In 2022 Supply Chain Security Needs to Be Top of Mind

As we begin a new year, it’s time to reflect on the strengths and weaknesses of our cybersecurity posture. Now more than ever, it’s important to look at the big picture. The recent Log4j exploit serves as a reminder that supply chain security planning is a gap in many cybersecurity programs and one that requires increasing attention from executive teams. Why? The Log4j vulnerability is used in technology supply chain attacks — where criminals leverage a weakness in a technology supplier to access and breach any customer using a vulnerable product/service. A staggering number of organizations, systems, and services are vulnerable to this exploit. Organizations such as SAP, Apple, Tesla, VMWare, Cisco, and many others scrambled (and are still scrambling — IBM is posting an almost daily list as they confirm which of their products are or are not impacted) to patch their software and roll out patches to fix vulnerabilities in their products.

This Log4j exploit is especially concerning since it is a commonly used Java-based logging library that is incorporated into many software programs — you may not even know if the products or software you use are impacted unless your supplier or partner tells you. With criminals leveraging exploits like this to worm their way into every integrated partner and connected environment in a supply chain, one breached partner can result in criminals breaching hundreds or thousands of environments.

The FTC Just Upped the Ante on Supply Chain Security

The consequences from supplier exploits just increased with the FTC’s recent warning that organizations must take reasonable steps to secure customer data from Log4j and other known vulnerabilities or face potential legal action. In today’s digital world where every organization uses myriad software programs, web apps, and cloud platforms — and may even directly integrate with partners’ systems — partners and vendors are a crucial part of every organization’s cybersecurity.

Reduce Your Supply Chain Security Risks

Due to the interconnected nature of the supply chain, we all have to work together to reduce supply chain risks. So how can we all limit our exposure?

• Start with an inventory of what partners have access to your environment and the software and/or systems your organization uses. You can’t secure your environment until you understand your exposure.
• Limit access. You can cut down on your work and your supply chain security risks by limiting suppliers’ access to your IT resources and sensitive data. Often, suppliers have more access than they really need and consequently pose more risk to your organization than necessary. Conduct a review of supplier access at least annually, and limit access to the minimum necessary for them to get the job done.
• Establish clear, documented standards for your own organization and your suppliers. Common frameworks such as ISO27001 or the NIST Cybersecurity Framework are excellent starting points for establishing baseline standards. You can also download this supply chain security checklist to help provide a framework for your program.
• Delegate cybersecurity requirements to vendors in your contracts to ensure mutual understanding and commitment. Also, when necessary, document requests for improvements and set a deadline. Make it a contractual requirement that all your vendors and partners provide you with timely notice if they are impacted by a breach or a major exploit.
• Vet your vendors routinely, both during the new vendor selection process and at regular intervals. Ask your suppliers/prospective suppliers about their security and ensure that they meet your standards.
• Ensure that your suppliers are actively vetting their supply chain (fourth- and even fifth-party risks are real and have led to many data breaches and cybersecurity incidents). The NIST Cybersecurity Framework includes a subsection for supply chain risk management (ID.SC); suppliers that use this as their controls framework will have a good foundation for implementing their own vetting programs.
• Involve key suppliers in your response planning. Establish a strong understanding of the cybersecurity processes for each of your key suppliers and create joint action plans in case of an exploit or incident. This process can identify and close potential gaps, as well as provide a framework that speeds response in case there is an incident (you could even involve them in your tabletop incident response exercises).
• Get vendor buy-in on standard software vulnerability management processes, such as critical software patches. As criminals target supply chain weaknesses, limit your exposure with a strong patch and update management program. Quickly applying security updates can decrease your risk of supply chain software breaches.

Successful Vendor Vetting, One Step at a Time

Vetting your vendors can seem like a daunting challenge, but by taking an efficient, methodical approach you can make it manageable. Whether you conduct vendor vetting in-house, outsource it, or automate it with the support of software programs, this is a crucial part of reducing your risks. Remember: aim for progress, not perfection. Focus on documenting your processes, creating templates, and establishing more consistent vendor security review routines. Here are a few key tips for breaking the problem down into manageable pieces:

• Assign responsibility for vendor vetting to one individual or team. Ensure that there is a point person or team responsible for documenting, overseeing internal and external communications, reviewing responses, and determining next steps for your program.
• Prioritize vetting your suppliers based on their access to your sensitive data and/or network resources. Identify suppliers that store or process sensitive data on your behalf or have a high degree of access to your IT resources. Focus on vetting these organizations first.
• Establish a standard cybersecurity questionnaire. This will streamline your process and ensure you get the information you need to make informed risk decisions.
• Set a clear timetable for vendor reviews and responses. Remember, it’s not enough to review a supplier once — you need to regularly check your supplier’s risk profile, especially since the cybersecurity threat landscape is constantly changing.
• Give your suppliers a deadline for notification and response so that you can coordinate your own response and public relations efforts. Ensure that your responsible person/team tracks and follows up with all notifications.
• Request third-party security assessments. If you’re pressed for time or resources, some suppliers already undergo their own third-party security assessments. This is particularly true of suppliers that support customers in highly regulated industries, such as healthcare or financial services. Proactively ask to see summaries or evidence of annual cybersecurity reports, such as penetration testing results, risk assessments, SOC-2 assessments, etc. If the supplier cannot or will not provide a report, or at least a summary/letter of attestation, consider that a red flag.
• When a major exploit is announced (like Log4j), proactively check with your high-priority vendors to ensure they are applying the appropriate updates. Read this article on patch management for more details and advice.

We hope you found these tips helpful to start or grow your supply chain security program. With supply chain attacks offering the opportunity to breach numerous environments, criminals will continue to seek and exploit this method of attack. If we all work together, we can strengthen our collective cybersecurity posture in 2022.