The supply chain cyberattack conundrum: secure consolidation or single point of failure?

When CTS, a managed service provider aimed squarely and uniquely at the legal sector, suffered a cyberattack last month, it was far from the only victim. As recently as 6 December, The Law Society reported that some law firms couldn’t access case management systems. Conveyancers couldn’t complete transactions, and clients couldn’t complete property deals.

This CTS incident, and the supply chain attack that took down more than 60 credit unions across the US last week, expose a particular problem for security teams: how do you secure your suppliers?

Diversifying suppliers

James Watts, Managing Director at Databarracks, argues that the CTS attack highlights the dangers of relying on a single supplier for your critical IT services, even when, as in the case of CTS, that managed service provider (MSP) comes with an excellent reputation, as its widespread use within the legal sector illustrates.

“MSPs are attractive targets for attacks because a single breach can disrupt hundreds of its customers,” said Watts. “This demonstrates that even solid organisations with a commitment to cybersecurity are not immune to attacks.”

The problem is that any single point of failure represents a weakness in an organisation. But, more often than not, a mix of convenience and cost rules the decision-making roost.

“When you keep all your eggs in one basket, and that supplier suffers a cyberattack or prolonged outage, your business is severely impacted,” adds Watts, who recommends a multi-vendor approach wherever possible as a golden rule of security. After all, you already apply this rule to data storage, so why not to data security?

“In the world of supplier risk management, this is fundamental,” Watts concludes. “You diversify your supply chain to stop the failure of any single supplier preventing you from delivering for your customers.”

Delivering this can be as simple as air-gapping people, processes and technology: for example, by using distinct suppliers for production and for resilience (backup and recovery), so that a compromise of one cannot take down the other.

What caused the supply chain cyberattacks?

Although it’s yet to be confirmed, reports indicate that the CitrixBleed vulnerability could have opened the doors for the attackers.

Ransomware group LockBit has been particularly associated with this initial access methodology. According to the November BlackFog State of Ransomware report, there were 89 publicly disclosed ransomware attacks that month. This represents the biggest number since the report started in 2020 and a 112% increase over the November 2022 numbers.

Who was behind the majority of these? LockBit and BlackCat.

“No sector can ignore the risk any longer and must establish adequate policies and procedures to mandate minimum protections for any business they work with in the supply chain,” says Darren Williams, CEO at BlackFog, predicting that the upwards trend will likely continue into 2024.

Ultimately, responsibility for security within your organisation must also extend beyond it. This means visibility over the supply chain must be part of your security posture.

While you can’t do their jobs for them when it comes to security, you can, and should, contractually require suppliers to meet specific security standards. At the very least, I suggest the NCSC Cyber Essentials or Cyber Essentials Plus certification.

Just as importantly, mandate regular checks that these standards are being met. If your supplier can’t or won’t agree, then look elsewhere. If your MSP can’t or won’t, run like the clappers…

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
