In Cybersecurity, Beware Single Points of Supply Chain Failure (SPOFs)
Some 15,000 car dealerships in the US are entering their big end-of-month sales period in a crippled condition, unable to book sales, register new cars or do other routine online tasks to keep the cash flowing, all because a critical suite of software products from CDK Global has been knocked offline by a ransom attack.
CDK specializes in software services for the automotive industry and judging by the effects of this attack, has been a go-to vendor for dealerships, a small cog that makes a large industry go round – much like ION, the financial trading services company that few people had heard of till the Lockbit gang seized it in early 2023 and knocked out the exchange traded derivatives business of the world’s largest financial firms.
Call them the single points of failure (SPOFs) of the software supply chain; the firms may be small or large in size, it’s their outsize impact on business operations that counts.
We’ve seen plenty of these SPOFs go down in recent times (such as file transfer services, cloud storage, IT system management). Now, there’s a growing realization that cyber defenders need to adjust their outlook on third party risk as a result.
One sign: as a result of the UnitedHealth/Change Healthcare attack and outage that disrupted payment systems for medical offices and pharmacies across the US in 2024, the US Department of Health and Human Services is mapping the risks generated by single points of failure in the healthcare industry. Change Healthcare handles around 44% of all funds processed in the country’s healthcare system, according to the American Hospital Association.
The Wall Street Journal reports that HHS is considering several systemic changes, such as easing contract terms to somehow allow healthcare services to negotiate standby contracts with backup supply chain partners.
Don’t wait for a systemic fix. The time to rethink your SPOF vulnerability is now.
FAIR Third Party Assessment Model (FAIR-TAM): Rethinking Third Party Risk Management (TPRM)
TPRM has struggled with outmoded techniques and thinking at the same time that large organizations have grown their third party relationships by the hundreds. Examples: outside-in scans that produce more noise than signal; manual questionnaires that are out of touch with a dynamic environment; or attempts to prioritize among vendors based on the dollar amount of the contract.
A working group of FAIR Institute Members is rethinking TPRM and developing a new model, FAIR-TAM, to understand software supply chain risk.
Some key principles that have emerged:
Identify your SPOFs and reorient your third party risk management program. A first principle of FAIR-TAM: tier your third parties based on a quantified view of the risk they pose to your data, network and revenue exposure, and target risk management accordingly.
Treat your third parties like your attack surface. Apply Zero Trust principles to TPRM. Assess first- and third-party risk and controls together as one continuum. Use FAIR-CAM, the FAIR Controls Analytics Model, to gauge the strength of your controls. Partner with supply chain vendors to improve their controls.
Up your game. Get inside-out, real-time telemetry from the environments of your most critical vendors; outside-in scans just aren’t sufficient. Automate wherever you can, for example by using LLMs to process questionnaires.
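To make the tiering principle concrete, here is an added illustration (not code from the FAIR Institute or from the FAIR-TAM working group) of a minimal FAIR-style quantification: each vendor's annualized loss exposure is taken as Loss Event Frequency times Loss Magnitude, with frequency reduced by an assumed control-efficacy factor in the spirit of assessing first- and third-party controls together, and a vendor with no standby alternative that carries a large share of revenue is flagged as a SPOF regardless of its dollar exposure. The vendor records, the tier thresholds, the revenue-share cutoff and the linear control-efficacy reduction are all constructed assumptions for the example; FAIR-TAM's actual method is not published on this page.

```python
"""
Added illustration (not code from the FAIR Institute post): a minimal,
FAIR-style quantification used to tier third parties by the loss exposure
they create and to flag single points of failure (SPOFs).

Assumptions, labelled as such: the vendor records, tier thresholds and the
SPOF heuristic below are constructed for illustration and are not FAIR-TAM's
published method. Risk is taken as FAIR's Loss Event Frequency x Loss
Magnitude, with LEF reduced by an assumed control-efficacy factor.
"""
from dataclasses import dataclass

# Assumed policy knobs (constructed): adjust to your own risk appetite.
TIER1_ALE = 500_000       # USD/year of annualized loss exposure that forces Tier 1
TIER2_ALE = 50_000        # USD/year threshold for Tier 2
SPOF_REVENUE_SHARE = 0.5  # share of revenue that halts if the vendor is down


@dataclass(frozen=True)
class Vendor:
    name: str
    loss_event_frequency: float  # expected loss events per year (FAIR LEF)
    loss_magnitude: float        # expected loss per event, USD (FAIR LM)
    control_efficacy: float      # 0..1 combined first-/third-party control strength (assumed)
    has_backup: bool             # standby contract with an alternative supplier?
    revenue_share: float         # fraction of revenue that stops when the vendor is down


def residual_lef(v: Vendor) -> float:
    """Loss event frequency after controls (assumed linear reduction)."""
    return v.loss_event_frequency * (1.0 - v.control_efficacy)


def annualized_loss_exposure(v: Vendor) -> float:
    """FAIR-style ALE: residual LEF times loss magnitude."""
    return residual_lef(v) * v.loss_magnitude


def is_spof(v: Vendor) -> bool:
    """SPOF heuristic: no fallback and a large share of revenue depends on the vendor."""
    return (not v.has_backup) and v.revenue_share >= SPOF_REVENUE_SHARE


def assign_tier(v: Vendor) -> int:
    """Tier 1 = SPOF or ALE at/above TIER1_ALE; Tier 2 at/above TIER2_ALE; else Tier 3."""
    ale = annualized_loss_exposure(v)
    if is_spof(v) or ale >= TIER1_ALE:
        return 1
    if ale >= TIER2_ALE:
        return 2
    return 3


def tier_vendors(vendors):
    """Rank vendors by ALE (highest first) and attach tier and SPOF flag."""
    ranked = sorted(vendors, key=annualized_loss_exposure, reverse=True)
    return [
        {
            "name": v.name,
            "tier": assign_tier(v),
            "spof": is_spof(v),
            "ale": round(annualized_loss_exposure(v), 2),
        }
        for v in ranked
    ]


# Constructed sample portfolio; every value is illustrative only.
SAMPLE_VENDORS = [
    Vendor("Dealer management platform", 0.25, 5_000_000, 0.2, False, 0.9),
    Vendor("Payment clearinghouse", 0.1, 2_000_000, 0.0, True, 0.6),
    Vendor("Marketing email SaaS", 0.5, 20_000, 0.8, True, 0.02),
    Vendor("Office supply portal", 0.3, 1_000, 0.0, True, 0.0),
]

if __name__ == "__main__":
    for row in tier_vendors(SAMPLE_VENDORS):
        flag = "  <-- SPOF" if row["spof"] else ""
        print(f"Tier {row['tier']}  ALE ${row['ale']:>14,.2f}  {row['name']}{flag}")
```

The point the ranking makes is that a SPOF lands in Tier 1 because of what its outage does to revenue, not because of its contract size, which is the reorientation away from dollar-amount prioritization that the principles above call for; the thresholds are deliberately exposed as constants so they can be replaced by figures from your own loss data.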
Watch this space…The FAIR Institute continues its work on third party and SPOFs risk management!
Learn more about the FAIR approach to Third Party Risk Management.