Building a robust supply chain: how to protect against third-party risks


As global supply chains grow increasingly complex, organisations now face a distinct challenge in securing them against major cyber threats. By infiltrating one component of a supply chain, hackers can compromise the security of any other entities involved, creating the potential to cause great damage as any breach can impact all parts of the chain.

There have been several supply chain attacks this year that have made headlines, with the BBC, Boots and British Airways all affected following a cyber incident at their payroll provider, Zellis. It later emerged that hackers had been exploiting a zero-day vulnerability in a piece of software called MOVEit. In September, a ransomware attack on a small supplier put Greater Manchester Police officers’ names at risk. The 2020 SolarWinds attack also had a devastating impact, enabling hackers to gain access to thousands of SolarWinds’ government and enterprise customers.

Despite the seriousness of these incidents, this is an area of security that is often overlooked and ignored, even though investing in it can help safeguard a business. The most recent cyber security breaches survey revealed that just over one in ten (13%) businesses review the potential risks posed by their immediate suppliers, and even fewer (8%) review the risk of the wider supply chain. These findings indicate that while the threat of supply chain attacks continues to grow, companies and organisational leaders still don’t fully acknowledge the threat or its severity.

For the more closely regulated industries, such as telecoms and finance, new mandates are being put in place. Both the Telecommunications (Security) Act and the EU’s DORA now include stipulations requiring organisations to identify, disclose and reduce the risk of working with third-party suppliers. For other industries, where these requirements may not yet be in place, the need to act is still there. Not only do organisations need to protect their own assets, but they also have a responsibility to protect others in their chain, or risk a breach that prevents them from doing business with their customers and suppliers.

Understanding security risk and pitfalls

Today’s digital supply chains are evolving at a rapid pace, with SaaS solutions and cloud services being used more than ever before. These digital pathways have unlocked efficiencies, yet they also increase exposure, with every integration introducing a new potential point of attack. To mitigate the risk of a supply chain attack, it is crucial to understand where the threat lies.

One common oversight made by companies is underestimating the risks associated with regular software updates, which, although intended to fix known vulnerabilities, can serve as a vessel for introducing malware. The SolarWinds hack stands as a stark testament to this, with what was thought to be a routine software update causing a monumental security breach. Factor in tools that require API access to pivotal systems such as Customer Relationship Management (CRM) or accounting software, and any breach can unleash a domino effect of catastrophic data loss and operational disruption.

This risk is further magnified with every new vendor or service provider introduced to the chain. However robust a company’s own security protocols may be, a lax security posture at a third-party supplier can unwittingly create a gateway for cyber attackers and offer access to multiple companies’ data and systems.

There is also the threat of criminals posing as trusted clients and suppliers and sending deceptive emails. These may not always contain malware or links to a malicious website; instead, they may ask the recipient to take an action, such as authorising a payment or sharing access to a system and its data. These schemes, while simple in nature, can have damaging consequences for the recipient company, not to mention causing a great deal of distress for any individual deceived into acting.

How to strengthen supply chain security

Reducing these multifaceted threats requires a multi-pronged approach. Supply chains must be scrutinised, and businesses need to acknowledge both inherent and emerging risks. This requires a nuanced understanding that even routine, seemingly secure processes carry potential threats.

Fortunately, there are several steps businesses can take to help protect their supply chains:

Education and Awareness: Organisations should provide their staff with ongoing cyber awareness training, helping them to spot and thwart deceptive interactions, whether these appear to come from trusted entities or otherwise.

Ongoing Security Audits: Rigorous and frequent security audits, especially before integrating any third party, have become essential. They serve not only to protect a company’s own assets, but also to demonstrate its security measures to others, with organisations that handle sensitive data increasingly demanding proof of accreditation, such as the results of a penetration test. Penetration tests are a crucial part of testing an organisation’s security infrastructure and should be run at the very least annually.

Continuous Monitoring and Regular Updates: Establishing an unbroken monitoring mechanism for every component of the supply chain, paired with regular updates to security protocols and software, helps maintain a secure operational environment.

Collaboration and Threat Sharing: Facilitating information sharing about potential threats within the industry fosters collective threat awareness and fortification. When sectors share insights on encountered threats, they collectively enhance their defensive postures.

Introducing Robust Access Control Tools: Employing robust access control tools, such as Zero Trust Network Access (ZTNA), strengthens supply chain security by ensuring that third-party access to systems and data is meticulously controlled, authenticated, and restricted to only the resources and time periods required.

Email Domain Visibility: Maintaining visibility of your public-facing email domain and those within your supply chain reduces the potential for spoofing and allows quick identification of impersonation attempts.

Thorough Testing of Patches: Before deployment in the live environment, patches and software updates should be scrutinised in a controlled setting to ensure they do not introduce new vulnerabilities.

Accepting and Preparing for Risks: Understanding and preparing for the inherent risks of digital transformation is critical. A breach at your hosting provider, even if it doesn’t directly target your company, can still lead to the loss of your data, as evidenced by the recent CloudNordic and AzeroCloud hack.

Working together towards supply chain security

While the more regulated sectors have seen mandates put in place to govern this, other industries shouldn’t be complacent in addressing supplier risk.

It is crucial that supply chain security is prioritised across all organisations. Companies need to introduce rigorous security audits and continuous monitoring, as well as ensure collaboration across all sectors. By implementing tools like ZTNA, companies are able to protect themselves and help secure the other parts of the supply chain and the businesses they are connected to, which will become increasingly important as other organisations build up their own third-party risk assessments.

As supply chains continue to evolve, so must the approach to safeguarding them against cyber threats. By ensuring that all parties work together to protect a supply chain, organisations can eliminate the financial and reputational risk that extends beyond a single point of compromise, as well as the knock-on effects on other organisations and consumers.