Our world continues to become more interconnected. Global enterprises and organisations rely on trusted relationships, with their third-party suppliers providing services from payroll and maintenance, to marketing and software development. It is common for third parties to extend to fourth and fifth parties, making supply chains more complicated with many suppliers doing many different things. It is very likely your business has a plethora of third-party supplier and vendors.
This is simply how businesses operate today.
Your business has no doubt been through countless security audits and reviews, but how do you really know your suppliers have been through the same rigorous testing when it comes to cyber security? How do you know third-party cyber security risk is not being introduced into your supply chain?
What Is a Supply Chain Attack?
Cyber attackers are no longer just 'breaking the lock at the front door' – they are now using ways to access your systems through an external partner or third party who has access to your systems and data.
These sorts of attacks are gathering momentum and sophistication, causing large-scale operational disruption, loss of revenue and a significant damage to brand, reputation and customer trust.
If you are a small organisation, you could be one part in a large supply chain. You could, in fact, be the first target of a supply chain attack. Smaller enterprises provide the hacker with a foothold into the supply chain network, since they have weaker cyber controls. Following a period of reconnaissance and exploitation, cyber criminals will then gain access to entry points belonging to larger companies, which is usually the end goal.
Do I Really Need to Worry about Supply Chain Risks and Cyber Attacks?
2020 was an unprecedented year for supply chain cyber attacks with a huge increase in the number of data breaches as a result of third parties.
In a recent survey conducted by 6clicks, only 27% of senior-level executives understood the nature of supply chain security against their companies. Only 24% reviewed immediate supplier risks. And a little over one in ten (14%) have reviewed risks for the wider supply chain.
The need to act now is clear.
Some of the world's biggest cyber attacks are initiated as a result of a supply chain vulnerability. The December 2020 SolarWinds supply chain attack sent shockwaves around the world when hackers injected malicious code into the company’s Orion software system. The malicious code was pushed out (as updates) to thousands of high-profile customers including the US Treasury, Government Departments and, Fortune 500 companies.
The incident has been a wake-up call for global businesses and also highlighted the devastating impact of supply chain attacks and the need to validate software suppliers, particularly those with software that has privileged access to information assets.
How Do You Secure Your Supply Chain?
Not only do you need to know how to secure your supply chain, but also what questions need to be asked as a leader to ensure the appropriate security measures are in place.
This is a hugely complex task that starts with raising awareness, building trusted relationships with your suppliers and having viability into your supply chain.
Here are 6 key points to start thinking about:
1) Put Supply Chain Security on the board agenda before it becomes the agenda
Not having the awareness of supply chain attacks in 2021 (and beyond) is no longer acceptable. Board members, executive leadership teams and senior staff must have basic awareness of cyber security risks. So include supply chain security as an item on the boardroom agenda.
2) Use a tiered approach to answer the vital question 'Who has our Data'?
Map out your supply chain (including your software supply chain) to identify which suppliers have your most critical data and pose the greatest risk.
One company I consulted with did this by creating a supply chain scoring system where highly critical and sensitive data exchanged with a supplier would be scored as a ‘tier 1’ supplier. The next category of data sensitivity would be a ‘tier 2’ supplier and so on. Each tiered supplier would then be subject to a security audit. Suppliers in lower tiers had different levels of reviews compared with those in higher-tiered suppliers.
3) How secure are our suppliers?
Conduct rigorous third-party assessments, particularly with your high-risk/tier suppliers. This will enable you to gain the necessary security assurance while also providing an important opportunity to evaluate your suppliers' security and privacy policies.
There are no shortage of supplier third party security questionnaires. Some example questions to ask your suppliers include:
- How do our suppliers train their staff on cyber security?
- What are their security policies in relation to joiners, movers and leavers?
- Does the supplier have a robust cyber incident response process and when was it last tested?
- How are we vetting our software vendors to ensure they are producing secure code aligned to a recognised methodology?
- What processes do our suppliers use for data back-up? How often is the process tested?
- Are our suppliers maintaining security software and patches to their latest releases?
4) Review access control mechanisms.
Nearly all third-party relationships involve some form of data access and exchange but this must be done with the right controls in place so that risks can be mitigated. The more people who have access to data, the harder it becomes to control and mitigate threats. For each critical supplier you need to take the time to understand who has access to your data and what they are doing with that data.
So ask yourself, why do they need access to this data? How do access controls get reviewed and how are you limiting third-party access into your sensitive data environments? Where possible, segment your networks and consider zero-trust architectures to verify users.
5) Have we included security clauses and SLAs in our vendor contacts?
Security clauses and conditions should be clearly stipulated within supplier contracts. Examples include:
- the right to be notified of a breach within a certain amount of time
- identifying who maintains ownership of the shared data
- how data will be handled throughout the lifecycle of the contract
- actions to take in the event of a data breach.
6) Include the supply chain in your response and remediation plan
Identifying risks is just one part of securing your supply chain. There needs to be an established and coordinated approach to managing your supply chain environment, particularly in the event of a major security incident.
There should be a tested disaster recovery and risk communications plan so that if an incident does occur, your organisation has well-rehearsed protocols to manage your supply chain environment, reacting swiftly and effectively.
For more information about how 6clicks can support your Supply Chain Security Program, please visit us or book a demo below. We're here to help!