In November 2021, the UK government announced new measures to safeguard digital supply chains in the country against cyberattacks. National Cyber Security Centre’s Cyber Assessment Framework is part of the proposal to help British businesses manage the growing cyber threat. While a government mandate does help push the agenda, businesses today are aware of the risks they face in the absence of a sound cybersecurity strategy for their supply chains.
As the adoption of digital expands an organisation’s business ecosystems, risks abound. It is no longer adequate to maintain internal security hygiene. The perimeter of risk now extends to the entire vendor and partner ecosystem. Third Party Risk Management (TPRM) is now one of the top five risks for boardrooms. Managing risk in the supply chain is moving from a compliance and checkbox exercise to a strategic initiative to reduce the risk for enterprises.
Supplier-related cyber risks are growing
Cyberattacks are now far more complex and frequent as cybercriminals have become increasingly technologically savvy and vicious. On the other hand, as businesses become cost-conscious, they outsource all non-core activities to external vendors. While this helps them become more competitive and flexible, it exposes them to new risks.
It is not just their immediate suppliers that they must worry about. The risks could exist far deep into the supply chain with third or fourth-party suppliers. For example, when an organization buys hardware from a vendor who in turn uses unsecured 3rd party components in the product, it becomes vulnerable to any malicious code that may be implanted in the 3rd party component by an adversary.
consider a scenario where a retail organisation outsources a part of its IT operations to an external partner, and the partner, in turn, outsources certain aspects of the project to a small local organisation. Any breach suffered by the local organisation could have implications on the retailer.
However, most organisations do not have the visibility to assess risks and identify breaches that extend beyond the boundaries of their enterprise. Therefore, there needs to be an attitudinal shift when it comes to improving supplier security. In addition to mandating basic protocols, cybersecurity teams must place equal emphasis on taking a partnership approach which means educating the vendors and perhaps extending the company’s security umbrella onto the supplier.
There are certain best practices that enterprises must follow to protect themselves against supply chain risks.
Water-tight Supplier Contracts and Policies
Given that suppliers have a significant role in ensuring the security of your data, it becomes essential to include all necessary safeguards in the contract, such as a ‘Right to audit’ clause or agreed-upon timelines to report incidents. The agreement must provide detailed guidelines for supplier offboarding. For example, mandating that all company data must be destroyed by the supplier after it has served its purpose. Advocating practices such as third-party static code analysis, regular security scanning of local and cloud-based environments, DevSecOps, and integrity check of codes for vendors can be valuable.
- Extensive supplier profiling
Not all suppliers pose the same amount of risk. A vendor with access to sensitive data such as product design poses a greater risk than a supplier who provides packaging materials. Supplier profiles must be assessed from a risk perspective, especially when the number of suppliers runs into thousand or more. AI/ML can be used to leverage existing data from vendors to improve the vendor risk management process.
Designing a contextual questionnaire aligned to the businesses’ risk appetite and one that requires explicit evidence of policies is highly recommended. It must also align with industry standards and regulations.
- Continuous monitoring
While most organisations conduct vendor risk assessments about twice a year, this frequency might not be sufficient given the dynamic nature of risks. As the number of devices and touchpoints increases, operational security becomes as important as information technology security. In such a scenario, tools that continuously monitor external facing information, including the dark web and the organisation’s internal risk management mechanism, must be integrated to help mitigate risks.
- Defined internal Processes for vendor assessments
It serves well to define the processes beforehand, whether it is the entry and exit criteria for conducting the assessments or remediation plans in cases of issues. Well-defined SLAs for governance and tracking can help, along with standardised templates, to communicate the control expectations and risk statements to the supplier and internal stakeholders.
Internal teams must be provided training for a uniform understanding of the controls, the expected evidence, and the risks. In addition, actionable data-based insights and guidance to vendors help build better synergy. A partnership approach is particularly constructive when assessing third-party vendors.
- Breaking the siloes
Today, cyberSecurity, legal, procurement and risk teams have siloed views of the vendors and data is not commonly available and shared. Organisations must move towards a unified and integrated approach for vendor life cycle management. This can help weed out the risky entities and focus on vendors who meet the enterprise requirements.
The SolarWinds attack in 2020 was the first of the many supply chain attacks that followed in 2021 proving that supply chains are an attractive target for hackers. In August 2021, European Union Agency for Cybersecurity (ENISA) warned in a report that supply chain cyberattacks is likely to increase four times over a year’s time.
Organizations must continuously monitor and find new ways to protect themselves against the vulnerabilities arising out of the evolving landscape in the supply chain domain.