Our world continues to become more interconnected. Global enterprises and organisations rely on trusted relationships, with their third-party suppliers providing services from payroll and maintenance, to marketing and software development. It is common for third parties to extend to fourth and fifth parties, making supply chains more complicated with many suppliers doing many different things. It is very likely your business has a plethora of third-party suppliers and vendors.
This is simply how businesses operate today.
Your business has no doubt been through countless security audits and reviews, but how do you really know your suppliers have been through the same rigorous testing when it comes to cyber security? How do you know third-party cyber security risk is not being introduced into your supply chain?
Cyber attackers are no longer just 'breaking the lock at the front door' – they are now using ways to access your systems through an external partner or third party who has access to your systems and data.
These sorts of attacks are gathering momentum and sophistication, causing large-scale operational disruption, loss of revenue and significant damage to brand, reputation and customer trust.
If you are a small organisation, you could be one part of a large supply chain. You could, in fact, be the first target of a supply chain attack. Smaller enterprises give an attacker a foothold into the supply chain network, since they have weaker cyber controls. Following a period of reconnaissance and exploitation, cyber criminals then gain access to entry points belonging to larger companies, which is usually the end goal.
2020 was an unprecedented year for supply chain cyber security, with a huge increase in the number of data breaches caused by third parties.
In a recent survey conducted by 6clicks, only 27% of senior-level executives understood the nature of the supply chain security risks facing their companies. Only 24% reviewed immediate supplier risks. And a little over one in ten (14%) had reviewed risks across the wider supply chain.
The need to act now is clear.
Some of the world's biggest cyber attacks are initiated as a result of weak supply chain cyber security. The December 2020 SolarWinds supply chain attack sent shockwaves around the world when hackers injected malicious code into the company's Orion software system. The malicious code was pushed out (as updates) to thousands of high-profile customers, including the US Treasury, government departments and Fortune 500 companies.
The incident has been a wake-up call for global businesses, highlighting the devastating impact of supply chain attacks and the need to validate software suppliers, particularly those whose software has privileged access to information assets.
Not only do you need to know how to secure your supply chain, but also, as a leader, which questions to ask to ensure the appropriate security measures are in place.
This is a hugely complex task that starts with raising awareness, building trusted relationships with your suppliers and having visibility into your supply chain.
Here are 6 key points to start thinking about:
Not being aware of supply chain attacks in 2021 (and beyond) is no longer acceptable. Board members, executive leadership teams and senior staff must have a basic awareness of cyber security risks. So include supply chain cyber security as an item on the boardroom agenda.
Map out your supply chain (including your software supply chain) to identify which suppliers have your most critical data and pose the greatest risk.
One company I consulted with did this by creating a supply chain scoring system where highly critical and sensitive data exchanged with a supplier would be scored as a 'tier 1' supplier. The next category of data sensitivity would be a 'tier 2' supplier and so on. Each tiered supplier would then be subject to a security audit. Suppliers in lower tiers had different levels of review compared with those in higher tiers.
Conduct rigorous third-party assessments, particularly of your high-risk, high-tier suppliers. This will enable you to gain the necessary security assurance while also providing an important opportunity to evaluate your suppliers' security and privacy policies.
There is no shortage of third-party supplier security questionnaires. Some example questions to ask your suppliers include:
Nearly all third-party relationships involve some form of data access and exchange, but this must be done with the right controls in place so that risks can be mitigated. The more people who have access to data, the harder it becomes to control and mitigate threats. For each critical supplier, take the time to understand who has access to your data and what they are doing with it.
So ask yourself, why do they need access to this data? How do access controls get reviewed and how are you limiting third-party access to your sensitive data environments? Where possible, segment your networks and consider zero-trust architectures to verify users.
Security clauses and conditions should be clearly stipulated within supplier contracts. Examples include:
Identifying risks is just one part of securing your supply chain. There needs to be an established and coordinated approach to managing your supply chain environment, particularly in the event of a major security incident.
There should be a tested disaster recovery and risk communications plan so that if an incident does occur, your organisation has well-rehearsed protocols to manage your supply chain environment, reacting swiftly and effectively.
Get started with 6clicks to manage supply chain cybersecurity with our AI-powered platform.