Myst - stock.adobe.com

How can MSPs minimise the risk of supply chain attacks?

Jaime Arze, manager II of third-party risk at Datto, shares some thoughts on how managed service providers can avoid becoming the weak links in the supply chain

This article can also be found in the Premium Editorial Download: MicroScope: MicroScope: The green agenda

Supply chain attacks such as SolarWinds and Log4j have been in the headlines a lot recently, but how big is the risk to managed service providers (MSPs) and their customers?

We are seeing a new era of supply chain attacks that affect large numbers of customers, directly or indirectly. The incidents that make the headlines are only the tip of the iceberg: there was a 650% surge in supply chain attacks in 2021 alone.

As the opportunity for making a profit has grown, cyber criminals have become more organised, now operating in company-like structures to maximise the financial return from their attacks. Put simply, the reason supply chain attacks are so profitable for the cyber crime industry is because they target weaknesses that can propagate one single attack to hundreds and thousands of victims at once.

Piggybacking on established supplier relationships to deliver malware to their customers is a strategy now sought out by the majority of cyber crime organisations – and it clearly works for them, as statistics show that over 95% of companies have already been directly or indirectly affected by a supply chain cyber security incident. Small and medium-sized enterprises (SMEs) are particularly vulnerable as they tend to sit near the bottom of the supply chain and often don’t have the expertise or bandwidth to put in place appropriate defences.

This also means MSPs that serve those companies are at risk of becoming potential targets. Since the services they provide are so essential to their clients’ environments and there is so much trust involved in the relationship, compromising an MSP would have a huge impact on its customers. And even if an attack is not directed at the MSP itself, but at a software vendor, for example, the MSP could still be part of the pipeline that propagates third-party and fourth-party exposure all the way down to the SME community

Steps to take

As an MSP, how should you react to this growing threat? What steps can you take to reduce the twofold risk of becoming a victim of an attack and passing malware down to your customers?

Supply chain attacks exploit the trust organisations have put in their suppliers and, because of their very nature, standard security and cyber hygiene measures cannot reliably stop them. If, for example, a patching server is compromised, then the MSP is essentially helping to install malware on its clients’ systems because the hacker can leverage the established and trusted connection that is already there. Security tools installed in the end client’s environment have practically no way of preventing this.

So rather than relying solely on the standard security measures for protecting endpoints and networks, which may fail, it could be beneficial to minimise exposure and create a high level of transparency and accountability across both vendor and customer relationships. MSPs have to, first and foremost, protect themselves to protect their clients.

The starting point should be a full audit of your IT environment, because you can’t protect what you can’t see. You need to know all the software and hardware that exists within your environment, all the cloud services that are used, and all the vendors and partners your business – and your clients – interact with.

It’s also important to understand how deep these interactions are. For example, what type of data is this vendor handling, do they have read/write access to your environment, and how integrated are they into your core systems?

Any partnerships that aren’t critical to the business or are redundant should be reviewed and where necessary, ceased to reduce the attack surface. Tier the remaining supplier relationships by how critical they are and how much damage an attack on one of those suppliers could do to your own organisation, as well as your clients’.

When you have done that, sit down with your key suppliers to have that all-important security conversation. Be specific – and don’t be afraid of asking uncomfortable questions. Focus on what is important to your business, agree on a concrete plan of action where weak points need to be addressed and always demand proper outcomes.

Questions to ask

When it comes to understanding the risks in your supply chain, what questions should MSPs ask their vendors?

The questions you ask during a vendor assessment should primarily be aimed at understanding what potential risks your partnership could expose you to over time. Each vendor in your portfolio must, as a minimum, be able to explain how they protect themselves and their customers, how they restrict and control access and what mechanisms they are using to encrypt your data.

What are they doing to safeguard the confidentiality, integrity and availability of your and your clients’ data? What is their business continuity and disaster recovery strategy? Do they have effective employee training in place, as well as an information security programme that allows them to respond to ever-changing threats?

To help MSPs with these conversations, Datto has created a vendor assessment worksheet that is available to download. It guides MSPs through mapping the key topics of interest to specific security domains and identifying which vendor types they are applicable to, so they can assess their third-party risk more easily.

Remember to measure your vendors in a way that mirrors your organisation’s internal requirements and establish a way to hold them accountable. Important points such as incident response, data retrieval, data ownership and rights to an assessment should all be agreed as part of your contract. Ask to see any independent audits of the vendor’s security performance too.

Last but not least, managing vendors is an ongoing process. The initial assessment is only the starting point. Follow up on the findings and insist that your partner’s security programme keeps moving forward. Above all, keep relationships transparent. The level of diligence, security expectations and accountability should grow as vendor relationships deepen. Expecting quality security outcomes from your suppliers will ultimately help protect your clients too – after all, your clients expect the same from you.

Read more about supply chain attacks

Read more on Managed IT Services