Almost all businesses are up against the supply chain threat. In simple terms, this is the risk that an attacker could infiltrate your corporate system through an outside partner or a provider that has access to your networks, systems and data.
Securing your supply chain can be very difficult because security vulnerabilities can be introduced and exploited at any point in the wider supply chain, such as a third-party software supplier, or even a website that is frequently used by the target organisation. According to a Cyber Readiness Report by insurance provider Hiscox, in the past year 65% of organisations “experienced one or more cyber-attacks as a result of a weak link in their supply chain”.
What does supply chain risk look like?
There are many case studies that illustrate the dangers and potential consequences of a poorly secured supply chain. For example, the biggest global cyberattack to date, the NotPetya ransomware outbreak in 2017, originated from a trusted Ukrainian accounting software company that distributed an infected software update to its clients. The developers of that software had poor cyber security measures in place, and because thousands of customers downloaded the ransomware-laden update, the attack led to the loss of hundreds of millions of pounds for businesses all around the world.
Determining which partners in your supply chain should have access to your own corporate systems is a key consideration, and this issue was highlighted by the high-profile breach of the Target Corporation in 2013. Although this example is now seven years old, it clearly demonstrates the severe consequences of not managing supplier access to a network.
Target, one of the USA’s largest retailers, was hacked when an attacker initially breached Target’s air conditioning supplier and found that this vendor had full access to Target’s corporate network. From there, the attackers were able to pivot through Target’s network and install malware on the Point of Sale systems in Target’s stores. The outcome was disastrous: not only was the CEO forced to resign, but 475 employees also lost their jobs, and the total cost to Target for remediation and compensation is estimated to have been in the region of $300 million.
How do I secure my supply chain?
Understand your own assets
As a starting point, businesses should have an understanding of the risks to their own assets and identify what data needs to be protected and why. The next task is to establish who your suppliers are and understand what their security looks like, and therefore what the security risk is. At a basic level, the process of assessing the level of risk from suppliers should include considerations of the criticality of each supplier (i.e. do your core operations depend upon this supplier?). As demonstrated by the Target case study, you should also consider each supplier’s and contractor’s need for, and level of, access to your corporate systems. Suppliers will need access to corporate networks for a variety of reasons, but it is very important to identify exactly what they require access to, and block access to everything else.
Communicate minimum security requirements
Another crucial action is to set and communicate your minimum security requirements for your suppliers. The level of assurance you will require from high, medium and low risk suppliers will likely differ, but in the case of smaller companies, you can certainly impose criteria such as a requirement to hold a Cyber Essentials certification or a commitment to regularly undertake a penetration test. In the UK, Cyber Essentials and ISO 27001 are minimum requirements for doing business with a number of government and corporate organisations. Despite this, a government security breach survey from 2019 uncovered that only 18% of businesses require their suppliers to have any cyber security standard.
In the case of large-scale suppliers, it’s unlikely that you will be able to impose your own terms or perform additional assurance activities yourself, such as an onsite security audit or completing a security questionnaire. However, many of these organisations will already publish information about their security controls and certifications. In these cases, you’ll probably be accepting the risk, with the understanding that a strong security posture is in the best interest of these large supplier organisations.
What happens if something goes wrong?
Even when you have put in place your own cyber security measures and criteria for your suppliers, there is still a risk that a security incident will happen. To help prepare for this, you should also ensure your organisation has a comprehensive incident response plan that gives you the framework to minimise damage and get the business operating again. In addition, it is becoming increasingly important that you also ensure your cyber insurance policy covers damage caused by supplier compromise.
How we can help secure your supply chain
Cyber security should be a key consideration in any decision on new partnerships/collaborations or decisions on suppliers, providers, mergers and acquisitions. However, sometimes it’s a matter of getting started and that’s often the hardest part.
BOM IT Solutions work with our cyber security partner Protection Group International (PGI) to offer a range of services that will help you gain a deeper understanding of, and more control over, your supply chain management, including their Cyber Assurance as a Service offering, which enables you to call on a full team with specialist expertise for your information and cyber security requirements. This expertise includes creating and implementing risk assessment processes, creating supplier assurance policies and procedures (such as security-related contract clauses and due diligence questionnaires), and carrying out onsite supply chain audits.
For more information and for a free consultation to discuss supply chain risk or any other technology requirement for your business please call us on 0800 038 7222 or complete the contact form below.