Insights from category creators and the investors who believe in them.

Not Breaking the Supply Chain

November 13, 2018
By Oren Yunger

The cybersecurity trends to watch next: Not Breaking the Supply Chain

Welcome to the second installment of my VC diaries. As a reminder, in this series I cover technology trends I find promising. In this episode, I will discuss supply chain security and share my thoughts on why I believe this area is worth exploring.

In today’s environment, companies thrive by moving fast and specializing. To remain focused on their primary business, companies leverage third party vendors to enhance competencies and solve non-core problems. In fact, the use of suppliers has increased so dramatically that only about a third of companies know the exact number of vendors accessing their IT systems.[i]

While third party vendors augment the company’s capabilities, they also open the door to a variety of potential vulnerabilities that attackers can exploit to defeat the company’s security posture. It is no surprise that leveraging trusted channels is an especially attractive way for cyber criminals to infiltrate well-protected organizations.

While there have been many supply chain security breaches in recent years, here are a few high-profile ones that demonstrate the impact of third party related security incidents:

· The Verizon breach, which involved six million customer records, was caused by misconfiguration of Nice Systems, a provider of customer service analytics

· A breach to customer engagement provider [24]7.ai exposed hundreds of thousands credit card details of Sears, Delta Airlines, Best Buy, and Kmart customers

· Criminals breached Target and stole 110 million credit card records after hacking to the company’s HVAC vendor, Fazio Mechanical Services

· Even the renowned Stuxnet malware attack on Iranian nuclear facilities supposedly made its way through vendor relationships

While those are meaningful breaches, it is important to note that today, the same breaches could have caused even larger negative impact with hefty fines stemming from regulations such as GDPR.

Security teams are aware of the threats originating from third party engagements. To tackle the problem, the teams have built processes, questionnaires, technological requirements, and legal baselines to limit the company’s exposure to devastating third party related breaches. All at the same time, companies move in a speedy pace on the pursuit of innovation and growth, onboarding more and more vendors to enhance their business offering. These conflicting views created an ongoing clash between the business units and the security teams in the organization on vetting of third party engagements.

The good news is that in recent years, security vetting has been dramatically improved by companies such as BitSight, a GGV portfolio company, which has built an automatic scanning mechanism to produce a vendor risk profile / security rating system. BitSight’s score is then used to approve, reject, or ask for remediation from the vendor. BitSight and a few other players in the category are tremendously valuable in reducing the pains of manual processes when evaluating a third party vendor’s security posture. I believe there is also an opportunity to complement ratings by providing active protection against third party cyber security breaches. Providing such active protection would not be an easy feat — Verizon 2018 Data Breach Report shows that 68% of security breaches take months or longer to discover and Symantec 2018 Internet Security Report confirms that supply chain attacks are especially difficult to protect against.

Moreover, as supply chain attacks are getting more widespread and growing in frequency and sophistication, there is in need for additional steps after assessing a vendor’s security score and riskiness level to the organization. The vendor’s access needs to be implemented in a way that is as least hazardous to the company, if things were to go wrong. With the global shortage of security professionals[ii], we cannot expect security architects to design a “safe” implementation for every vendor integration, or hope that security analysts will pick up a critical third-party related breach from the alerts flooding in. It is essential to utilize technologies to extend the company’s security capabilities beyond its core employees and infrastructure.

Active third party security protection mechanisms will not only enhance companies’ security posture, but also speed up security vetting process as security teams could isolate “risky” vendors to sterile environments of the business, requiring fewer efforts from the company as well as the vendor.

There are many interesting innovations that help extend companies’ security capabilities to actively protect against third party breaches. Here are a few categories that show promise:

Websites, mobile apps, and API protection — a new class of startups focuses on detecting and blocking unauthorized actions taken by third party scripts and SDKs integrated into the website/app. In addition, some start-ups allow companies to manage, control, and monitor API calls coming from different third party application services.

Zero trust providers — such technology providers allow IT and security teams to restrict third party access to specific applications in hybrid cloud environments. They can also audit and disable contractors from executing sensitive operations.

Run-time encryption — some emerging technologies utilize memory encryption to prevent unauthorized actors with infrastructure access from reading or changing application data.

There’s an inevitable understanding in the market that external suppliers are part of the modern company and pose a real threat. In fact, Gartner estimates that by 2020, 75% of Fortune Global 500 companies will treat vendor risk management as a board-level initiative. On my end, I trust that third party security is a large, growing category that has a meaningful bottom-line impact on companies. With the growing understanding of potential third party threats and the readiness of the market, I am excited to explore more innovations in this field.

Please reach out to me if you have a startup in this field, have similar interests or believe I should be looking at this problem differently!

PS — feel free to check out my previous episode on Passwordless future

[i] https://www.csoonline.com/article/3055012/techology-business/only-a-third-of-companies-know-how-many-vendors-access-their-systems.html

[ii] https://www.forbes.com/sites/forbestechcouncil/2018/08/09/the-cybersecurity-talent-gap-is-an-industry-crisis/