The massive October 21st, 2016 distributed denial of service (DDoS) attack on Dyn, a prominent Domain Name System (DNS) provider, left many US websites unreachable. The attack was historic in scale and precisely targeted. While no customer data was breached in this event, it was still extremely impactful on the affected organizations. When Dyn's DNS service went offline, the names of more than 100 popular websites, such as Reddit, Twitter, Box, Spotify, PayPal, Squarespace and Amazon Web Services (AWS), could no longer be resolved, so users could not reach them even though the sites' own servers were still running. While most of us could survive without Twitter – though barely – the unavailability of hosting platforms such as AWS, Box and Squarespace most likely caused interruptions in numerous businesses.
As organizations continue to rely heavily on hosted solutions, there is now a cyber risk in the supply chain that must be identified and accounted for when assessing an organization's exposures and when developing or maturing the incident response plan and disaster recovery plan. What would you do if your network was down or a critical application was offline and you had no control over the recovery of that service?
Cyber risk in the supply chain comes in many forms and certainly goes well beyond Internet hosting vendors such as Dyn; given the historic scale of the DDoS attack on Dyn, though, today's blog focuses on these types of vendors. Internet providers suffer from damaged equipment, downed lines and service outages, just like any other company. Cloud hosting providers may experience downtime due to Internet outages, DDoS attacks, data corruption or loss/theft of equipment. And any business's network is susceptible to a data breach, which often comes with extended downtime.
Managing hosted vendor cyber risk in the supply chain isn’t very different from the traditional approach:
Identify the critical vendors – These are the vendors that provide your organization with Internet connectivity, DNS, hosted servers, hosted applications, etc.; those whose unavailability or breach would have an impact on operations or negatively affect revenue.
Understand the vendor’s level of security sophistication – Ideally this happens during the due diligence process, but in any case you should work to understand the vendor's security posture and procedures. Also, ask for their incident response and disaster recovery plans so you can build their response into your own plans. With some digging, you may find that a vendor's security or recovery planning is not up to your organization’s standards or risk appetite.
Review vendor contracts closely – Contracts with vendors should be crafted carefully. Provisions covering security requirements, indemnity and insurance requirements should be included in RFPs and in all vendor contracts. Once those contracts are in place, there should also be a process in place to verify that vendors remain compliant with them.
Plan for the worst – While it is not always feasible and requires a good deal of planning, organizations should consider alternatives to their critical hardware/software vendors (for DNS, that means a second authoritative provider, so that one vendor's outage does not take every name offline). If a vendor hosting your critical business application suffered a massive breach and was not able to recover, what would you do? Planning for that event ahead of time could save a great deal of time and money if the event does occur.
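The first and last steps above (identify the critical vendors; plan for the worst) can be made concrete for DNS with a small inventory check: which provider runs the authoritative nameservers for each of your domains, and which domains would go dark if one provider did? The script below is an added illustration, not the blog's or The ALS Group's own code. The domain names and nameserver hostnames in it are constructed for the example (the `dynect.net` suffix is used because that was Dyn's nameserver domain), and the NS records are embedded inline so it runs offline; in practice you would populate the inventory from `dig +short NS <domain>` or a resolver library.

```python
"""Flag domains whose DNS depends on a single provider.

Added example for the vendor-identification and plan-for-the-worst steps;
not code from the original post. Nameserver data is constructed inline.
"""
from collections import defaultdict

# Constructed inventory: domain -> authoritative nameservers (NS records).
# These hostnames are illustrative, not the result of real lookups.
INVENTORY = {
    "shop.example": ["ns1.p10.dynect.net", "ns2.p10.dynect.net"],
    "api.example": ["ns-123.awsdns-45.com", "ns1.p10.dynect.net"],
    "blog.example": ["ns1.hostingco.example", "ns2.hostingco.example"],
}


def provider_of(nameserver: str) -> str:
    """Approximate the DNS provider by the registrable domain of the NS host.

    Assumes a two-label suffix (e.g. 'dynect.net'). Providers under ccTLD
    second-level domains such as 'co.uk' would need a public-suffix list.
    """
    labels = nameserver.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def providers_per_domain(inventory: dict) -> dict:
    """Map each domain to the set of DNS providers serving it."""
    return {dom: {provider_of(ns) for ns in nss} for dom, nss in inventory.items()}


def single_provider_domains(inventory: dict) -> list:
    """Domains with no DNS redundancy: one vendor outage takes them offline."""
    return sorted(d for d, p in providers_per_domain(inventory).items() if len(p) == 1)


def domains_depending_on(inventory: dict, provider: str) -> list:
    """Blast radius of one vendor: every domain with any NS at that provider."""
    return sorted(d for d, p in providers_per_domain(inventory).items() if provider in p)


def report(inventory: dict) -> dict:
    """Provider -> list of dependent domains, for the critical-vendor list."""
    by_provider = defaultdict(list)
    for dom, providers in providers_per_domain(inventory).items():
        for prov in providers:
            by_provider[prov].append(dom)
    return {prov: sorted(doms) for prov, doms in sorted(by_provider.items())}


if __name__ == "__main__":
    for prov, doms in report(INVENTORY).items():
        print(f"{prov}: {', '.join(doms)}")
    print("single-provider domains:", single_provider_domains(INVENTORY))
    print("would go dark if dynect.net failed:",
          domains_depending_on(INVENTORY, "dynect.net"))
```

A domain that appears in `single_provider_domains` has no DNS fallback: even if its web servers are healthy, an outage at that one vendor makes it unreachable, which is exactly what happened on October 21st. Adding a second authoritative provider (and keeping both zones in sync) is the "plan for the worst" step for this particular vendor class.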
Cyber risk in the supply chain may be more impactful to your organization than you’ve considered. Click here to request more information about The ALS Group or if you need assistance identifying or mitigating your supply chain risk.