via vendor consolidation

To help reduce the third-party risk inherent in reliance on security suppliers, many organizations are consolidating their vendors, improving visibility, operational efficiency, and effectiveness. CISOs are building stronger relationships with their A-list vendors and have fewer solutions for their team to manage and learn.

While vendor consolidation has many benefits, relying heavily on any one partner has its own set of risks. A disruption at that provider has big implications for the security operations of partners. To mitigate this risk, organizations need to boost their resilience across vital systems and processes.

Critical resources, the crown jewels, need a much higher level of protection. When consolidating vendors, CISOs cannot rely only on those platforms to protect sensitive data. Rather, they must assess their environment to ensure that they protect all aspects of the company’s sensitive data. This includes a review of their own internal systems and processes.

Adversaries continue to display endless creativity for getting inside targeted organizations. Take the latest wave of attacks on identity and access management technologies, such as multi-factor authenticators and password managers. Threat actors have learned how to deal with enhanced authentication practices, making the supply chain their attack vector once again.

These trends tell us the weaponization of trust will escalate and become a common tactic. Security leaders need to assess their third-party relationships and think through the areas that require more security layers. While it’s not easy to resolve supply chain security, by boosting their resilience, organizations can more effectively protect against the inevitable attacks.



Lucia Milică Stacy, Global Resident CISO, Proofpoint.
