Cyber-criminals are targeting the weak point in the supply chain—smaller vendors
Numerous supply chain attacks in recent years have revealed the precarious state of the vendor supply chain. These cyber-attacks impact trusted third-party vendors that offer software or services to a variety of other organizations. The hackers’ goal is to infect or breach an application of an unsecured vendor in the supply chain to access their business partners, steal information, and commit fraud and other criminal activities.
The real prize for threat actors launching supply chain attacks, however, is a vendor that works with large enterprises: if the attackers can breach those enterprise businesses through the vendor, the vendor becomes their cash cow.
It is often harder and takes more finesse and skill to compromise the systems of large companies because they usually have sophisticated security controls in place. Enterprise businesses these days, especially ones with access to huge amounts of personal data and confidential information, invest a lot of money in protecting those valuable assets. This is particularly true for massive public companies that are held accountable to their investors and must disclose cyber-security incidents.
Threat actors know that, in contrast, smaller vendors typically have weaker security, which makes them easier to hack. And once hackers compromise these vendors, they can find ways to gain access to the larger companies they work with. Enterprise businesses can only protect themselves from cyber-attacks insofar as they have control over the security of their systems and processes. But when it comes to external vendors that are integrated into their tech stack or business processes, larger enterprises have no way of ensuring that these smaller businesses have the same security protocols in place or can uphold the same security standards. Unsuspecting enterprises have therefore become vulnerable to attacks through insecure vendors in the supply chain, which can have deleterious effects.
When does this happen?
Supply chain attacks are becoming more widespread, and the risks are increasing every year. According to Cybersecurity Ventures, $60 billion will be lost to software supply chain attacks by 2025. In a press release in 2022, Gartner estimated that 45% of organizations worldwide will experience software supply chain attacks by 2025.
One of the more notable supply chain attacks in the past few years was the SolarWinds assault. As a third-party supplier to many customers, SolarWinds was an ideal target for threat actors looking to gain access to its network of clients, which the hackers achieved by injecting malicious code into SolarWinds’ monitoring and management software, Orion. Even now, years after the initial attack, the fallout continues to be extensive.
Another example from earlier this year was the hack of the MOVEit Transfer application, which compromised hundreds of organizations in both the private and public sectors worldwide. Because these organizations used the MOVEit program to transfer information and share files, they were compromised by the attack, and the personal data of tens of millions of people was exposed. What is particularly troubling here is that these cases are the harbinger of many more sophisticated supply chain attacks and attempts to come, and the estimated losses are huge.
Supply chain attacks: A real risk to business payments
Supply chain attacks are made possible by the simple reality that in today’s business world, every company relies on third parties and external partnerships to run their business. Every single company works with vendors, from large suppliers to even the smallest of agencies and individuals. And for all businesses, there is always a level of risk that comes with working with any third-party vendor.
Vendor management is complex, especially for businesses that work with hundreds or thousands of third-party suppliers. The more vendors a company has, the more susceptible it is to attacks, because each of those vendors is a potential point of compromise.
From our experience at Trustmi, when it comes to vendors, there is always a high incidence of business email compromise (BEC) and other cyber-attacks, and generative AI has made these attacks more sophisticated and effective. From a fraud perspective, the high quality of these attacks has made it almost impossible for people to tell the difference between real vendor communications and fraud attempts.
We also know that one of the leading areas of vendor compromise is business payment fraud. At Trustmi we see this happening time and time again through supply chain attacks. From vendor impersonation to direct attacks on ERP systems, the goal of the bad actor is to change vendor information and trick enterprises into sending payments meant for their vendors to the fraudster’s account.
Where controls fail
Unfortunately, the current approach to protecting the supply chain isn’t working. Today, vendor risk is assessed through a questionnaire that is filled out when a vendor first begins working with a company. During this process, the security team or chief information security officer receives a request from someone within the organization asking them to assess the vendor. At the time the vendor is first reviewed, the scope of the vendor’s access to sensitive information is specific and typically limited. However, the assessment process doesn’t consider that the vendor’s access to confidential data, or the scope of its work, may increase over time. When this happens, security teams are not alerted and therefore do not run an updated security assessment to ensure the vendor meets the security requirements for the increased access. In this way, companies open themselves up to cyber-attacks on their supply chain by not monitoring and enforcing proper security protocols and controls for their vendors.
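The two gaps described above (vendor access that grows past what was assessed, and vendor payment details being changed ahead of a payment run) can both be caught by a simple periodic check. The following is an added illustration, not Trustmi’s product code; the vendor records, change log and payment run are constructed sample data, and the 30-day hold window is an assumed policy value.

```python
from datetime import date

# Constructed sample vendor records (not real data): the access scope recorded at
# the original questionnaire review versus the scope the vendor actually uses today.
VENDORS = {
    "acme-logistics": {
        "assessed_on": date(2022, 3, 1),
        "assessed_scope": {"shipment-api"},
        "current_scope": {"shipment-api", "erp-vendor-master", "customer-pii"},
    },
    "print-shop": {
        "assessed_on": date(2023, 9, 12),
        "assessed_scope": {"marketing-sftp"},
        "current_scope": {"marketing-sftp"},
    },
}

# Constructed vendor-master change log and an upcoming payment run (not real data).
CHANGE_LOG = [
    {"vendor": "acme-logistics", "field": "bank_account",
     "changed_on": date(2024, 5, 2), "requested_via": "email"},
    {"vendor": "print-shop", "field": "contact_phone",
     "changed_on": date(2024, 4, 10), "requested_via": "portal"},
]
PAYMENTS = [
    {"vendor": "acme-logistics", "amount": 48200.00, "pay_on": date(2024, 5, 6)},
    {"vendor": "print-shop", "amount": 1250.00, "pay_on": date(2024, 5, 6)},
]


def scope_drift(vendors):
    """Vendors whose live access exceeds the assessed scope -> the extra systems.
    Any hit means the original questionnaire no longer covers what the vendor can reach."""
    return {name: sorted(v["current_scope"] - v["assessed_scope"])
            for name, v in vendors.items()
            if v["current_scope"] - v["assessed_scope"]}


def payments_to_hold(payments, change_log, window_days=30):
    """Payments to vendors whose bank account changed within window_days before the
    pay date; these should be held for out-of-band verification with the vendor."""
    held = []
    for pay in payments:
        for chg in change_log:
            if chg["vendor"] != pay["vendor"] or chg["field"] != "bank_account":
                continue
            age = (pay["pay_on"] - chg["changed_on"]).days
            if 0 <= age <= window_days:
                held.append({"vendor": pay["vendor"], "amount": pay["amount"],
                             "reason": f"bank account changed {chg['changed_on']} "
                                       f"via {chg['requested_via']}"})
    return held
```

Run on the sample data, the drift check flags acme-logistics for two systems it was never assessed against, and the payment check holds the same vendor’s payment because its bank account was changed by email four days earlier.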
What real supply chain protection looks like
To fully protect themselves from supply chain attacks, companies must use AI technology that can efficiently manage and secure every vendor in the supply chain. The right solution must identify all vendors, provide full visibility into vendor management, monitor vendor activities, track and control their permissions and access to internal systems, and enforce security practices. It also needs to manage vendor profiles and changes to their payment information.
Trustmi offers a comprehensive solution that does all this and more. Our vendor onboarding product is an easy self-service portal to help set up vendors securely and add them to our Trust Network. Our module for vendor lifecycle management strengthens the security of the supply chain, so enterprises can have confidence that their vendors are always protected.
Contact us today to see a demo of our products and learn how Trustmi can help you streamline and secure the management of your supply chain so that you don’t lose any money to fraud, and your vendors always get paid the right amount on time.
by Shai Gabay, CEO and Co-founder, Trustmi
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543