It's not a call you want to get. One of your suppliers is in touch to let you know they have been victimized by a cyber-attack. Whether it was ransomware or a phishing scheme or just a malicious file that someone clicked on, you immediately start thinking about the ramifications for your business. Does this mean you've been hacked, too? Did malicious actors get access to your systems through your integrations with the supplier? How vulnerable are you? Should you stop opening emails from them? How will that impact your operation? And what do you need to do about it?
Here's our advice. To protect yourself and your systems from the vulnerabilities introduced by the compromise of your supplier, you should take the following steps: sweep your systems for any trace of unauthorized access; meet with the supplier to establish exactly what happened and how it might have affected you; take action if you have been affected; and undertake a full audit of your supply chain so that you are on top of any vulnerabilities before they become liabilities. More on each of those below.
Getting Full Disclosure from Your Supplier
Then comes the hard-nosed bit that your supplier may push back on. You need to demand a sit down with them to have a full and frank conversation about the breach and how it happened. It's probably a good idea for you to suggest doing so under the terms of an NDA so that your supplier (who will already be feeling in a vulnerable position) doesn't need to worry that you'll be telling tales out of school.
Make it clear to them from the outset that the goal is to fully understand what happened so that your team can investigate your own systems. Be upfront with them. Tell them, "I need to know what happened, so I can understand my risk." You don't know yet whether you will be required to take punitive measures, because you don't know yet what the cost will be. Costs beyond the impact on your operation, such as compliance fines or fees from cyber-insurance providers or incident responders, could still be forthcoming.
The regulatory language for this relationship is that your supplier is, in fact, a "subservice provider." A subservice provider is a vendor whose services are necessary to the primary organization's delivery of services and the meeting of its commitments. As a result, the role of subservice providers in your organization's operations needs to be taken into account when compliance is an issue.
After a breach, you'll need to ensure that your subservice provider fills out up-to-date vendor due diligence forms to ensure that both they and you are compliant with all relevant regulations. Of course, if you aren’t getting a response from them, you’ll need to go to the next step...
Isolate and Protect Your System
First things first: protect yourself - suspend access for your supplier until the picture is clear and you've run an investigation.
Any access that your supplier had to your systems needs to be controlled, tracked and shut down pronto. Cut off their VPN access, shut down user privileges, change their passwords. Everything, all of it, gets turned off.
Next, even if they are reporting to you that they handled it - and what else are they going to tell you? - you need to dial back their access. Period. These restrictions will need to last for the foreseeable future.
You'll need to check your systems aggressively to ensure the breach on their end didn't lead to a breach on yours.
Lock down your system and institute a full sweep. Check your logs and have your provider double-check them. From top to bottom, screen your files and programs on the assumption that they've been compromised. Better to be overzealous and come up with nothing after a thorough search than fail to look hard enough and have undetected malware come back to bite you down the road. Also, just as you changed all of your supplier's passwords, you'll need to do the same for all internal users.
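The log sweep described above can be started with a small script. The following is an added example, not code from the original post or from ActZero: it reads authentication events in a constructed syslog-like format, keeps only the supplier's accounts, and flags any event that happened after the supplier's notification, came from a source address outside the contractually agreed list, fell outside business hours, or failed. The account names, IP addresses, log format and notification time are all constructed assumptions; the function names (`sweep`, `accounts_to_suspend`) are hypothetical.

```python
"""Sweep authentication logs for activity by a compromised supplier's accounts.

Added example (not from the original post). Assumes a simple syslog-like
line format and a list of vendor account names; all values below are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import re

# Constructed sample: VPN/SSO authentication events in a syslog-like format.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z vpn-gw auth user=vendor.svc src=203.0.113.10 result=success
2024-03-01T22:47:05Z vpn-gw auth user=vendor.svc src=198.51.100.77 result=success
2024-03-02T03:15:40Z sso auth user=vendor.jdoe src=198.51.100.77 result=success
2024-03-02T03:16:02Z sso auth user=vendor.jdoe src=198.51.100.77 result=failure
2024-03-02T09:30:00Z sso auth user=alice src=10.0.0.5 result=success
2024-03-03T11:00:00Z vpn-gw auth user=vendor.svc src=203.0.113.10 result=success
"""

VENDOR_ACCOUNTS = {"vendor.svc", "vendor.jdoe"}   # constructed: accounts issued to the supplier
KNOWN_VENDOR_IPS = {"203.0.113.10"}               # constructed: addresses agreed in the contract
# Constructed: when the supplier told us about their incident. Anything at or
# after this point is suspect until the supplier's account of events is confirmed.
NOTIFIED_AT = datetime(2024, 3, 2, 0, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: datetime
    user: str
    src: str
    reasons: tuple


def parse_line(line):
    """Return (timestamp, host, user, src, result) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["host"], m["user"], m["src"], m["result"]


def sweep(log_text, vendor_accounts, known_ips, notified_at):
    """Flag supplier-account events that need a human to look at them."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _host, user, src, result = parsed
        if user not in vendor_accounts:
            continue                      # internal users are swept separately
        reasons = []
        if src not in known_ips:
            reasons.append("unknown source IP")
        if ts >= notified_at:
            reasons.append("activity after breach notification")
        if not 8 <= ts.hour < 18:
            reasons.append("outside business hours (UTC)")
        if result != "success":
            reasons.append("failed attempt")
        if reasons:
            findings.append(Finding(ts, user, src, tuple(reasons)))
    return findings


def accounts_to_suspend(findings):
    """Every supplier account with at least one finding gets suspended pending review."""
    return sorted({f.user for f in findings})


if __name__ == "__main__":
    for f in sweep(SAMPLE_LOG, VENDOR_ACCOUNTS, KNOWN_VENDOR_IPS, NOTIFIED_AT):
        print(f.ts.isoformat(), f.user, f.src, "; ".join(f.reasons))
    print("suspend:", accounts_to_suspend(sweep(SAMPLE_LOG, VENDOR_ACCOUNTS, KNOWN_VENDOR_IPS, NOTIFIED_AT)))
```

On the constructed sample, the known-address, business-hours login before the notification passes, while the two logins from the unlisted address, the failed attempt, and the otherwise normal-looking login after the notification are all surfaced; both supplier accounts end up on the suspension list. The point of the last rule is the one the text makes: a successful login that looks routine is still suspect once you know the supplier was compromised.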
For more steps like these that you can apply to other incidents, check out our Elite SMB Incident Response Guide.
Audit Your Supply Chain
Finally, take this opportunity to do a full supply chain audit. Let this experience serve as a wake-up call. Take the initiative to run a security risk audit on all of your vendors.
Don't forget to take into account all possible providers, even those you might not think about or even realize at first you use. What do I mean? Take Apollo as an example.
Apollo is a sales intelligence and engagement plugin that integrates with your LinkedIn, Gmail, Outlook, Salesforce, HubSpot, SendGrid, Marketo, and other programs. In late 2018, Apollo reported a massive breach that left a “staggering amount” of records—up to 125 million email addresses and nine billion data points—exposed to malicious actors.
If you heard about this breach today, would you know whether your company or your staff use this plugin? Do you know all the software and integrations that, for example, your marketing department uses and has access to? Probably not.
Because a plugin like Apollo provides a service to your business, you need to consider it a supplier, treating it as you would any other supplier who suffered a breach. You need to be on breach notification lists for any of these programs, whether they be browser plugins or SaaS providers. Failing to do so can mean unintentionally opening up your company to vulnerability.
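The audit the section calls for starts with an inventory of every integration, plugin and SaaS provider your departments use, and a way to spot the ones you would not hear about if they were breached. The following is an added example, not code from the original post or from ActZero: it scores each constructed inventory entry by the data it can reach, and flags entries with no breach-notification subscription, an overdue due-diligence review, high-privilege access, or a vendor that appears on a list of disclosed incidents. The inventory records, scope weights, review cutoff and incident list are all constructed assumptions (Apollo is included only because the text names it; the scopes attributed to it here are illustrative), and `risk_score` and `audit` are hypothetical function names.

```python
"""Inventory third-party integrations and flag supply-chain audit gaps.

Added example (not from the original post). Every record, weight and
threshold below is constructed; in practice the inventory comes from your
SaaS admin consoles, OAuth app reports and browser-extension policies.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Integration:
    vendor: str
    owner_dept: str
    scopes: frozenset        # data the vendor can reach, e.g. "mail.read"
    on_breach_list: bool     # are we subscribed to the vendor's breach notifications?
    last_reviewed: str       # ISO date of the last due-diligence review, "" if never


# Constructed weights: how much harm a compromised vendor could do with each scope.
SCOPE_WEIGHT = {
    "mail.read": 3, "mail.send": 4, "contacts.read": 2,
    "crm.read": 3, "crm.write": 4, "sso.admin": 5, "files.read": 3,
}

# Constructed inventory; the scopes shown for Apollo are illustrative only.
INVENTORY = [
    Integration("Apollo", "Marketing", frozenset({"mail.read", "contacts.read", "crm.read"}), False, ""),
    Integration("PayrollCo", "Finance", frozenset({"sso.admin", "files.read"}), True, "2023-11-02"),
    Integration("ChatWidget", "Support", frozenset({"contacts.read"}), True, "2024-01-15"),
]

# Constructed feed of vendors that have disclosed an incident (lower-cased names).
REPORTED_INCIDENTS = {"apollo"}


def risk_score(integ):
    """Sum the weights of the scopes a vendor holds; unknown scopes count 1."""
    return sum(SCOPE_WEIGHT.get(s, 1) for s in integ.scopes)


def audit(inventory, incidents, review_cutoff="2023-09-01", high_risk=8):
    """Return {vendor: [issues]} for every integration that needs attention."""
    gaps = {}
    for integ in inventory:
        issues = []
        score = risk_score(integ)
        if not integ.on_breach_list:
            issues.append("not subscribed to breach notifications")
        # ISO dates compare correctly as strings; "" (never reviewed) is always overdue.
        if not integ.last_reviewed or integ.last_reviewed < review_cutoff:
            issues.append("due diligence review overdue")
        if score >= high_risk:
            issues.append(f"high-privilege access (score {score})")
        if integ.vendor.lower() in incidents:
            issues.append("vendor has a disclosed breach: treat as a compromised supplier")
        if issues:
            gaps[integ.vendor] = issues
    return gaps


if __name__ == "__main__":
    for vendor, issues in audit(INVENTORY, REPORTED_INCIDENTS).items():
        print(vendor)
        for issue in issues:
            print("  -", issue)
```

Run against the constructed inventory, the marketing plugin nobody subscribed to notifications for comes out with four issues, including the disclosed breach that the text says you might otherwise never connect to your own company; the finance integration is flagged only for the breadth of its access; the low-privilege support widget passes. The breach-list check is the cheapest control here: without it, the incident column stays empty for the vendors you most need to hear from.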
How ActZero Can Simplify Your Life
If all of this sounds like a huge burden and difficult to keep track of, you're not wrong. But the good news is that ActZero can help simplify things for you. We are typically the first call in scenarios like this and help with vendor management and due diligence of suppliers through our vCISO team. We deal with breaches every day and want to ensure clients don't mishandle security issues, putting them at operational or undue liability risk.
You can also take advantage of our Virtual CISO (vCISO) program, and benefit from the services of an experienced security leader for as many hours as you choose to invest in per quarter. Your vCISO can advise you on building the policies, frameworks, and KPIs you need to reduce risk.
ActZero's Managed Detection and Response (MDR) service can help bolster your defences, detecting suspicious behaviour coming from a compromised vendor as it happens. Our proprietary technology and dedicated Threat Hunters respond to attacks in real time, so your exposure is minimized. We may even know your vendor is under attack before they do.
To learn more about how ActZero can help protect your business, reach out to us today.