Today’s supply chains are often opaque and complex, compromising mass ecosystems of vendors, suppliers and partners connected by servers, web applications and the cloud. In turn, these organisations have their own suppliers, who also have their own suppliers and so on. Without sufficient control and visibility into this extensive ecosystem, organisations struggle to manage third-party cyber risks.
Recent high-profile security incidents like the Kaseya ransomware attack and the SolarWinds breach reinforce the security risks of today’s hyper-connected supply chains. In these instances, the attackers were able to infiltrate the infrastructure of much larger companies by exploiting security vulnerabilities in the networks of third-party software vendors.
These risks aren’t especially new either. The Target data breach in 2013 started as a supply chain attack, in which the attackers used a third party to gain access to Target’s systems – but the issue is growing. Carbon Black research on supply chain risks has highlighted a rise in island hopping attacks. This type of intrusion occurs when a malicious actor exploits a security vulnerability in a small business to move laterally to target its customers, suppliers or partners. The European Union’s report on supply chain attacks also expects four times more software supply chain attacks in 2021 than in 2020.
In this environment, it is no longer enough for organisations to focus on protecting their own infrastructure while trusting their suppliers to do the same. As physical and digital items become more connected and supply chains become more complex, fostering security in the digital supply chain is imperative.
Digital supply chain core principles
Below are four core principles that organisations should consider for improving the security and resilience of their digital supply chain. For more detailed advice, please read our guide on supply chain cyber security.
- Create a clear picture of your supply chain
Gaining control over supply chain cyber-risks starts with visibility. Organisations need to determine who their suppliers are, the value of the data they have access to, and sub-contractors and acquirers they work with. Because of the complexity of modern-day supply chains, it will take time and resources to build a complete picture of the extent of your supply chain.
- Establish a formal programme for supply chain cyber risk management
Supply chain cyber risk management is a complex undertaking that requires collaboration, planning and accountability. As NIST’s supply chain cyber risk management report advises, organisations should take a formal approach to this issue by creating a supply chain cyber risk management programme that establishes governance, policies and procedures, processes, and tools for supplier and partner relationships. Examples of such policies (which should be embedded in supplier contracts, where possible) include the ‘right to audit’ and even assurance via certifications of standards like Cyber Essentials Plus or ISO 27001.
The size and sector of your organisation will dictate the intricacies and depth of your programme. A smaller organisation, for example, may not need as many policies and procedures in place as a large multinational. The organisation should also ensure the programme is a cross-department collaboration that converges cybersecurity, physical security, supply chain and risk management functions.
- Review supplier criticality and take a risk-based approach
Once a formal programme has been put in place and risk tolerance levels established, organisations must then assess their suppliers – present and future – using risk measurement tools, starting with critical suppliers. For further information on risk measurement and assessment, please read Risk Guidance – First Drop and CPNI Operational Requirements.
Critical suppliers are those that either provide critical business services or who, if disrupted, would harm the organisation. In the latter instance, suppliers provide digital infrastructure or store/manage sensitive data. There are a number of tools available to determine critical suppliers, such as the CPNI Personnel Security Maturity Model. Here, a document classification policy will help, so organisations know which suppliers they share sensitive information with or can access sensitive information.
From there, the organisation can work with these suppliers to establish security requirements within their working contracts. In the case of new suppliers, organisations must ensure cybersecurity is considered from the outset. Security requirements should be included in the procurement process as a pre-requisite for a working relationship.
It is recommended to take supplier requirements on a case-by-case basis. The security requirements for a payroll software provider, for example, will be more stringent than an office supplies provider. Organisations should, therefore, set criteria based on the risks associated with each provider as opposed to taking a blanket approach – which could result in disproportionate requirements.
- Collaborate, assess and monitor supply chain relationships
NIST notes that mature organisations in this field have established close, ongoing relationships with their suppliers. They look to demystify the complexity of modern supply chains by coordinating and harmonising the security standards they use to reduce levels of risk.
As well as this, we recommend organisations consider their suppliers in their incident response planning activities. By involving critical suppliers in incident response, organisations can better test and plan for potential security incidents and improve resilience in the face of such events.
Lastly, it’s crucial to note that supplier assessments are point-in-time events. Organisations are constantly changing; a supplier that was deemed secure yesterday may no longer be today. This is why it is pivotal to ensure that supply chain cyber risk programmes are dynamic and ongoing. They should not stop after procurement but continue throughout the whole relationship life cycle. Monitoring practices include reviewing that cybersecurity requirements are being met, identifying areas for improvement, and regularly assessing supplier controls.
Supply chain cyber security is a growing concern, and industry bodies have been proactive in providing dedicated guidance on the topic. As well as our own guide on supply chain cyber security, we recommend organisations review NIST 800-161, NIST’s Key Practices in Cyber Supply Chain Risk Management and The UK National Cyber Security Centre’s 12 principles on supply chain security.
With the increasing interconnection of business, managing third-party suppliers is becoming a complex and sprawling issue, opening further avenues of risk. Limited resources and availability of adequate expertise around this subject are proving to be a key challenge. Call us for a no-obligation chat if you need support and direction in managing your third-party supply chain.