3rd Party Vendors: You're Only As Secure As Your Weakest Link

A company is only as secure as its weakest link. But what if the weakest link isn't at the company at all, but rather one of its third-party vendors? A company can reinforce its own security posture by training its staff and implementing the latest tech, but it still has to provide access and share information with its suppliers, and its suppliers’ suppliers, and so on along the chain. With each degree of separation, the company has less control over its suppliers’ security – especially small suppliers lacking security controls. But when there is a data breach, no matter how far along in the supply chain (e.g. even if it's your vendor's vendor's vendor), you yourself bear the consequences.

This was the case with Target in 2015, that suffered a massive data breach when malicious actors got into Target's system via one of its suppliers, a mom-and-pop HVAC cleaner. The financial impact to Target and its customers was high, the reputation impact even higher. More recently it was the case when the US Treasury Board was compromised via its supplier, SolarWinds.

Third party vendor attacks are not rare events.  Since 2017 working for several IT security companies I would venture that 1 out of every 3 data breaches I have read about came down to a security breach via a less well-guarded vendor. But don't take my word for it - a survey found that nearly 60% of companies in 2018 were the victim of third-party data breaches, a notable increase over the previous year. More recently, Black Kite tracks a comprehensive list of third party vendor breaches. ​

In this article, let's look at a list of supply-chain attack "greatest hits" over the last few years, as well as some insights into the market opportunity that software companies and IT leaders have if they can solve this yet-unsolved problem. 

Third Party Vendor Security Breaches In Recent Years

One of the biggest third-party vendor security breaches (also called supply-chain breaches) in history is the Target data breach of 2015, where hackers stole 40 million credit cards from Target. The hackers were able to access this data by going through its third-party HVAC supplier. Nobody remembers the HVAC company’s name, but everyone remembers Target. The breach cost Target over $200 million, plus on-going continued reputation damage to this day.

In 2020, the US Treasury Department was compromised by threat group APT29 (Cozy Bear/Russian SVR) via its supplier SolarWinds. The perpetrator used a clever back-door attack to ingest malware into the SolarWinds software updates.​ At the time of writing, the extent of any damage is not known to the public. The reputation damage to SolarWinds however is evident. Weeks after the news broke, SolarWinds had already announced a rebrand, changing its company name entirely. 

The SolarWinds breach highlights that while the weak link can be a small, unsophisticated mom-and-pop HVAC supplier, even very large suppliers like SolarWinds (a $900M IT Services firm with over 3,000 employees) are a risk.

Similarly, Deloitte and Accenture, widely regarded as experts in data protection and both paid handsomely to advise on security, were suppliers who suffered egregious breaches, allowing malicious actors to compromise their clients. Deloitte's blue chip customers' information was stolen. The hacker compromised the firm’s global email server through an administrator’s account that gave them privileged, unrestricted “access to all areas”. Accenture inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers.

Here are some other supply-chain security incidents reported in recent years:

• Quest Diagnostics and LabCorp each confirmed a massive data breach in June 2019. The reason is that they both used the same third-party billing services vendor American Medical Collection Agency (AMCA) which was hacked, with over 20 million patients’ sensitive information breached. Quest and LabCorp now face a variety of breach lawsuits and state investigations, and AMCA filed for bankruptcy over the incident.

 

• DoorDash announced that 4.9 million users had their information stolen due to a third-party service provider.

 

• Walmart exposed personal data of 1.3 million customers due to its supplier, MBM Company Inc., that put the customer data in an Amazon S3 bucket named "walmartsql" that was accessible by the public. Other companies that MBM did business with included Amazon, Sears, Kmart, Target, Overstock and more, leading to suspicions that they may have also exposed those companies' data as well.  

 

• Verizon’s data breach affected six million customer records, caused by Nice Systems, a provider of customer service analytics. Nice put six months of customer service call logs, which included account and personal information, on a public Amazon S3 storage server.

 

• Scottrade Bank acknowledged a data breach that exposed the personal information of 20,000 of its customers because a third party vendor uploaded a file to a server without adequate cybersecurity protections.

 

• Italian bank UniCredit had their accounts hacked through one of their third party vendors that led to the exposure of 400,000 customer loan accounts. 

 

• The Republican National Committee in the United States leaked the personal data of 200 million voters because a small marketing firm it had engaged that was accidentally putting the data on a publicly accessible server.

​

• Health Share of Oregon, the state's largest Medicaid coordinated care organization, exposed personally identifiable information (PII) of 654,362 of its members, including names, addresses, phone numbers, dates of birth, Social Security numbers, and Medicaid ID numbers. The breach did not occur at Health Share of Oregon itself, however. The office of one of its suppliers, GridWords IC, a medical transportation company, was burglarized and a laptop with this data was stolen.

 

• Orsegups Participações, a Brazilian firm describing itself as a leading company in the security sector, leaked more than 25 GB of client and staff data due to a server configuration failure, revealing clients' contract values and staff information. Like the Accenture and Deloitte examples, it is particularly embarrassing when a security services expert is the supplier at fault. 

 
GDPR and CCPA Hold You Responsible For Data Breaches due to Your Suppliers

Companies are now held to higher regulatory standards of data privacy thanks to the widespread enactment of GDPR, CCPA, and other regimes like them. If you are breached and risk a fine due to one of your 3rd party suppliers, you don't pass on the responsibility to them. You are still responsible for the breach of your customers' data. Add this to the already rampant data breaches cited above and large organizations especially find themselves in a pressure cooker. 


