Airbus Incident Shines Spotlight on Third-Party Vendor Security Risks

2019 has been a year of high-profile attacks, and, as we predicted, it’s only getting worse. That’s certainly the case for Airbus.

According to the AFP news agency, the world’s second-largest aerospace and defense company has been targeted by four major cyber-attacks in the past 12 months, one of which resulted in a data breach. The hacks are being linked to a Chinese state-sponsored cyber threat group with a record of stealing intellectual property from aerospace manufacturers.

But what makes this series of attacks stand out among the daily glut of cyber incidents isn’t the motive or the persistent nature of the attacks. Rather, it’s the path by which the hackers attempted to gain access to Airbus’ systems – by targeting its third-party suppliers.

The growing third-party supply chain risk

This form of hacking via vendor networks, in this case Rolls-Royce and Expleo, isn’t uncommon. Today, 59% of data breaches originate with third-party vendors. And, as globalization brings more interconnected supply chains, that number is anticipated to grow.

Unfortunately, even with vigorous security controls in place to continuously monitor for threats, the vast majority of organizations struggle with supply chain risk management and remain vulnerable to third-party hacks and breaches.

A key challenge is that most companies don’t know how to implement third-party risk management (TPRM). The scope of the task is incredibly complex. IT and security teams can quickly become overwhelmed trying to ascertain a vendor’s or partner’s security posture and the potential risk exposure of that business relationship.

Building new digital relationships with third parties increases risk exposure. But IT teams can reduce that risk through all stages of the vendor onboarding, monitoring, and reassessment lifecycle.

Evaluating vendor risk with security ratings

One way to evaluate vendor security is through third-party IT cybersecurity risk questionnaires. These can help organizations identify potential weaknesses among vendors and partners that could result in a breach.

The trouble is, these questionnaires only offer a snapshot of a vendor’s cybersecurity posture. Nothing in business is static. A vendor’s systems may change or be outsourced, their security policies might be re-written, and new threats continually evolve, so the risk presented by a single vendor is constantly shifting.

A more effective way of exposing risk in your supply chain – quickly and without complexity – is to add security ratings to your TPRM program.

While security ratings don’t directly monitor vendor systems, they do show how seriously a vendor takes security by exposing risk vectors such as open or non-secure ports, unpatched systems, malware infections, and publicly disclosed breaches, all of which indicate serious security liabilities. They do so in minutes or hours, not weeks. And because vendors are scored with a rating, much like a credit score, it’s easier to communicate the scale and severity of risk to a non-technical audience in the C-Suite, on the Board, or even with the vendor in question.

Make cyber risk a vendor KPI

As the Airbus hacks show, European companies can ill afford to ignore risk in their supply chains. In addition to the reputational risk, GDPR regulators are enforcing steep penalties for corporate cyber breaches, making the stakes of a data breach too high.

Continuous monitoring of your organization’s own systems may be enough to hold off a cyber-attack, but it’s also imperative that everyone involved in risk management – the Board, the C-suite, legal counsel, procurement teams, and the security operations center – understand the level of risk across the entire supply chain and select vendors based on their security vigor.

With this in mind, each time you enter a new vendor agreement, prioritize cybersecurity as one of the KPIs you look at and continuously monitor – for the life of that relationship.