The SolarWinds breach – managing supply chain risk effectively
Blog: Capgemini CTO Blog
It has been a bad end to a rough year, and I am not just talking about the new Coronavirus strain currently making its way around the world. A hack at a prominent cybersecurity firm has highlighted the challenges organizations face in securing their business ecosystem of customers and suppliers, and it comes on top of the disruption cybersecurity teams already face as the organization's perimeter extends into their employees' home offices.
Why is the SolarWinds hack a concern?
Recognized by analysts as a leader in the industry, SolarWinds is an outstanding provider of network performance monitoring and diagnostics tools. Orion, their flagship product, was compromised: a backdoor was inserted into the application, enabling the attackers to gain privileged access to the networks where Orion is installed. This is called a supply chain attack: the compromised vendor is the vector, and the intended targets are that vendor's users and customers.
Being in control of a network monitoring system is like having the keys to the kingdom. These tools typically have privileged access not only to your organization's data but also to your customers' sensitive data and information. The fallout of the SolarWinds hack has included several high-profile victims, including federal agencies, tech companies, hospitals, and universities.
How do you protect your organization?
Firstly, I highly recommend reading the security advisory from SolarWinds to understand what went wrong and how to secure your organization.
The key takeaway from this incident is the need for an immediate review and reassessment of your supply chain for cyber risks. Start with the basics: create an inventory of your suppliers and service providers, reassess their risk profile, and craft a risk management program aligned to that risk profile.
Most third-party risk management programs focus on the risk to a supplier's services, especially when delivering products to customers. However, other risk factors, such as cyber threats, privacy risks, etc., should also be considered. For example, a former employee from the IT department who continues to provide critical technical support may not feature in the typical list of third parties assessed as part of the risk management program. Likewise, an attorney's office handling a high-profile acquisition, or the logistics service provider that has been given customer data for shipping Christmas gifts, may not be included in any risk assessment.
Each of these examples is a potential avenue for cyber-attack, with consequences ranging from minor inconveniences to regulatory fines. This means it is vital to look at every third party that forms a part of your service delivery.
The need for supply chain risk readiness
The American Institute of Certified Public Accountants (AICPA) recently launched System and Organization Controls (SOC) for Supply Chain, a new risk reporting framework that helps manufacturers, producers, distribution companies, and their customers and business partners identify, assess, and address supply chain risks, while underscoring the need for a holistic supply chain risk management approach.
The International Organization for Standardization (ISO) has also released a four-part standard, "Information Security for Supplier Relationships," that examines ways to help ensure you are protected against potential threats. Part 3, in particular, focuses on guidelines for information and communication technology (ICT) supply chain security.
Make it a safe and secure 2021
As the New Year begins, make a resolution to reassess your supplier risk management program. This will ensure that you are better prepared to handle any challenges that may arise from your third parties.
To find out how Capgemini’s third-party risk management services can help your organization stay on top of information risks from the supply chain, contact Geetha Jayaraman.
Geetha Jayaraman helps organizations leverage their use of technology by managing risks to achieve organizational objectives. She uses her experience to facilitate the digital transformation of organizations through the adoption of the right technology solutions. As an expert in cybersecurity, Geetha has guided many organizations in balancing risk with the adoption of technologies. Prior to her current role in Information Risk Assurance at Capgemini, she worked with several large technology service providers to bridge business objectives with ICT solutions.