Organizations are at risk of an attack on one of their vendors that may impact their day-to-day operations. Citing a recent major breach in the information technology industry as an example, it’s clear that by using ransomware hackers, malicious actors can assault operations, ultimately affecting any organizations that use the IT Management Software. The attack affected roughly 1,500 customers and showcased that if you do not have a supply chain resistant to ransomware, you could be leaving your organization open to risk.  

Learn more through our webinar: Supply Chain Attacks: The Rise of Ransomware and How to Reduce Your Risk 

Ransomware Popularity and The Third-Party Risk Impact  

As the new trend in ransomware attacks against critical infrastructure rises, companies across the globe are looking to improve their supply chain visibility and overall security processes. Bad actors are targeting countries’ essential goods and services (e.g., the recent major attack on the oil and gas industry) because their criticality to daily life creates a more urgent requirement to pay the ransom, showcasing supply chain vulnerabilities for both corporations and governments.   

While ransomware is becoming increasingly common, it’s also happening on a larger scale. The cases we’re seeing are increasing in success, and as more attacks gain the attention of the media, hackers are realizing that they can extort companies with a large customer base to maximize the impact of their attacks. This, paired with the scale of many organizations’ vendor ecosystems, poses an enormous emphasis on preventing supply chain attacks through third-party risk management.   

Third-Party Risk Management Can Identify Risky Vendors 

Organizations must ensure the suppliers they work with have suitable measures in place to both prevent ransomware and respond quickly if they fall victim to an attack. This is done by implementing a third-party risk management program operationalized to provide visibility into potential risks, enabling teams to prepare for a potential attack. For example, a third party who cannot provide evidence of a strong security program with appropriate policies and controls may be more susceptible to a ransomware attack.

Organizations should consider the level of risk of a supplier going offline for an extended period as a result of the recent increase in ransomware activity. Can your organization survive if a key supplier or partner is taken offline? Or, do you need additional redundancy or secondary processes to get the organization through such an event? 

The Third-Party Risk Management Lifecycle and Supply Chain Risk  

The third-party risk management lifecycle is how a vendor relationship progresses over time. Understanding this lifecycle is the first step to implementing a program that will enable your team to prepare for and prevent ransomware attacks. Here are the stages of the cycle to focus on to gain insight into your third parties and the risks that they pose:  

  1. Third-party identification   
  2. Evaluation & selection   
  3. Risk assessment   
  4. Risk mitigation   
  5. Contracting and procurement   
  6. Reporting and recordkeeping   
  7. Ongoing monitoring   
  8. Vendor offboarding  

Each of the above steps is critical to empowering your team to find potential supply chain gaps, allowing them to address them head-on or put a plan in place in the event an attack occurs due to the gap in question.  

Don’t forget to assess the maturity of your 4th parties. If the risk management stops at the first link in the supply chain, then the overall risk of an event can still be high. You want to ensure that your vendors are assessing their vendors and the risk of downstream issues as they will impact your organization.  

How Can OneTrust Help?  

The OneTrust platform leverages expertise in third-party risk managementprivacyGRC, and many other categories to deliver an immersive third-party risk management experience. We enable you to gain visibility into all aspects of your organization’s security structure by building your TPRM program from the ground up, giving you a vendor inventory and enabling your team to link vendors to their data maps and business processes, ultimately allowing you to understand data flow entirely.   

Specifically, you can build a more secure supply chain by assessing a supplier’s ability to prevent and respond to ransomware while also understanding where key weaknesses and threats exist to prioritize risk mitigation and work with vendors you trust. 


Next steps on supply chain attacks:  

Watch the webinar: Supply Chain Attacks: The Rise of Ransomware and How to Reduce Your Risk 

Watch the webinar: Ransomware Hacks: Are Your Vendors Vulnerable? 


Further reading: 

Blog: What is Third-Party Risk Management? 

Blog: Understanding Third-Party Risk: The Most Common Risk Categories 

Blog: Automating the VRM Lifecycle: Practical Automation to Scale Your Vendor Risk Program 


Follow OneTrust on LinkedInTwitter, or YouTube for the latest on supply chain attacks.