There's nothing more frustrating than when things feel out of control. Imagine your organization does everything right in terms of cybersecurity—employees are well-trained, systems are up to date, and strict protocols are in place. Yet, despite these precautions, you still face a breach—not directly through your own network, but through a vendor’s vendor—an entity that may have access to your sensitive information without your direct knowledge.
In this Q&A, Joseph Chaves, director of business risk services at CliftonLarsonAllen LLP, explains how housing providers can recognize and defend against supply chain threats, helping protect sensitive data even when the threat may be several layers removed.
HAI Group: Can you explain a supply chain compromise in the context of cybersecurity and how it can potentially impact public housing organizations that work with SaaS vendors?
Joseph Chaves: Supply chain compromise is a type of cyberattack where malicious actors attempt to breach the system of an upstream software provider, service retailer, distributor, or supplier to gain access to their downstream customer systems. This can affect any organization, especially those relying on third-party SaaS vendors or software to host confidential or sensitive information.
HAI Group: What are some common attack vectors that threat actors use to compromise supply chains, and can you provide examples of real-world incidents?
Joseph Chaves: Supply chain vendors are susceptible to the same cyberattacks that affect everyone else, including DDoS attacks, phishing attacks, and zero-day vulnerabilities. A recent and public example is the MOVEit zero-day vulnerability. MOVEit, a popular third-party Secure File Transport Protocol (SFTP) software, disclosed in May 2023 that it had a critical SQL injection vulnerability. This flaw allowed malicious actors to gain privileged access to the SQL database supporting the MOVEit application, allowing for potential ransomware attacks on systems using MOVEit.
HAI Group: How can supply chain compromises lead to data breaches or other security incidents in public housing organizations, and what are the potential consequences of such breaches?
Joseph Chaves: Supply chain attacks have existed for some time but recently gained attention due to incidents like the MOVEit attack. Organizations should evaluate these attacks as part of their vendor risk assessments. The consequences of a supply chain compromise breach are similar to those of a direct cyberattack on your own organization but with a critical difference: in a supply chain attack, your organization depends entirely on the third party's ability to identify, quarantine, and resolve the incident.
HAI Group: What role does vendor management play in mitigating supply chain compromise risks for public housing organizations, and what key practices should they adopt to strengthen their cybersecurity posture?
Joseph Chaves: Vendor management is the key mitigating factor for supply chain attacks. Using third parties doesn't mean passing the liability—it's still your organization's data and, therefore, your responsibility to manage and monitor the vendor relationship for service quality and data security. CLA typically advises organizations to collect information on third parties annually through security questionnaires, which can provide insights into a third party's information security program. Key questions to include are:
- Does your organization undergo independent third-party attestation (e.g., SOC 1, SOC 2, PCI, HITRUST, or ISO 27001)?
- Does your organization use subservice providers like AWS, Azure, or ADP?
- What software is used for data transmission, storage, and processing?
HAI Group: Can you share best practices for assessing the cybersecurity readiness of vendors and third-party suppliers before engaging with them in the supply chain?
Joseph Chaves: Direct evaluations of vendor environments can be challenging with prominent third parties, but smaller organizations with less independent oversight may permit this. You could request recent penetration test reports, vulnerability scans, or system configurations. Although vendors may resist, organizations can leverage these requests during the RFP process to include audit stipulations in the vendor SLA. It's also crucial to note the vendor's cyber insurance coverage and their protocol for ransom payments, as your organization won't control whether or when the ransom is paid.
HAI Group: What are some critical components of a robust vendor risk management program that public housing organizations should implement to safeguard against supply chain compromises?
Joseph Chaves: Developing a detailed questionnaire identifying sub-service organizations, software, and independent attestations is a good starting point. Annual reevaluations of each vendor relationship are also important to keep risk assessments current.
HAI Group: In the event of a supply chain compromise, what steps should public housing organizations take to detect and respond to the breach effectively, and how can vendor management aid in this process?
Joseph Chaves: It is crucial to monitor cybersecurity advisories and alerts from reliable sources like the Cybersecurity & Infrastructure Security Agency (CISA). Combined with an effective vendor management program, this monitoring can provide the intel needed to assess whether an exploit affects your organization and its data.
HAI Group: Could you provide examples of successful case studies where effective vendor management prevented or mitigated supply chain compromises?
Joseph Chaves: CLA had a client who was not using the MOVEit application but was tracking advisories on the exploit. As part of their vendor management process, the client collected responses from all vendors handling data transfers to check for potential downstream compromise risks. They discovered one vendor used MOVEit, but because the data transmitted was publicly classified, the risk of vulnerability was minimal for our client.
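The advisory check described in this case study, written up as an added Python example (not CLA's or HAI Group's own tooling): questionnaire answers for each vendor, including the vendor's own subservice providers, are kept in an inventory, and an advisory naming a product is walked through every layer so that a vendor's vendor shows up too. The vendor names, products and classifications in the inventory are constructed placeholders, and a subservice provider is assumed to handle the same data as the direct vendor above it.

```python
from dataclasses import dataclass, field

@dataclass
class Vendor:
    name: str
    software: set                      # products named in the annual security questionnaire
    data_classification: str = ""      # classification of our data this vendor handles (direct vendors)
    subservice_providers: list = field(default_factory=list)  # the vendor's own vendors (assumed field)

def exposure_report(vendors, affected_product, inherited_class=None, path=()):
    """Return one record per vendor, at any depth, that runs affected_product.
    A subservice provider inherits the data classification of the direct
    vendor above it (assumption: it handles the same data on that vendor's behalf)."""
    hits = []
    for v in vendors:
        cls = inherited_class or v.data_classification
        chain = path + (v.name,)
        if affected_product in v.software:
            hits.append({
                "chain": " -> ".join(chain),       # how the exposure reaches us
                "classification": cls,
                # Publicly classified data needs follow-up only; anything else is urgent.
                "priority": "low" if cls == "public" else "high",
            })
        # Recurse into the vendor's vendors so indirect exposure is not missed.
        hits.extend(exposure_report(v.subservice_providers, affected_product, cls, chain))
    return hits

# Constructed sample inventory; names are placeholders, not real vendors.
INVENTORY = [
    Vendor("PayrollCo", {"MOVEit Transfer"}, "confidential",
           [Vendor("CloudHost", {"AWS"})]),
    Vendor("TenantPortal", {"SFTP server"}, "confidential",
           [Vendor("ReportVendor", {"MOVEit Transfer"})]),   # exposure two layers removed
    Vendor("PublicNoticesInc", {"MOVEit Transfer"}, "public"),  # public data: minimal risk
]

if __name__ == "__main__":
    for hit in exposure_report(INVENTORY, "MOVEit Transfer"):
        print(f'{hit["priority"]:4} {hit["chain"]} ({hit["classification"]})')
```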
HAI Group: Given the evolving nature of cybersecurity threats, how can public housing organizations stay proactive in managing supply chain risks and continuously improve their vendor management practices to address emerging threats and vulnerabilities?
Joseph Chaves: Continuous evaluation of current and future vendor relationships is essential. Key actions include:
- Robust contract management: Regularly review contracts for service, monitoring, security, and any changes in the vendor relationship.
- Active monitoring: Track vendor performance metrics and security advisories that could impact them or downstream vendors.
- Effective communication: Maintain open, honest relationships with vendors to ensure swift incident resolution.
- Risk management: Identify threats associated with each vendor relationship and document the processes to mitigate them.
- Compliance: Verify that vendors comply with relevant laws, regulations, and independent attestations.
Bottom line: Supply chain compromises are an increasingly serious threat, especially for public and affordable housing providers who work with third-party vendors. By implementing robust vendor management practices and maintaining vigilance on potential risks, housing providers can build resilience against these indirect cyber threats.
Quick Guide: Defending Housing Organizations Against Supply Chain Cybersecurity Threats
These steps can help build a more secure, resilient system against supply chain cyber threats, keeping your data and residents’ information safer.
Strengthen Vendor Oversight
- Review vendor security each year: Ask vendors to fill out a security questionnaire annually. Include questions like:
  - Have they had a recent security review, such as SOC 1, SOC 2, or ISO 27001?
  - Do they use other providers to store or process your data?
  - What software do they use to manage and transfer data?
- Check for regulatory compliance: Ensure vendors meet all necessary security and privacy regulations.
Assess Vendors’ Cyber Preparedness Before Hiring
- Ask for proof of cybersecurity measures: For smaller vendors, request reports showing they’ve tested their security, such as penetration tests or vulnerability scans.
- Include security in vendor contracts: When signing new contracts, add clauses allowing you to review or audit the vendor’s security.
- Verify cyber insurance: Confirm that vendors have cyber insurance, which can help if there’s a data breach.
Monitor Cyber Risks and Vendor Performance
- Identify potential risks from each vendor: Document specific cyber risks associated with each vendor.
- Keep your risk assessments current: Reevaluate each vendor relationship annually to stay updated on new risks.
Prepare for a Quick Response if an Issue Arises
- Stay updated on cybersecurity alerts: Follow alerts from trusted sources, such as the Cybersecurity and Infrastructure Security Agency, to stay informed about potential issues.
- Create response plans with vendors: Coordinate with vendors on how they will notify you of potential risks and their response plans.
Communicate Clearly With Vendors
- Be transparent about expectations: Set clear expectations with vendors about how quickly you expect notification of incidents.
- Ensure they prioritize your data’s security: Confirm that vendors understand the importance of timely updates and resolutions for any security concerns.
Regularly Review Contracts and Security Needs
- Update contracts to match changing needs: As your services or the vendor’s services evolve, ensure contracts reflect any new security needs.
- Revisit security commitments in agreements: Ensure service agreements specify security responsibilities for all data handling.
This article is for general information only. HAI Group makes no representation or warranty about the accuracy or applicability of this information for any particular use or circumstance. Your use of this information is at your own discretion and risk. HAI Group and any author or contributor identified herein assume no responsibility for your use of this information. You should consult with your attorney or subject matter advisor before adopting any risk management strategy or policy.