Unmasking Supply Chain Vulnerabilities:

Introduction:

In today's digital age, it's no secret that small, medium and enterprise businesses alike, rely on suppliers and partners to keep their operations running smoothly. But these suppliers all bring unexpected risks and cybersecurity challenges. This guide explores the threat, how to assess it, plan and protect your organisation from cyber security risks within the supply chain.

‘So what’ if my suppliers get hacked?

While suppliers can be a real asset to your business, they can also pose some unintentional cybersecurity risks. Imagine this scenario: your supplier, the one you've trusted with your protected information like passwords, bank details, and addresses, gets hacked.

The hackers now have your credentials having breached your supplier's security. It's not just about losing your data, more importantly, they now have the keys to your castle, your network, your business and more! Keep reading …

Neglect your supply chain at your own risk

Despite grave risks, many firms neglect supply chain security. Shockingly, the 2023 Security Breaches Survey reveals few UK businesses set security standards for suppliers. With high-profile attacks demonstrating attackers' intent and capability, this escalating trend demands immediate action.

Understanding the scale, the threats and supply chain risk

12 - 1000s

No. of suppliers you have

The number of suppliers an organisation has can vary widely based on its size, industry, and business model. However, SMB’s generally have anywhere between twelve to a hundred suppliers, while large enterprises operating globally often have thousands.

Every supplier presents a potential route in to compromise your business. Therefore, large or small, your organisation has some significant risks. Equally, as a supplier yourself with customers, whatever they look like, you need to consider your risk to your customers.

Phishing Attacks pose a persistent danger, with malevolent actors exploiting human vulnerabilities through deceptive emails and social engineering.

Malware Injection looms large, as attackers seek to compromise software and systems within the supply chain. Additionally, the growing trend of Insider Threats necessitates a critical examination of internal security measures. Vigilance against these multifaceted threats demands a holistic cybersecurity approach, where risk assessment, robust vendor evaluations, and the fortification of digital supply chain links become integral components of a resilient defence strategy.

Real world examples to consider

• June 2023 – MOVEit Supply Chain Attack and data extortion
• March 2023 – 3CX DesktopApp security issue
• February 2023 – Applied Materials Supply Chain Attack
• December 2022 – PyTorch struck exfiltrating data and files
• December 2022 – ‘Fantasy’ Wiper Supply Chain Attack

Assessment and preparedness; 3 critical streams

OK, so you get it, your supply chain presents a not so insignificant risk to your organisation. To be confident that your supply chain is secure there are four commonly recognised areas of practice you need to adopt.

1. Establish the risks

To gain confidence or assurance that mitigations are in place for vulnerabilities associated with working with suppliers, you firstly need to understand what needs to be protected and why, know your suppliers and understand the risks they pose.

Where do you start?

Supply chain mapping (SCM) is the process of recording, storing and using information gathered from suppliers who are involved in your supply chain. The goal is to get a current view of suppliers, so that due diligence can be undertaken and cyber risks managed effectively.

How to: supply chain mapping

Given the complexities of the supply chain, this can be a considerable undertaking. However, on balance the risk presented versus the impact of a breach via your supply chain quite definitely outweighs the time it takes to undertake this activity. It is an essential step to managing supply chain cyber security risk and the steps you need to take to protect and defend your organisation.

1. Create an inventory file that can be used to collect supplier information in a consistent manner in a centralised secure repository
2. Record the following:
   • Who your suppliers are
   • What they provide, and the importance of the asset they provide
   • How they provide their product/service
   • How they are connected/interconnected
   • What information you share with each supplier, and whwther they share your information with any 3rd parties
   • Data and assurance officer within supplier
   • Date of suppliers last assurance assessment
   • Certifications held eg. Cyber Essentials, ISO etc
3. Don’t forget to look at sub-contractors too
4. Consider contract terms for suppliers and sub-contractors

2. Regain control

Make sure your suppliers are up to standard with your cybersecurity standards. Do they have Cyber Essentials or Cyber Essentials Plus certifications?

To that end, start by raising awareness of security within your supply chain – this can start with a simple communication stating your intentions and recognition that security is paramount.

This forms a precursor to communicating your view of security, and with it, stating what standards you demand of suppliers, then ask them to demonstrate to you evidentially that they meet the minimum standards you have set. The evidence they share should be reflected in your supply chain mapping file.

It is also worth engaging your senior management team to build security considerations into contracts, terms & conditions and enforce them as new suppliers are onboarded. Implement robust contract clauses mandating adherence to security standards, ensuring suppliers share your commitment. Of course, it goes without saying, your customers, whatever they look like, will be enforcing the same with you.

3. Build-in assurance activities by default

To fortify your supply chain against cyber threats, integrate assurance activities into your management approach.

Foster transparent communication channels with suppliers for swift issue resolution and consider cyber insurance to mitigate potential damages.

Strive for continuous assessment and monitoring, employing threat intelligence tools to stay ahead of evolving risks.

And lastly, invest in supplier education, if you can, to continually raise awareness about cybersecurity best practices and promote a shared responsibility for a secure supply chain.

4. Your own game plan

Above and beyond the usual best practice approaches to cyber security, there are a few small tricks to add specifically in relation to the supply chain, to help you defend and protect yourself from supply chain threats.

Whenever you're setting up accounts with suppliers, don't cut corners. Use unique and robust passwords; at least 12 characters, use at least one symbol and a number plus letters.

Make MFA your best friend, and ensure suppliers have Multi-Factor Authentication (MFA) set up for account access and/or specify that they switch it on for accessing shared platforms or systems to lock down unauthorised access.

Make sure you’re undertaking timely software and system patching, and where possible insist suppliers do the same to promptly address vulnerabilities to reduce risks.

Key take-aways

• Get to know your suppliers in detail to establish a programme of risk management
• Enforce security standards amongst your suppliers
• Implement continuous good practices for assessment, monitoring and communication
• Get your own house in order when onboarding suppliers

Further reading

Cyber Risk Report; identification and key learnings from gaps in your peers’ security posture

Unlock the power of Ai in Cybersecurity: A guide for IT managers in 2024