In 2021, there were a number of major supply chain attacks that crippled multiple companies. Think back to the Kaseya attack in July, or, even before that, the SolarWinds attack that came to light in December 2020. In October 2021, Broward Health in Florida was compromised through a third-party supply chain vulnerability.
For many CEOs, Kaseya or SolarWinds might not be familiar names, since many of the companies that use these companies’ services are managed service providers (MSPs) that provide IT support. An MSP, for example, uses Kaseya to manage their client’s computers and you, the CEO, might not even know your MSP was compromised.
A supply chain attack allows the cybercriminals to maximize the damage they cause by attacking not just one or two victims but one company that has connections to hundreds of other companies.
The technical details of the Kaeysa attack can be found here, Kaseya Patches Imminent After Zero-Day Exploits, but the important thing to remember is to know who your suppliers are and what kind of access they have to your data and your networks.
Think about the various vendors you use to keep your company running.
Do you have a payroll provider? If so, you will want to assess the maturity of their security program. You can do that by examining the results of an independent audit, such as a SOC Type II report, to see how they are protecting your data.
Do you have vendor partners who have access to your company network? If so, you want to review how they protect their networks from cybercriminals so that if they are attacked, you don’t become a victim as well.
Do you use an MSP to help you manage your computers? If so, you also want to understand the measures they take to protect you from cybercriminals.
Do they require multifactor authentication (MFA) to access your network? Do they regularly update their computers and network to prevent attacks by cybercriminals using known vulnerabilities? Are they doing the same types of risk reviews you are with their own third-party service providers and vendors?
There’s a lot to consider when assessing the security of your supply chain. You can take a look at an earlier article I wrote about using the NIST cybersecurity framework to get more secure as a starting point.