Third-Party Risk in the Supply Chain

For better or for worse, 2021 was the year of the supply chain. From countless headlines of the latest shortage to the blaring alarms after every major cyber-attack, the supply chain – and its weaknesses – were exploited regularly throughout the year.

James Thew Stock adobe com
James Thew/

For better or for worse, 2021 was the year of the supply chain. From countless headlines of the latest shortage to the blaring alarms after every major cyber-attack, the supply chain – and its weaknesses – were exploited regularly throughout the year.

But it’s not all doom and gloom. The constant reverberation of vulnerabilities in the supply chain helped create a renewed, heightened focus on improving cyber resilience and cyber hygiene.

While that keen focus has been much needed, there are still key cybersecurity challenges facing the supply chain. As organizations have become better at mitigating and preventing direct cybersecurity attacks, bad actors have also improved their strategies and redirected their energies to more indirect targets.

According to Accenture’s State of Cybersecurity report, indirect attacks against weak links in the supply chain now account for 40 percent of security breaches. And the weak links here are third parties. So, this begs the question: Are organizations still overlooking the most common denominator between 2021’s major breaches?

Third-party access presents vulnerabilities

The supply chain is made up of many diverse third-party populations including contractors, vendors, suppliers, partners, and non-human workers such as robotic process automation (RPA), internet of things (IoT) devices, bots, and service accounts, that often require access to an organization’s product and software design, intellectual property, or other sensitive information. 

In addition, to keep pace with digital transformation, many organizations are relying more on vendors and partners to support critical business functions. Subsequently, these organizations are unknowingly (or at least unwillingly) expanding their attack surface. These third-party identities can quickly transform from a competitive advantage into an Achilles heel if an organization lacks an adequate third-party identity and risk management strategy.

If we accept that providing access is now an inextricable part of business operations, we must also acknowledge that over-provisioning access generates significant risk and puts an organization in an undesirable state. The risks have the potential to compromise a number of supply chain-related processes including:

  • Software/product development
  • Procurement of raw materials
  • Production/product delivery
  • Software downloads and updates
  • Movement and storage of raw materials

As a result of organizations failing to ensure they have appropriate identity access and lifecycle strategies in place to reduce third-party risk, the door for attackers is frequently left unlocked and unguarded.

Measuring and managing third-party risk

In addition to unintentionally creating an open-door policy for bad actors, many organizations fail to accurately measure the security posture of their third parties before provisioning access. In a recent study by the Ponemon Institute, over half (51%) of respondents said their organizations are not assessing the security and privacy practices of all third parties before granting them access to sensitive and confidential information.

Organizations that take a more granular approach to identity and access management by assessing risk at the individual-identity level can effectively close the door on bad actors. Add in having proper systems for third-party identity lifecycle and risk in place, and organizations can strengthen their cybersecurity posture and mitigate risks in the supply chain — a win-win.

Now managing supply chain access isn’t without its challenges. Typical pain points can include:

  • Manual processes for onboarding/offboarding access
  • Duplicate identities and orphaned accounts
  • An incomplete inventory of human supply chain workers and customers 
  • An over-reliance on quarterly access reviews to identify access needs

While some identity programs attempt to alleviate these pain points through identity verification processes, most are not designed with third-party workers or non-human identities in mind. To address the dynamic access needs in large scale supply chains, modern identity programs must include an identity authority for third-party data and automated workflows. With improved transparency into third-party relationships via an identity authority, organizations are better suited to make well-informed decisions about provisioning, verifying, and deprovisioning supply chain access.

But the work doesn’t end there. Organizations should also look to implement stringent onboarding, risk modeling, and identity proofing processes before granting access to help build resilient and responsive supply chains devoid of access points for bad actors.

Stringent onboarding and lifecycle management

Organizations tend to have automated onboarding processes for their employees through their IT or HR departments. However, when it comes to third-party users, these same processes are often highly manual. When automation is absent from these processes, onboarding becomes incredibly time-consuming, costly, difficult to audit, and most importantly, error-prone — expanding the potential for additional risk associated with third-party users. With a purpose-built solution for third-party workers and non-human identities, onboarding and offboarding are automated through consistent, shared processes.

Identity risk modeling

To successfully implement the granular approach to third-party identity and access management mentioned above, organizations need to have an understanding of the number of non-employees, what level of access each identity has, and if they need it. According to a 2018 Ponemon Institute study, most organizations don’t even know their exact number of non-employees, and only one third of organizations had a list of all non-employees with which they share sensitive information.

With a comprehensive understanding of their third parties, organizations are in a position to more accurately assess risk and make access decisions based on that risk. By risk rating each individual non-employee, organizations can ensure that access is based on least privilege, meaning that users have the appropriate privileges to the necessary resources at a specific point in time, and that access is terminated in a timely manner when it is no longer required.

Identity proofing

Most organizations do not have well-defined business processes or solutions in place to manage an identity proofing program. If they do, chances are it’s highly manual and requires dedicated employees to proof each individual identity. As the number of third-party identities with access to facilities, data, and systems grows exponentially, it’s more important than ever for third parties to prove that they are in fact who they claim to be.

With proper identity-proofing practices and capabilities, organizations can easily and cost-effectively verify the identities of their users, support risk management initiatives and better protect critical assets.

As digital transformation rages on, it’s likely organizations will continue to grant third parties access to their sensitive, confidential systems and software. Whether or not those third parties are properly assessed, provisioned with the right level of access and managed throughout their life cycles is reliant on an organization’s approach to third-party identity and risk management.

Organizations can strengthen their cybersecurity posture by putting the proper systems in place to manage the identity lifecycle and risk of third-party workers with the same or greater diligence as their employees. Armed with a purpose-built identity solution that addresses the full complexities of a supply chain, organizations will have more transparency and control over their third-party populations.  As a result, they can make well-informed, risk-based decisions about access and terminating that access, ultimately reducing the risk of a third-party breach.