Airbus Incident Shines Spotlight on Third-Party Vendor Security Risks
By Ewen O’Brien – VP of Enterprise, EMEA at BitSight
2019 has been a year of high-profile attacks, and, as we predicted, it’s only getting worse. That’s certainly the case for Airbus.
According to the AFP news agency, the world’s second-largest aerospace and defence company has been targeted by four major cyber-attacks in the past 12 months, one of which resulted in a data breach. The attacks have been linked to a Chinese state-sponsored threat group with a record of stealing intellectual property from aerospace manufacturers.
But what makes this series of attacks stand out among the daily glut of cyber incidents isn’t the motive or the persistent nature of the attacks. Rather, it’s the path by which the hackers attempted to gain access to Airbus’ systems – by targeting its third-party suppliers.
The growing third-party supply chain risk
Attacking a target through its vendors’ networks – in this case those of Rolls-Royce and Expleo – is not uncommon. Today, 59% of data breaches originate with third-party vendors, and as globalisation makes supply chains ever more interconnected, that share is expected to grow.
Unfortunately, even organisations with rigorous controls for continuously monitoring their own environment struggle with supply chain risk management and remain exposed to breaches that begin at a third party.
A key challenge is that most companies don’t know how to implement third-party risk management (TPRM). The scope of the task is daunting: IT and security teams can quickly become overwhelmed trying to establish a vendor’s or partner’s security posture and the risk exposure that business relationship creates.
Evaluating vendor risk with security ratings
One way to evaluate vendor security is with third-party cybersecurity risk questionnaires. These help organisations identify weaknesses among vendors and partners that could lead to a breach.
The trouble is that a questionnaire only captures a snapshot of a vendor’s security posture at the moment it was answered. Nothing in business is static: a vendor’s systems may change or be outsourced, its security policies may be rewritten, and new threats keep emerging, so the risk a single vendor presents is constantly shifting.
A more effective way of exposing risk in your supply chain – quickly and without complexity – is to add security ratings to your TPRM programme.
Security ratings do not monitor a vendor’s systems from the inside, but they do show how seriously a vendor takes security by surfacing externally observable risk vectors – open or insecure ports, unpatched systems, malware infections, and publicly disclosed breaches, all of which indicate serious security liabilities – in minutes or hours rather than weeks. A rating is evidence of a vendor’s external hygiene rather than proof of its internal controls, so it works best as a trigger for follow-up with the vendor rather than a substitute for it. And because each vendor is given a score, much like a credit rating, it’s easier to communicate the scale and severity of the risk to a non-technical audience in the C-suite, on the Board, or at the vendor itself.
Make cyber risk a vendor KPI
As the Airbus attacks show, European companies can ill afford to ignore risk in their supply chains. On top of the reputational damage, GDPR regulators are imposing steep penalties for data breaches, raising the stakes still further.
Continuously monitoring your own organisation’s systems is necessary, but it is not sufficient. Everyone involved in risk management – the Board, the C-suite, legal counsel, procurement teams and the security operations centre – needs to understand the level of risk across the entire supply chain and select vendors on the strength of their security posture.
With this in mind, each time you enter into a new vendor agreement, make cybersecurity one of the KPIs you assess – and keep monitoring it for the life of that relationship.