Is Your Supply Chain Secure? - Security Boulevard

Is Your Supply Chain Secure?

In 2021, there were a number of major supply chain attacks that crippled multiple companies. Think back to the Kaseya attack in July, or, even before that, the SolarWinds attack that came to light in December 2020. In October 2021, Broward Health in Florida was compromised through a third-party supply chain vulnerability.

For many CEOs, Kaseya or SolarWinds might not be familiar names, since many of the companies that use these companies’ services are managed service providers (MSPs) that provide IT support. An MSP, for example, uses Kaseya to manage their client’s computers and you, the CEO, might not even know your MSP was compromised.

A supply chain attack allows the cybercriminals to maximize the damage they cause by attacking not just one or two victims but one company that has connections to hundreds of other companies.

The technical details of the Kaeysa attack can be found here, Kaseya Patches Imminent After Zero-Day Exploits, but the important thing to remember is to know who your suppliers are and what kind of access they have to your data and your networks.

Think about the various vendors you use to keep your company running.

Do you have a payroll provider? If so, you will want to assess the maturity of their security program. You can do that by examining the results of an independent audit, such as a SOC Type II report, to see how they are protecting your data.

Do you have vendor partners who have access to your company network? If so, you want to review how they protect their networks from cybercriminals so that if they are attacked, you don’t become a victim as well.

Do you use an MSP to help you manage your computers? If so, you also want to understand the measures they take to protect you from cybercriminals.

Do they require multifactor authentication (MFA) to access your network? Do they regularly update their computers and network to prevent attacks by cybercriminals using known vulnerabilities? Are they doing the same types of risk reviews you are with their own third-party service providers and vendors?

There’s a lot to consider when assessing the security of your supply chain. You can take a look at an earlier article I wrote about using the NIST cybersecurity framework to get more secure as a starting point.

Can you Become Ransomware-Proof? – Security Boulevard

Featured eBook
The State of Cloud Native Security 2020

The State of Cloud Native Security 2020

The first annual State of Cloud Native Security report examines the practices, tools and technologies innovative companies are using to manage cloud environments and drive cloud native development. Based on a survey of 3,000 cloud architecture, InfoSec and DevOps professionals across five countries, the report surfaces insights from a proprietary set of well-analyzed data. This ... Read More
Palo Alto Networks

John Bruggeman

I am a veteran technologist, former CTO and CISO, with nearly 30 years of experience building and running enterprise IT. I have developed and supported information security programs, helping them mature and succeed by using industry standards like ISO27K and NIST CSF.

I am very familiar with regulatory compliance requirements from PCI-DSS, HIPAA, FERPA, A133 to privacy related requirements like GDPR and CCPA. I earned several GIAC certifications (GSEC, GCIH and GCWN) and I am active in the local information security community, through groups like Infragard and the Higher Education Security Council for EDUCAUSE.

Connect on LinkedIn

Visit CBTS Security website

john-bruggeman has 6 posts and counting.See all posts by john-bruggeman