Skip to main content
Need help with a cyber incident now?
Call 24/7: +31 88-2747800

What risks do your supply chain partners pose?

By 27 June 2024 Blog
Hoe gevaarlijk zijn úw ketenpartners? Een aanval op uw bedrijf via ketenpartners. Dat klinkt misschien vreemd, maar deze aanvalsstrategie wordt steeds vaker gebruikt. Wanneer een organisatie zelf niet direct kwetsbaar is, dan wordt er geprobeerd om binnen te komen via de zwakste schakel. In dit artikel kunt u lezen welke gevaren een bedrijf kan lopen wanneer een aanval als deze via ketenpartners plaatsvindt. What risks do your supply chain partners pose? An attack on your business through supply chain partners. It may sound strange, but this attack strategy is becoming more common. When an organization itself is not directly vulnerable, an attempt is made to get in through the weakest link. In this article, you can read about the dangers that a company can face when an attack like this occurs through supply chain partners .

Attacks on organizations by cybercriminals are increasingly often deployed through supply chain partners. This way of attacking is not a recent cyber threat, but it is one that is being used more and more. If an organization is not directly vulnerable itself, it will be attempted to enter the organization through the weakest link, which could be your supply chain partner! Even big companies with well-organized cybersecurity, could be hit. What dangers does your company face? And how can you manage them?

It pops up immediately if you enter ‘SolarWinds’ into Google: “Trusted by Over 150K Worldwide.” Trust is what our economy runs on, but sometimes it can lead to big blunders.

And precisely SolarWinds, which supplies software for monitoring server parks, is a harrowing example of such. Immediately after the company released a new update, it was installed by all of those thousands of customers: American federal departments, secret services, armed forces, most Fortune 500 companies, financial institutions, NASA, Microsoft, Intel, Cisco … and so on. But together with this update, malware entered, which allowed hackers to look around in the affected organizations.

All of those companies will have had extensive security programs against cyberattacks. But for SolarWind’s update, a trusted partner, they left the back door right open.

Because of this, we will take a look at the IT dangers your company might face through the supply chain partners in this blog. Plus how to deal with that as an executive, especially seeing as you can be held personally responsible in specific cases when NIS 2 has gone into effect.

Danger 1: the vendor does not do what he says

A true story: a company had outsourced its IT to a specialized service provider. In the contract, it was also laid down that at certain times, backups would be made of the company’s data. But someone at the service provider had forgotten to turn that on.

Two years later the company was hit by a ransomware attack. People remained calm because there were backups, right? But that peace of mind did not last long …

Advice: check whether everything that is agreed upon is actually being done! So, request service level reports, and confirm the contents by also requesting the supporting evidence. Agree with the vendor that recovery tests are being performed, and actively check the recovered data for readability and correctness. Don’t just do that once, but at set times. It is your responsibility to organize this. 

Danger 2: unknown users on your network

Systems for air conditioning, entrance gates and video surveillance are outsourced increasingly often. That provides advantages, but also brings risks. Remember, you are not the only one outsourcing services.

Maybe you purchase the air conditioning from company 1, which outsources maintenance to company 2, which in turn sources employees from company 3. Those are the people setting up your air conditioning with access to your network. Do you know who you are bringing into your company? And whether they work safely?

Employees at Uber could tell you more about this: a hacker acquired the password which gave a vendor access to various systems on Uber’s network, such as the dashboard used to track and report IT vulnerabilities …

Advice: make sure that you know who can access your data. Ask for the names of persons for whom access is absolutely necessary, demand that they are screened, and only provide access to these persons at times when it is actually needed. In addition, it is advised to monitor these accounts. Make certain that those companies have taken the right measures to prevent problems. Also restrict access (if possible) after the necessary work has been done. All of this should be described in a contract with your (main) contractor.

Danger 3: risky components in your products

The supply chains in production processes keep growing. Take the chips being used in more and more products. Chip suppliers are having their products made elsewhere, and other companies are employed for the software. If one company in that supply chain introduces vulnerabilities, it affects the end product.

The risk is even bigger with software than hardware: the SolarWinds hack falls under this category, but what could also happen is an IT service provider embedding a malicious update from a software developer in its own product and releases it to its customers. Examples in this category just keep coming. Besides that, the number of OT and IoT devices connected to networks is increasing, increasing the risk of an incident taking place.

Advice: know your partners, and check them, just like with the second danger. And test your products again and again, and extensively. Require your vendors to put the right requirements in place for their own vendors. 

Danger 4: outdated custom software

Are your company’s systems still being renewed? A lot of systems date from the nineties, when consistent attention to security was not a thing. Especially in manufacturing environments there are examples of custom software that is several years old, and cannot be updated anymore. In other cases the vendor might not exist anymore, or asks extortionate amounts to update the system’s security. In the end, changing vendors is even more expensive or requires big changes in business processes. And the system works though, right?

Old software does not have to be a disaster. Old POS systems can all be put onto a separated network which no one can access, with a single, heavily secured connection to the rest of the company. You can minimize the risk like this – but a lot of companies are unaware of the risk and leave the door wide open.

Advice: make sure that you know the weak spots in your company’s systems, both on the office side as well as in production. Hide them as well as you can, until you are actually able to replace these systems.

Business continuity

The advice given above comes down to the same every time: make sure that you know your supply chain partners’ risks, and try to minimize them. That is nothing new. It is also part of ISO 27001, for example. In the finance industry, supply chain management has been one of four biggest priorities for years, and now in NIS 2, too, supply chain management specifically is listed as an important consideration.

And yet … audits often show that companies are falling short. Contracts with supply chain partners are old, never updated, and in the worst case no one knows where they are. Has confidentiality with regard to sensitive data been confirmed? Are people notified in the event of a data breach at a vendor? No agreements have been made about that. Are vendors’ services monitored, and are vendors called upon if the services they are delivering are faulty or underperforming? Have vendors been given 24/7 access and accounts with high privileges, just to perform maintenance work? No idea.

Generally, the procurement department considers the aspects of importance to the primary business processes, such as price and quality, when it enters into contracts. But what does it cost your company when it is shut down for weeks by a ransomware attack? Or when your clients are damaged by a harmful component in your product?

Those are business continuity matters. And thus, the board’s matters. Because the buck stops here.