3rd Party Software And Supply Chains are A Goldmine of Knowledge

The widespread use of 3rd party software makes it a prime target for attackers: once they infiltrate one vendor, they have a path into thousands of downstream customers. The Kaseya hack is a case in point. Because Kaseya's VSA platform is repurposed and resold by many smaller resellers, the reach of a single compromise is effectively limitless, and it is close to certain that those resellers do not prioritize cyber security in their own products and services.
Data security clearly does not begin and end on your own IT systems. Your own systems are hard enough to keep secure, let alone those of your direct suppliers, 3rd party vendors and the Cloud. As the US Federal Government discovered, the recent SolarWinds failure is an obvious example of a direct supplier shipping a compromised product. Another recent and notable example is the Apple ransomware attack, in which Intellectual Property (IP) was stolen through the systems of one of Apple's premier suppliers, Quanta Computer in Taiwan. Even setting these headline cases aside, your firm/nation might have the resources to keep up with software updates and patches, but your suppliers may not.
The threat that your firm's/government's data could be compromised through inept security practice at vendors and suppliers is of paramount concern. Add in the continued growth of cloud computing and, despite all your best efforts, there are enormous gaps in your supply pipeline. On the cloud, your firm is quite simply at the mercy of the Cloud Service Provider's (CSP) security. Further, E2E encryption is limited in its capabilities and only protects data during transfer. If you are running AI experiments on the cloud, then none of the data is protected, because E2E encryption does not protect data in use or at rest. Further, E2E encryption will be obsolete in the quantum computing era.
UMBRA is expert at monitoring the supply chain
A recent research report surveyed over 1500 CISOs, CIOs and Chief Procurement Officers from the USA, UK, Singapore, Switzerland and Mexico to gain insight into how they manage cyber risk within their supply chains.
The key findings were as follows:
  • 77% have limited visibility around their third-party vendors
  • 2.7 is the average number of breaches experienced in the past 12 months
  • 80% have suffered a third-party related breach in the past 12 months

Beyond human error, the number one cause of data security breaches is 3rd party vendors and suppliers. Your firm/nation can take every possible precaution, deploy all the top security software and deliver the best training programs, but it is unlikely your suppliers can implement the same data security protocols (or can afford to), so 3rd parties will always present a weakness.

Secondly, compatibility between software products is, as we all know, a substantial problem. We have all had to deal with firewalls and network systems that do not allow software products to integrate. This lack of holistic software solutions will remain a significant factor for all firms/nations.

The final major problem is that software updates and patches are not always identified and applied in a timely or rigorous manner. It is not hard to imagine a breach being identified and not addressed, or a virus patch being ignored. Data security professionals are also scarce: it is unlikely that many 3rd party suppliers have one on the payroll, and most rely on an IT generalist for their protection.

The bottom line is that any weakness within one of your suppliers can have a monumental impact on your operations. For example, a ransomware attack on a parts supplier could shut down your entire production line; a data breach could mean the loss of Intellectual Property; a breach of a satellite service could even cause catastrophic failure in shipping or aviation. The risks and costs associated with such hacks are potentially astronomical.

UMBRA’s level of threat intelligence and monitoring is without equal.

From the Shadows Emerge Knowledge