Basic Hygiene: Education, Contracts and Auditing
 
At a CIO roundtable I attended, supply-chain security surfaced unanimously as a source of breaches that was important and to which there was no good solution yet. It starts with basic security "hygiene": putting fundamental controls in place, educating your staff, patching your systems - and diligently requiring the same of your suppliers.

Indeed, enterprises are demanding stronger contractual terms with suppliers, in terms of the security they require of their vendors, and the legal and financial consequences of a breach. This transition is occurring at a slow pace however. Large enterprises already have thousands of vendors and are not in a position to easily re-negotiate contractual terms with all of them. It's also a necessary but not sufficient step, as enhanced contractual terms might provide some financial and legal compensation after-the-fact (although even this is highly dependent on the size of the vendor and the jurisdiction in which they would be held accountable), but may not be effective at preventing breaches. And despite any contractual relief, the responsibility of a breach will mainly be borne by the company itself, moreso than the supplier, when you factor in long-standing reputation damage.
 
Finally, just because a supplier is agreeable and willing, that doesn’t mean their data protection controls are up to par. Suppliers are focused on winning your business, not protecting your IP. Security audits of a supplier are costly, and even if they are theoretically meeting industry standards, the standards themselves are generic enough ("use encryption", "use access control") that a successful audit is no guarantee of a supplier's security.
 
Vendor Risk Management Platforms: Are They Effective?

I find it quite crazy that Vendor Risk Management solutions are focused on automating the vendor compliance questionnaires and then doing automated monitoring of their suppliers security postures. It seems very basic to me, yet the procurement space is probably so immature and focuses so much on just basic due diligence that this is already a major step up from their total manual paper-based approach today.

This Gartner paper lists the leaders in vendor risk management and they are all doing the same "automating workflows for assessing and managing vendor risk"

• Allgress
• Dell Technologies (RSA)
• Lockpath
• MetricStream
• Ncontracts
• Optiv Security
• Prevalent
• ProcessUnity
• Quantivate
• Rsam
• SAI Global

Another approach to streamline the certification and auditing of vendors, third party registries have emerged that audit and certify vendors for you. One example is Vendorpedia that certifies third party vendors comply with standards such as GDPR, NIST, and ITAR. The idea is that as an enterprise, you would not have to audit all of your suppliers yourself, but simply require any supplier to show proof of certification and audit from one of these registries. But there are many problems here. A third party registry is only useful if it reaches a critical mass of vendors, which will take a long time. 

CISO or Procurement: Whose Responsibility Is 3rd Party Security?

Even beyond technological solutions, there is a  the security team focuses on securing the company's own perimeter and data but is at a bit of a loss going beyond their own four walls, and the procurement team that actually manages the suppliers is just focused on checklists and governance. As the problem gets more and more attention, it's not clear to me yet who will own the problem - chief security officers or chief procurement officers?
 
Technology Solutions for Supply Chain Security
 
Persistent Encryption

Beyond the basics of encrypting data at rest and in transit, persistent encryption has been on the rise to solve supply-chain security and other "last mile" data protection problems. Persistent protections would encrypt and protect sensitive e-mail, files and other transient data wherever they go. Even if they fall into the wrong hands - say, a supplier's hands, or a hacker's hands - they are still protected. 

A traditional form of persistent protection is digital rights management (DRM). This is offered by Microsoft Azure Information Protection (a combination of its acquisition of SecureIslands and its traditional RMS encryption product). HelpSystems has also made investments in DRM by acquiring Vera, to be used in conjunction with Titus or Boldon James classification. Virtru provides DRM in partnership with Google. Unfortunately, DRM suffers from many practical drawbacks, as I detail in Solving Data Breaches Means Solving The Rampant Problem of Insider Threats. This includes user experience and data "outage" problems where you can't easily retrieve critical data, severe limits on data types that can be protected, and perhaps most critically in the context of supply-chain security: lack of interoperability with suppliers. After 20 years of DRM, there are few success stories.

The door is still open to a technology innovator who could provide persistent encryption in an innovative way that spares the problems of DRM. One promising company I have worked with is SecureCircle, a zero-trust solution with a novel approach to persistent encryption. 

Enhanced VDI

Persistent encryption can protect data that flows into suppliers' hands, but it doesn't solve all forms of supply-chain attacks. A more hard-line approach that some enterprises take is to ship secured laptops to their third parties and require the third parties to only work on those laptops. Others require that their suppliers work in a locked down virtual space using VDI. These solutions are burdensome, slowing down productivity, and have a hard time scaling across thousands of suppliers, especially in a COVID-driven world of all remote work.

But new forms of secure virtual machines and VM orchestration are surfacing, such as Tehama.io (read about their take on the SolarWinds breach and how Tehama could have prevented it here).

Supply-Chain Security: A Market Opportunity Like No Other

“No one’s personally identifiable information (PII) is safe. Companies can’t count on the integrity of their suppliers’ and partners’ security capabilities”, CSO Online says. Expect more companies to demand security audits of their partners, suppliers, and service providers. Third-party breaches are becoming more common, and it shows that any organization’s security is only as good as its extended network.”

For security software vendors and IT/IS professionals alike, supply chain security represents a massive untapped market opportunity. Google search for "supply chain security solutions" and few credible options come up, which is especially striking in today's very noisy security market where vendors are shouting from the rooftops about a solution for just about everything. For a security company looking to differentiate itself and truly solve a market problem, look no further than supply-chain security. 

Related reading:

• Solving Data Breaches Means Solving The Rampant Problem of Insider Threats
• 10 Ways To Predict Customer Demand​
• Strategic Initiative? Lead with a Single-Threaded Owner

​