Introduction:
In today's digital age, it's no secret that small, medium and enterprise businesses alike rely on suppliers and partners to keep their operations running smoothly. But those suppliers also bring unexpected risks and cybersecurity challenges. This guide explores the threat, how to assess it, and how to plan for and protect your organisation from cyber security risks within the supply chain.
Watch the BSi’s Matt Goodbun talk about supply chain risks and how to overcome them
‘So what’ if my suppliers get hacked?
While suppliers can be a real asset to your business, they can also pose some unintentional cybersecurity risks. Imagine this scenario: your supplier, the one you've trusted with your protected information like passwords, bank details, and addresses, gets hacked.
Having breached your supplier's security, the hackers now hold your credentials.
It's not just about losing your data; more importantly, they now have the keys to your castle: your network, your business and more. Keep reading …
Neglect your supply chain at your own risk
Despite grave risks, many firms neglect supply chain security. Shockingly, the 2023 Security Breaches Survey reveals few UK businesses set security standards for suppliers. With high-profile attacks demonstrating attackers' intent and capability, this escalating trend demands immediate action.
Understanding the scale, the threats and supply chain risk
The number of suppliers an organisation has can vary widely based on its size, industry and business model. However, SMBs generally have anywhere between twelve and a hundred suppliers, while large enterprises operating globally often have thousands.
Every supplier is a potential route into your business for an attacker, so whether your organisation is large or small, it carries significant risk. Equally, as a supplier yourself, you need to consider the risk you pose to your customers, whatever they look like.
Phishing attacks pose a persistent danger, with malicious actors exploiting human weaknesses through deceptive emails and social engineering.
Malware injection looms large, as attackers seek to compromise software and systems within the supply chain. Additionally, the growing trend of insider threats calls for a critical examination of internal security measures. Vigilance against these multifaceted threats demands a holistic cybersecurity approach, in which risk assessment, robust vendor evaluations and the fortification of digital supply chain links are integral components of a resilient defence strategy.
Common risks
The threat is constantly evolving, especially with the arrival of AI tools and software kits sold and used by hackers via the dark web. However, there are four clearly defined routes where risk is high:
Third party software providers
Third-party software is compromised, and malicious actors use that software, which you have deployed on your network, to compromise your organisation and its data. Examples include SolarWinds and Dragonfly.
Website builders
Software platforms used by organisations to run and manage their websites are compromised using various techniques, including XSS, SQL injection, DoS, CSRF, phishing, social engineering and file inclusion. Examples include Shylock.
Third party data storage
Your third-party data storage provider is compromised, often through a backdoor route.
Watering hole attacks
A vulnerability is exploited in a website used by large numbers of users, perhaps even entire sectors, ultimately enabling the attacker to gain remote access to the target's systems.
Real world examples to consider
Watch the exclusive SolarWinds CISO interview: hackers target SolarWinds to access thousands of enterprises.
Assessment and preparedness: four critical streams
OK, so you get it: your supply chain presents a not insignificant risk to your organisation. To be confident that your supply chain is secure, there are four commonly recognised areas of practice you need to adopt.
1. Establish the risks
To gain confidence or assurance that mitigations are in place for the vulnerabilities that come with working with suppliers, you first need to understand what needs to be protected and why, know who your suppliers are, and understand the risks they pose.
Where do you start?
Supply chain mapping (SCM) is the process of recording, storing and using information gathered from suppliers who are involved in your supply chain. The goal is to get a current view of suppliers, so that due diligence can be undertaken and cyber risks managed effectively.
How to: supply chain mapping
Given the complexities of the supply chain, this can be a considerable undertaking. However, on balance, the risk presented and the impact of a breach via your supply chain definitely outweigh the time it takes to undertake this activity. It is an essential step in managing supply chain cyber security risk and in deciding the steps you need to take to protect and defend your organisation.
- Create an inventory file that can be used to collect supplier information in a consistent manner in a centralised, secure repository
- Record the following:
  - Who your suppliers are
  - What they provide, and the importance of the asset they provide
  - How they provide their product/service
  - How they are connected/interconnected
  - What information you share with each supplier, and whether they share your information with any third parties
  - The data and assurance officer within the supplier
  - The date of the supplier's last assurance assessment
  - Certifications held, e.g. Cyber Essentials, ISO etc.
- Don't forget to look at sub-contractors too
- Consider contract terms for suppliers and sub-contractors
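As an added illustration of how the mapping file above can drive due diligence (example code, not part of the original guide): a small triage routine over a constructed supplier inventory that records the fields listed, flagging stale assurance assessments, missing certifications or contacts, onward data sharing, and high-importance suppliers with a network connection. The CSV records, the 365-day review cadence and the reference date are all constructed assumptions.

```python
"""Triage a supply chain mapping inventory (added example, constructed data)."""
import csv
import io
from datetime import date

# Constructed sample inventory using the fields the guide says to record.
INVENTORY_CSV = """\
supplier,provides,importance,connection,data_shared,shares_with_3rd_parties,assurance_officer,last_assessment,certifications
Acme Payroll,payroll processing,high,API to HR system,staff bank details,yes,j.smith@acme.example,2022-11-03,Cyber Essentials Plus
Cloud Store Ltd,file storage,high,VPN,customer records,no,ops@cloudstore.example,2024-02-10,ISO 27001
Web Build Co,website CMS hosting,medium,none,none,no,,,Cyber Essentials
Office Supplies Inc,stationery,low,none,invoice addresses,no,,2023-06-15,
"""

ASSESSMENT_MAX_AGE_DAYS = 365   # assumed review cadence, not a standard
TODAY = date(2024, 6, 1)        # fixed reference date so results are repeatable


def load_inventory(text):
    """Parse the CSV mapping file into one dict per supplier."""
    return list(csv.DictReader(io.StringIO(text)))


def triage_supplier(row, today):
    """Return the follow-up findings for one supplier; [] means nothing to chase."""
    findings = []
    if row["last_assessment"]:
        age = (today - date.fromisoformat(row["last_assessment"])).days
        if age > ASSESSMENT_MAX_AGE_DAYS:
            findings.append(f"assurance assessment is {age} days old")
    else:
        findings.append("no assurance assessment on record")
    if not row["certifications"]:
        findings.append("no certification recorded")
    if not row["assurance_officer"]:
        findings.append("no named assurance contact")
    if row["shares_with_3rd_parties"] == "yes":
        findings.append("shares your data with third parties: map the sub-contractors too")
    if row["importance"] == "high" and row["connection"] != "none":
        findings.append("high-importance supplier with a network connection: confirm MFA and contract terms")
    return findings


def triage(text, today):
    """Map supplier name -> list of findings for the whole inventory."""
    return {row["supplier"]: triage_supplier(row, today) for row in load_inventory(text)}


if __name__ == "__main__":
    for name, findings in triage(INVENTORY_CSV, TODAY).items():
        print(f"{name}: {'; '.join(findings) or 'no follow-up needed'}")
```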
2. Regain control
Make sure your suppliers are up to standard with your cybersecurity standards. Do they have Cyber Essentials or Cyber Essentials Plus certifications?
To that end, start by raising awareness of security within your supply chain – this can start with a simple communication stating your intentions and recognition that security is paramount.
This forms a precursor to communicating your view of security and, with it, stating what standards you demand of suppliers; then ask them to provide evidence that they meet the minimum standards you have set. The evidence they share should be recorded in your supply chain mapping file.
It is also worth engaging your senior management team to build security considerations into contracts and terms and conditions, and to enforce them as new suppliers are onboarded. Implement robust contract clauses mandating adherence to security standards, ensuring suppliers share your commitment. Of course, your customers, whatever they look like, will be enforcing the same with you.
3. Build-in assurance activities by default
To fortify your supply chain against cyber threats, integrate assurance activities into your management approach.
Foster transparent communication channels with suppliers for swift issue resolution and consider cyber insurance to mitigate potential damages.
Strive for continuous assessment and monitoring, employing threat intelligence tools to stay ahead of evolving risks.
And lastly, invest in supplier education, if you can, to continually raise awareness about cybersecurity best practices and promote a shared responsibility for a secure supply chain.
4. Your own game plan
Above and beyond the usual best-practice approaches to cyber security, there are a few small measures to add specifically in relation to the supply chain, to help you defend and protect yourself from supply chain threats.
Whenever you're setting up accounts with suppliers, don't cut corners. Use unique and robust passwords: at least 12 characters, including letters, at least one number and at least one symbol.
Make multi-factor authentication (MFA) your best friend: ensure suppliers have MFA set up for account access, and specify that they switch it on for access to shared platforms or systems, to lock out unauthorised access.
Make sure you're undertaking timely software and system patching and, where possible, insist that suppliers do the same, so that vulnerabilities are promptly addressed and risk is reduced.
Key take-aways
- Get to know your suppliers in detail to establish a programme of risk management
- Enforce security standards amongst your suppliers
- Implement continuous good practices for assessment, monitoring and communication
- Get your own house in order when onboarding suppliers