
Managing Supply Chain Risk

Published on 19/02/2020

According to the Hiscox Cyber Readiness Report 2019, 65% of organisations experience one or more cyber attacks as a result of a weak link in their supply chain.

Unfortunately, you have little to no control over your suppliers' security policies, and according to the Department for Digital, Culture, Media and Sport's Cyber Security Breaches Survey 2019, only 18% of businesses require their suppliers to hold any security standard.

With smaller suppliers, you can impose specific security criteria, such as requiring them to hold Cyber Essentials certification or to perform regular penetration testing, as a condition of working with you. However, for larger suppliers, this is not the case.

When you’re working with huge suppliers like Amazon and Microsoft you won't be able to impose security criteria, but you would expect them to have a strong security posture you can trust. Unfortunately, this isn’t an accurate assumption for all large suppliers.

Take NotPetya for example. The origin of this attack was the widely used Ukrainian accounting software M.E.Doc. The developers of this software had poor security controls, and Russian state actors were able to gain access and infect their update servers. Once a user updated their software, they also became infected, and the attack spread across the world.

The key takeaway here is that M.E.Doc was regarded as a trusted supplier for most businesses in Ukraine and when we see a supplier as trusted, we let our guard down and often don’t question their security measures, sometimes to our detriment.

So how do you consistently assess the level of risk each supplier brings to your organisation?

Synergy within your organisation between those responsible for both cyber security and procurement is essential. However, much of the assessment will depend on the criticality of the supplier and also the access they have to your systems and networks.

At a basic level, the process of assessing the level of risk should include:

  • Consider the criticality of the supplier, i.e. do your core operations depend upon this supplier?
  • Consider their access, e.g. are you sharing data with the supplier? Do they have access to your systems?

Once you have established the supplier risk levels, you will need to:

  • Define your security requirements, i.e. what assurance do you want from high, medium and low-risk suppliers?
  • Determine how the supplier can best demonstrate compliance with your requirements, e.g. onsite security audits, completion of a security questionnaire, proof of Cyber Essentials certification, etc.

In the case of large-scale suppliers, it is unlikely that you will be able to perform an onsite security audit or have them complete a security questionnaire. However, many of these organisations already publish readily available information about their security controls and certifications. In these cases, you'll probably be accepting the risk, with the understanding that a strong security posture is in these suppliers' best interests.

What happens when something goes wrong?

You've put in place your cyber security measures and criteria for your suppliers to cover every base. But it's impossible to account for every risk and implement every defensive measure within your suppliers' systems, so what happens when something goes wrong and your supplier is breached, resulting in your organisation also being compromised?

How do you minimise damage and disruption?

  • Implementing a comprehensive incident response plan will give you the framework to minimise damage and disruption and get your business operating again.
  • Ensuring your cyber insurance policy covers damage caused by supplier compromise will also help to minimise damage and disruption in these circumstances.

Cyber security should be a key consideration in any decision on new partnerships and collaborations or decisions on suppliers, providers, mergers and acquisitions. SES offers a full suite of services to help you gain a deeper understanding and greater control over your supply chain management, including a Chief Information Security Officer-as-a-Service offering, which enables you to call on a full team with specialist expertise for your information and cyber security requirements. This knowledge includes creating and implementing risk assessment processes, creating supplier assurance policies and procedures (such as security-related contract clauses, and due diligence questionnaires), and carrying out onsite supply chain audits.

For more information on this service and how SES can help your organisation manage risk in your supply chain, please get in touch to speak to one of our specialists.

This article was originally published by our Cyber Security Partners PGI and can be found here. The article has been updated for the benefit of our clients.

 © SES Secure Limited and, 2020. Unauthorised use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Financechain Limited trading as SES and, with appropriate and specific direction to the original content.  
