In today’s interconnected world, organisations have to contend not only with threats to their own cybersecurity but also with attacks on their supply chain. Supply chain risk can significantly increase an organisation’s attack surface – and the bigger the supply chain network, the more opportunities there are for a malicious actor to reach its data and IT infrastructure.
With that in mind, let’s look at how to reduce risks in the supply chain.
What are the risks in the supply chain?
Supply chain security risks are vulnerabilities within a company’s supply chain network. Companies rely on third-party vendors to provide software, digital services, and platforms as part of their IT infrastructure. Similarly, companies that manufacture products may depend on a network of suppliers for raw materials, parts, or components. In either case, a company must grant its suppliers varying levels of access to its data and IT systems.
Cybercriminals looking to breach a company’s IT infrastructure will often seek out the “weakest links” in its supply chain. Instead of targeting an organisation directly, malicious actors look for which vendors within its supply chain network have the weakest security controls and exploitable vulnerabilities within their IT networks.
Worse still, most organisations have limited awareness and visibility of the data and assets their supply chains have access to. This largely leaves them in the dark about the extent of their supply chain risk exposure – let alone the ability to prevent any potential attacks.
Examples of risks in the supply chain
Here are some of the most common ways malicious actors can execute supply chain attacks.
Third-Party Software Providers
By breaching the cybersecurity defences of a software developer, a cybercriminal can potentially compromise all the companies that use its products. This may include content management systems (CMS), cloud platforms, website builders, etc. This risk is especially applicable to open-source software, as anyone can contribute to its development, making it easier for malicious actors to upload malware.
Third-Party Data Stores
Organisations regularly contract outside companies to store or process their data, e.g., data aggregators. By breaching such companies, cybercriminals can access the data they store for all their clients.
Watering Hole Attacks
A watering hole attack involves compromising a widely used website or online service in order to compromise the companies that access it.
How can you reduce risks in the supply chain?
There are three stages involved in developing a strategy for reducing risks in a supply chain network:
- Identifying risks
- Assessing risks
- Mitigating risks
Identifying risks
To reduce supply chain risks, you first need to know which risks are present and where they sit. This includes:
- Carrying out an audit to catalogue every software asset within your organisation. Each piece of software represents a potential vulnerability, so you need an accurate inventory to understand your supply chain risks.
- Similarly, creating an up-to-date inventory of your suppliers and the software or service each provides. This will paint a more accurate picture of how large your supply chain network is and how far down it you’ll need to go to fully mitigate cybersecurity risk.
- As part of that supplier inventory, determining whether they employ any subcontractors to help deliver their products or services, i.e., your fourth-party vendors. This can often be challenging, as you’ll need your direct suppliers to provide information about them.
- Understanding the data, assets, and systems your suppliers (and, indirectly, their subcontractors) have access to, and the controls, if any, you have in place to govern that access.
- Determining the level of security you need your supply chain partners to apply to your data and assets.
- Assessing your suppliers’ current security posture. This requires each third-party vendor (and, through them, your fourth-party vendors) to provide a detailed description of their cybersecurity policies and controls. Compare this to your desired level of security.
Assessing risks
Once you’ve identified the risks in your supply chain, you can assess how likely each is to occur, the severity of the potential consequences, and the effect it would have on your company.
Assign each vendor in your supply chain a risk rating based on considerations such as:
- The level of access they have to your data and network
- The value and sensitivity of the data and assets they have access to
- The severity of consequences to your company if its IT infrastructure were to suffer a cybersecurity breach
- Their current cybersecurity posture
Typically, you’ll award each vendor a rating of “low”, “medium”, or “high” for the sake of simplicity, but you may decide on alternative ratings based on your needs.
- If possible, group suppliers based on their risk rating.
- Start to map out security policies and controls for each group of suppliers, starting with the highest risk rating. Particular suppliers that pose the most risk may be prioritised separately.
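As an added illustration of the assessment stage (this is example code written for this page, not a RiskXchange tool or method), the script below scores each vendor on the four considerations listed above, derives a low/medium/high rating, groups suppliers by rating, and orders them for review with the highest-risk vendors first. The 1-to-3 scales, the score thresholds, the rule that a vendor with high access to highly sensitive data is always rated high, and the sample vendors are all assumptions made for the example; adjust them to your own appetite for risk.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Three-point scale used for every factor and for the final rating."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Vendor:
    name: str
    access: Level       # level of access to your data and network
    sensitivity: Level  # value and sensitivity of the data/assets they can reach
    impact: Level       # severity of the consequences if they were breached
    posture: Level      # their current security posture (HIGH means strong)


def exposure_score(v: Vendor) -> int:
    """Sum the factors; a weak posture adds more, a strong posture adds less (range 4..12)."""
    posture_gap = Level.HIGH - v.posture + 1  # strong posture -> 1, weak posture -> 3
    return v.access + v.sensitivity + v.impact + posture_gap


def rate_vendor(v: Vendor) -> Level:
    """Map the exposure score to a rating; thresholds are an assumption for this example."""
    # Assumed override: high access to highly sensitive data is always a high-risk relationship,
    # even when the total score would otherwise land in the medium band.
    if v.access == Level.HIGH and v.sensitivity == Level.HIGH:
        return Level.HIGH
    score = exposure_score(v)
    if score >= 9:
        return Level.HIGH
    if score >= 6:
        return Level.MEDIUM
    return Level.LOW


def group_by_rating(vendors: list[Vendor]) -> dict[Level, list[str]]:
    """Group supplier names by their rating so controls can be defined per group."""
    groups: dict[Level, list[str]] = defaultdict(list)
    for v in vendors:
        groups[rate_vendor(v)].append(v.name)
    return dict(groups)


def review_order(vendors: list[Vendor]) -> list[str]:
    """Order for review: highest rating first, then highest exposure score, then name."""
    ranked = sorted(vendors, key=lambda v: (-rate_vendor(v), -exposure_score(v), v.name))
    return [v.name for v in ranked]


# Constructed sample suppliers for the example; not real organisations.
SAMPLE_VENDORS = [
    Vendor("CMS vendor", Level.HIGH, Level.HIGH, Level.HIGH, Level.MEDIUM),
    Vendor("Data aggregator", Level.MEDIUM, Level.HIGH, Level.HIGH, Level.HIGH),
    Vendor("Backup provider", Level.HIGH, Level.HIGH, Level.LOW, Level.HIGH),
    Vendor("Marketing SaaS", Level.LOW, Level.MEDIUM, Level.LOW, Level.MEDIUM),
    Vendor("Office supplies", Level.LOW, Level.LOW, Level.LOW, Level.MEDIUM),
]


if __name__ == "__main__":
    for rating, names in sorted(group_by_rating(SAMPLE_VENDORS).items(), reverse=True):
        print(f"{rating.name}: {', '.join(names)}")
    print("Review order:", " > ".join(review_order(SAMPLE_VENDORS)))
```

Note that the "Backup provider" scores only 8, which the thresholds alone would place in the medium band; the override rule pulls it up to high because it holds high access to highly sensitive data, which is the kind of judgement call the rating scheme should make explicit rather than leave to arithmetic.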
Mitigating risks
At this stage, it’s time to plan and implement the security policies and controls for reducing the risks in your supply chain network.
- Communicate your required security policies and controls to each supplier.
- Request that each supplier provides you with a plan, with timeframes, for how they intend to implement your required measures.
- Create KPIs to measure the effectiveness of your risk mitigation strategy. Then, ask each supplier to continuously report on their security posture and measure its effectiveness against your KPIs.
- Build trust with your suppliers by treating supply chain risk management as a shared problem. Gain their buy-in and support by consistently taking their needs into account and encouraging and valuing their feedback and ideas.
- Maintain continuous communication with your partners to achieve maximum visibility over the security posture of your supply chain.
- Treat reducing risks in the supply chain as a long-term process: review your supply chain risk management strategies every few months or whenever your supply chain network changes, for example when you start using a new piece of software or take on a new supplier.
- Pay attention to, and act on, any issues that come to light through continuous control monitoring or reporting from your suppliers. This can provide important insights that reveal where your current approach is falling short and how you can improve it.
- Encourage your suppliers to continue improving their security posture and provide any necessary advice and support that helps them do so.
Reducing risks in supply chain may seem like a daunting task, but you don’t have to tackle it alone. Contact RiskXchange for help in developing a supply chain risk management strategy.