Small and medium-sized businesses (SMBs) are fighting an uphill battle when it comes to defending their environments against cybercrime. From email-borne BEC attacks to AI-powered social engineering campaigns, they face the same or a higher volume of sophisticated cyber threats as larger organizations — except with far fewer tools, less funding, and less security expertise to draw on. This resource gap often results in a failure to implement essential security practices, software updates, audits, and awareness training at scale.
For SMBs, one breach that compromises the larger entities in their supply chain is enough to jeopardize business-critical revenue streams during the current economic downturn. This isn’t just an IT problem. Cyber risk is a fundamental business risk today more than ever, and an SMB’s inability to defend itself places its partners, suppliers, investors, employees, and customers at heightened risk as well.
This is why opportunistic advanced persistent threat (APT) groups are increasingly targeting SMB vendors to compromise the “bigger fish” of their supply chain ecosystems. Supply chain vulnerabilities allow threat actors to cast a wider net and inflict more damage with the same amount of manpower as traditional tactics, techniques, and procedures (TTPs). The average major supply chain attack goes unnoticed for 235 days, which is largely due to a lack of visibility across the supply chain ecosystem after an actor breaches a smaller third-party vendor. Consider it the path of least resistance — and the main reason why we’re seeing rapid upticks in supply chain threats.
MSPs in the spotlight
Among SMBs, managed service providers (MSPs) are some of the most heavily targeted. Organizations often enlist regional MSPs to outsource and optimize various cloud technology services, and MSPs provide the invaluable service of helping organizations find the right solutions for their ecosystem. According to CISA data, SMB information and communications technology (ICT) providers represent more than 160,000 companies across the United States, connecting millions of households and businesses digitally every day. By compromising an ICT provider’s network, attackers can distribute malware to a customer base spanning several different sectors and supply chains.
In November 2022, members of the Five Eyes (FVEY) intelligence alliance – which includes the FBI, CISA, and NSA – issued a joint advisory warning of an expected uptick in MSP-related attacks on the horizon.
In July 2021, Kaseya VSA software, a cloud-based platform commonly used by MSPs to remotely manage IT environments, was leveraged to distribute REvil ransomware to thousands of organizations. This prompted the National Institute of Standards and Technology (NIST) to release its Defending Against Software Supply Chain Attacks report, which recommends having a robust cyber supply chain risk management (C-SCRM) approach in place. Per NIST’s framework, this approach should entail:
Integrating C-SCRM across the organization
Establishing a formal C-SCRM program
Knowing and managing critical components and suppliers
Understanding the organization’s supply chain
Closely collaborating with key suppliers
Including key suppliers in resilience and improvement activities
Assessing and monitoring security practices throughout the supplier relationship
Planning for the full lifecycle
The role of multi-layered integration
A C-SCRM approach can be valuable guidance for cybersecurity leaders, particularly for SMBs and MSPs that lack the resources to adhere closely to the NIST framework. The framework is flexible, though, so beyond having a C-SCRM approach in place, SMBs – and by extension, managed service providers – should also focus on closing their resource gap to mitigate supply chain cyber risk, for example by approaching cybersecurity spending, implementation, and deployment with a multi-layered integration mindset.
Collaborating with security vendors that offer deep libraries of multi-layer integrations can enable SMBs to strengthen their defenses without dramatically increasing spending. This integration approach brings the foundational security functions performed by a variety of siloed (and expensive) tools — email security, network detection and response, data security, and endpoint security, for example — into a single, more cost-effective framework.
It provides a holistic view of an organization’s hybrid attack surface, enabling understaffed security teams to improve efficiency through cross-functional threat intelligence sharing, AI-powered workflows, and consolidation of tool data in order to defend high-value data assets effectively. And by automating certain steps of protection, detection, response, and mitigation protocols, multi-layered security architectures streamline the manual workflows that contribute to high rates of human error and burnout across the cybersecurity sector.
With supply chain attacks an ongoing reality, now is the time for SMBs to think proactively about how to maximize the value of their security stack. Adopting and designing multi-layer integration frameworks that align with their unique risk profiles is the most effective way to do more with less across an accelerating threat landscape.