The supply chain cyberattack conundrum: secure consolidation or single point of failure?
When CTS, a managed service provider aimed squarely and uniquely at the legal sector, suffered a cyberattack last month, it was far from the only victim. As recently as 6 December, The Law Society reported that some law firms couldn’t access case management systems. Conveyancers couldn’t complete transactions, and clients couldn’t complete property deals.
This CTS incident, and the supply chain attack that took down more than 60 credit unions across the US last week, expose a particular problem for security teams: how do you secure your suppliers?
Diversifying suppliers
James Watts, Managing Director at Databarracks, argues that the CTS attack highlights the dangers of relying on a single supplier for your critical IT services. That holds even when, as in the case of CTS, the managed service provider (MSP) comes with an excellent reputation, as its widespread use within the legal sector illustrates.
“MSPs are attractive targets for attacks because a single breach can disrupt hundreds of its customers,” said Watts. “This demonstrates that even solid organisations with a commitment to cybersecurity are not immune to attacks.”
The problem is that any single point of failure represents a weakness in an organisation. But, more often than not, a mix of convenience and cost rules the decision-making roost.
“When you keep all your eggs in one basket, and that supplier suffers a cyberattack or prolonged outage, your business is severely impacted,” adds Watts, who recommends a multi-vendor approach wherever possible as a security golden rule. After all, this rule is already applied to data storage, so why not to data security?
“In the world of supplier risk management, this is fundamental,” Watts concludes. “You diversify your supply chain to stop the failure of any single supplier preventing you from delivering for your customers.”
Delivering this can be as simple as air-gapping people, processes and technology by having distinct suppliers for production and resilience, for example.
What caused the supply chain cyberattacks?
Although it’s yet to be confirmed, reports indicate that the CitrixBleed vulnerability could have opened the doors for the attackers.
Ransomware group LockBit has been particularly associated with this initial access methodology. According to the November BlackFog State of Ransomware report, there were 89 publicly disclosed ransomware attacks that month. This represents the biggest number since the report started in 2020 and a 112% increase over the November 2022 numbers.
Who was behind the majority of these? LockBit and BlackCat.
“No sector can ignore the risk any longer and must establish adequate policies and procedures to mandate minimum protections for any business they work with in the supply chain,” says Darren Williams, CEO at BlackFog, predicting that the upwards trend will likely continue into 2024.
Ultimately, responsibility for security within your organisation must also extend beyond it. This means visibility over the supply chain must be included in your security posture.
While you can’t do their jobs for them when it comes to security, you can, and should, contractually require suppliers to meet specific security standards. At the very least, I suggest the NCSC Cyber Essentials/Cyber Essentials Plus certification.
Just as importantly, mandate regular checks that these standards are being met. If your supplier can’t or won’t agree, then look elsewhere. If your MSP can’t or won’t, run like the clappers…