Collin Robbins, Managing Security Consultant, Nexor
Organisations from SMEs to multinational corporations experience cyber attacks almost daily. Many of these attacks and data breaches originate from the same place: the supply chain, where security can be weak or mismanaged, or the individuals who work within a supply chain and use their home networks as an entry point into their working environment.
When an organisation joins your supply chain to provide goods or services, it may need access to certain proprietary data or systems, and that access can compromise your security. It is highly likely that parts of your supply chain will have such access, for example to provide support for equipment, and each connection creates a potential entry point into your infrastructure. Your own company may have deployed a number of security defences to protect its network, but can you say the same about your suppliers?
The supply chain is a risk for your company, no matter what your organisation does. As soon as you start to outsource, you lose an element of control over your data. Some common weaknesses in supply chain management affecting businesses are:
Lack of resources in the supply chain
In an ideal world, companies in the supply chain would take sole responsibility for dedicating sufficient resources to managing their own security. In practice, however, many suppliers do not identify security as a core business need, and are either unaware of or indifferent to the impact a compromise at their end will have downstream on their customers. In these cases it becomes imperative to impose your minimum expected security standards on the supplier, where possible, and to require the supplier's commitment to those standards as a condition of the contract.
This commitment should be reviewed regularly with each supplier to ensure that they continue to maintain the capability. If they do not, a risk assessment should be carried out to determine whether the value the supplier brings to your business exceeds the potential damage a supply chain attack through them could cause. In the worst case it may be necessary to find a new supplier.
Inability to adapt to supply chain changes
When it comes to suppliers, one size does not fit all. Supply chains come in varying sizes, and the longer your chain, the more attention you need to give it. A flexible management approach should be adopted, dependent on the risk associated with each supplier. For example, the risk posed by your third-party network management provider, who has privileged access to your infrastructure, will usually be far greater than the risk posed by the supplier of commodity software licences. As the customer at the head of the chain, you must ensure that your security requirements flow down to sub-tier suppliers and that the resulting controls are monitored at each tier.
A lack of communication between business and supplier
Communication between suppliers and their customers about updated security measures and the reporting of incidents is key across the chain. If suppliers are not aware of expected changes to the security of the chain, or do not understand the steps to take in the event of a breach, cyber attacks are more likely to succeed and give criminals access to the core business. Building security requirements into the contracting process helps alleviate these issues, because all parties then hold written confirmation of the security expectations. Regular reviews of the process are essential and help flag weaknesses or communication that has been missed.
How to prevent an attack through the supply chain
It is important that a business understands the risk a supplier may pose and ensures that the supply chain has appropriate security controls in place. These will vary and flex depending on the type of data the supplier handles and the influence it has on the business. One starting point is to require all suppliers to attain Cyber Essentials certification, which is becoming the UK's minimum standard of security. However, this baseline is likely to be insufficient for high-risk suppliers.
Regular auditing of the chain
Audits of critical suppliers are important to ensure that they are safeguarding data in the ways they claim. The depth of the assessment should flex with the risk, from a simple self-assessment questionnaire to a full-scale on-site second- or third-party audit. It is all about assessing the level of threat and acting accordingly.
Making sure the chain understands the importance
Ensure that your supplier understands the procedures in place for contacting you in the event of a breach. Complete a risk analysis of your suppliers to understand the knock-on effects to your company should their systems be compromised, and create a contingency plan around this. The plan should be ready to invoke immediately if needed, limiting the damage that can be done to your business.
Mitigate against any risks
As a company, you must decide which controls you can insist the supplier improves in order to continue doing business with them. If they do not comply, can you put mitigating procedures in place on your own side? If you cannot mitigate, you must then consider the impact of an attack on your business, and whether you can accept the risk and deal with it when it materialises.
Cyber attacks are a major threat to many businesses and can affect every entity in the supply chain from top to bottom. It is essential that all parts of the supply chain work in tandem to maintain tight security for everyone involved.