December 18, 2019 | Ashton Jones, General Manager
One area that has been coming up more frequently with our clients is supply chain security. The supply chain is increasingly the medium for sophisticated attackers to get in.
What is a supply chain attack?
A supply chain attack is a cyber-attack that seeks to damage an organisation by targeting less-secure elements in the supply network.
This can be through embedded code/hardware on infrastructure, tampering, poor development/manufacturing practices, people infiltration, account compromise, business process compromise, etc.
These attacks are often sophisticated and targeted.
Why should you care?
Whilst the majority of attacks you are seeing are likely to be email and scam based, some of the more serious incidents, in New Zealand and abroad, come from supply chain breaches.
Where should you focus?
Frame the risk
- Establish the context for risk based prioritisation and the framework for decisions relating to the supply chain.
- Overlay supply chain risk across your organisational risk management practices.
- Consider first reaching a base level of maturity in foundational risk management practices prior to focussing in on supply chain. Many of our clients still have other areas to prioritise that also mitigate, in part, supply chain threats.
- The ability to prioritise based on risk is a critical practice to establish.
- Never forget that you own the risk. You may provide day to day guardianship of your risk to a third party, however along with that, you need their assurance that they understand your security requirements. And that they will comply with them.
- Start with an understanding.
- Figure out what supply chain risk means to your organisation.
- Do you have an understanding of all your suppliers, information they need to support you, the access they have / what they supply to you and their security posture?
- Do you know what systems are critical, what your sensitive information is and where it resides?
- You may have an understanding of those suppliers who come through your standard procurement process. What about all of those suppliers that your employees onboard to enable their day to day work? A cloud risk assessment showing all of your cloud shadow IT and a software scan internally is a good start here and certain tools (like Netskope) will offer an index of how secure any cloud applications found are.
- This process may show a number of areas where you are not providing users with the tools they need to do their job or not making them aware of what is available.
- Review and interpret criticality, threat, vulnerability, likelihood and impact of each of the suppliers and of supply chain risks in general.
- Start with the critical suppliers who have the most access/possible impact to your business.
Respond and Monitor
Once you have an understanding put some controls in place.
Select specific areas and controls based on the level of risk they mitigate.
Start with the basics:
1) Access Control - review who has access, to what and why. Reduce access where possible, use multifactor authentication and monitor all behaviour (log and alert on anomalous behaviour). Make sure you revoke access (physical and logical) when it's no longer needed.
2) Have policies and agreements in place for access
3) Training and awareness - multifaceted approach, train:
- staff on your supplier onboarding process and the importance thereof
- staff on the approved tools and technologies the business provides
- suppliers on your security policies and other relevant policies
- Include cybersecurity as a consideration when assessing new vendors. Include regular security reporting as part of the contract and, where possible, build specific security clauses into service level agreements, and,
- ensure you have the right to audit your vendor’s performance periodically to validate the agreed level of security is being provided.
Don't use a single approach for all of your suppliers. Right size the assessment/questionnaire to the organisation you are dealing with and the level you engage them on. For example, if you have a short term service with no remote access, no data leaving the organisation and restricted organisational controls then restrict your questionnaire to just HR/recruitment related questions. You don't need to know how the supplier secures their network if they aren't storing your data.
5) Incident response - have a plan for the worst case scenario and practice these with senior management. Also exercise these with third parties - are they able to provide the agreed level of support outside of business hours when handling an incident? We often see plans that are designed for a single purpose - gathering dust. Don't let this apply to your plans.
There is a lot to take on board and much of it is easier said than done!
Security is a complex space and that is why it's important to tie decisions back to the business through risk mitigation and secure user enablement.
If you have questions please feel free to reach out.