In his previous blog, ITC Cyber Advisor Neil Lappage discussed why you are only as secure as your weakest link when it comes to your supply chain and how the evolving threat landscape demands an integrated approach to cyber security.
As companies evolve their operations, the dependency on third-party suppliers means that organisations are not always aware where their crown jewels are and who has access to them, let alone what impact these dependencies will have if something goes wrong. Information with context is knowledge; sophisticated attacks not only target information but also business processes.
The increase in sophisticated attacks makes the management of information and data within your supply chain all the more important. Organisations need visibility of everyone who has access to their networks and information, and a closer guard on their gateways in order to identify and manage risk.
One of the top ten ITC 2022 cyber trends forecast is the rise of third-party supply chain attacks, with SolarWinds-style headlines set to plague firms that do not invest in the risk management trifecta: people, technology, and governance.
Six steps to securing your supply chain
Protecting your supply chain requires a rethink of the way you approach security; there is no silver bullet when it comes to defending your organisation. Leading and managing the risks will achieve improved business outcomes. Therefore, security needs to be integrated into your business practice and operations.
- Know the information stored and processed by your supply chain
Never forget that any party with access to your information is a potential security risk; knowing the role each supplier plays in your operation and what data they have access to is important. The first step in risk management of your supply chain is to always know who stores and processes your data; this includes sub-contractors. Always have a clear overview of the data stored in your organisation; being able to identify and classify the third-party risks of storing and processing such data helps you to truly understand your digital dependence.
- Agree security requirements during procurement and monitor regularly
To get ahead of the game, from a risk perspective, it is critical to assess third-party solutions during procurement and ensure that the business engages third-party suppliers with their eyes wide open. Completing an assessment at this early stage also provides the opportunity to agree security requirements with each supplier, where necessary. The assessment should also consider the organisation’s security capability and management system.
- Reduce the blast radius following compromise of the supply chain
It is important to acknowledge that you rely on others to apply good security practices consistently. The decision to engage third parties should be risk based. Where appropriate, deploy security controls that reduce the blast radius of a third-party breach; for example, take a Zero Trust approach that limits each third party's access to what its role requires, so that the principle of least privilege is achieved.
- Complete your own due diligence
Tabletop reviews and third-party audits provide value but do not always reveal the ground truth. Using tools that take an outside-in view of an organisation’s digital footprint can be a good indication of things to come. Completing such due diligence can be an acid test; the identification of exposed credentials, data, or systems access on the dark web can help to drive the conversations and decision making that will ultimately reduce risk and achieve better business outcomes.
- Test the security of your supply chain
To remain secure in today’s environment, relying solely on periodic checks is no longer enough; a consistently secure baseline is key to reducing exposure. There is an increased need for mature security practices proportionate to the criticality of the information assets stored and processed. At a minimum, organisations should mandate that their supply chain tests its controls on a regular basis. However, to remain secure, tools and processes are required to ensure that misconfigurations are detected and remediated in real time.
- Make your people the first line of defence
Human error accounts for a significant proportion of all breaches. Protecting the human element of your organisation is as important as having good technical solutions in place. An effective cyber awareness programme makes cyber security everyone’s responsibility; reduce your risk by equipping employees with the necessary knowledge and best practices to be more vigilant in their actions.
By adopting a mindset of continuous assessment and improvement and by viewing cyber security as an extension of your organisation’s workflow, you can take the steps necessary to assess, secure, and monitor your supply chain – putting you back in control.