Supply Chain Defense
Lessons Learned From the Latest Supply Chain Breaches
Uber, LastPass, DoorDash, and more have all reportedly been affected recently by a breach at a vendor, which led to negative publicity for these companies. They are far from alone. In a recent BlueVoyant survey, 98% of executives surveyed said their organization was negatively impacted by a breach in their supply chain. Here is what you should know from the latest attacks and how to better protect your organization.
A supply chain attack can carry a huge number of implications for any organization. Digital supply chains are made up of the vendors, suppliers, and other third parties that have network access. Enterprises are only as secure as their weakest third-party link and, unfortunately, when this weakness is leveraged by cybercriminals, it can set off a domino effect of security risks with long-term negative impacts on the company’s finances, reputation, employee welfare and customers’ personal data.
Let’s take a look at Uber — the latest breach, the so-called “UberLeaks”, has allegedly exposed a large amount of company data, including IT asset information, and more than 70,000 employee email addresses. No customer data was reported to be stolen.
Attacks like this open the door to spear phishing campaigns, which use the leaked information to send highly believable targeted emails and texts. These messages are designed to steal credentials, money, or other sensitive information. Phishing like this puts Uber and other similarly targeted organizations, plus their employees and stakeholders, at greater risk.
This latest attack comes just months after Lapsus$ reportedly accessed the company’s internal network, which has the potential to erode the trust of its stakeholders and customers. According to BlueVoyant's threat intelligence, Lapsus$ is a financially motivated cybercriminal group that claimed responsibility for reported attacks on Okta, NVIDIA, Samsung, and others.
In that attack, the threat actors used social engineering to get around multi-factor authentication, or MFA. MFA requires multiple pieces of information to access an account or system, such as a password and a code from an app. It increases cybersecurity, but attackers reportedly got around it in the recent attacks on Uber and Rockstar Games.
The State of Supply Chain Security
BlueVoyant recently surveyed more than 2,000 global C-level executives on supply chain cybersecurity, finding that organizations are still struggling to monitor and prevent negative impacts from vendors and suppliers. Ninety-eight percent of firms surveyed say they have been negatively impacted by a cybersecurity breach that occurred in their supply chain, slightly up from 97% of respondents last year. One reason for this may be that 40% of respondents rely on the third-party vendor or supplier to ensure adequate security, which can leave them vulnerable to breaches.
Outsourcing is one of the fastest-growing security risks to an organization’s sensitive data, yet few have the in-house resources and expertise to effectively identify and monitor the cyber risks associated with third parties.
Reducing Supply Chain Risk
Resource constraints are often a key obstacle preventing organizations from ensuring adequate supply chain visibility. Enterprises sometimes struggle to monitor their suppliers continuously, if at all, meaning that weaknesses can’t be identified and remediated as effectively.
Unless companies employ cybersecurity specialists or a similar external service, they may struggle with a lack of expertise in cyber risk management, meaning organizations suffer from gaps in due diligence as their supply chains grow. True and reliable supply chain visibility cannot be achieved through the ad hoc assessments required by basic compliance measures.
To understand your supply chain risk, a great first step is knowing your vendors. Understand which ones have network access and to which systems. Also understand which vendors are critical for business continuity. You may be able to reduce the data and access given to third parties if it is not operationally necessary for the service provided.
The next step is to continuously monitor your third parties. Conducting multifaceted, ongoing monitoring and assessments is vital because supply chain cybersecurity threats are dynamic.
When weaknesses and security vulnerabilities are identified, remediation must be quick and effective, with actionable instructions. The best way to do this is to work with your third parties or have an outside vendor work with them on your behalf. It is far from sufficient to trust vendors to handle their vulnerabilities on their own. BlueVoyant has observed that cyber attackers are attacking unpatched systems more quickly than in previous years. A nudge from a client, or from an outside vendor working on the client's behalf, can push organizations to remediate more quickly. Both the time to remediate and the percentage of vendors that remediate a vulnerability or misconfiguration improve.
If you find yourself victimized, you can take steps to prevent being victimized again. For example, companies like Uber should work to rotate the passwords and credentials of all of their employees as quickly as possible, and ensure that their employees undergo rigorous anti-phishing training to mitigate this extended risk. These awareness campaigns will need to include multiple types of communication to truly protect employees from both corporate and personal phishing attacks. While the risk level is heightened, organizations should also require that important decisions receive sign-off from two managers.
Instituting a basic cyber hygiene routine as a standard within your organization will also help mitigate and prevent many risks.
Lorri Janssen-Anessi is Director, External Cyber Assessments at BlueVoyant and Tom Huckle is Director of Information Security & Compliance EMEA for BlueVoyant.