By: Jason Plumridge, Head of Advisory, Tesserent
The risk of cyber attacks threatens an organisation’s operations, finances and reputation, but there is one often overlooked, and significant, blind spot when considering organisational vulnerabilities: supply chain risk management. Organisations place trust in their chosen suppliers for everything from services to hardware, but this trust can be a chink in an organisation’s security armour.
When a compromised piece of equipment is introduced into a network, or when data is stored with a trusted but breached service provider, then even the most effective internal cybersecurity controls can come up short.
Supplier risk management relates to the risks of dealing with a specific entity. When you purchase a specific item or service from one party, you only need to assess a single entity. But, when assessing the risk across an entire supply chain, the scale is much broader and more complex.
Assessing an entire supply chain with multiple parties, some of which you may have absolutely no visibility of, makes the risk far greater and a serious blind spot in most organisations’ cybersecurity defences. Cybercriminals know this and are exploiting it to their advantage.
Recently, a hacking group was able to infiltrate Intel’s supply chain and embed chips with code that allowed unauthorised parties to access data from systems. This supply chain attack took advantage of the trust put in Intel by its customers and highlights the significant challenges in detecting the potential risk.
Threats to a supply chain also include communications between an organisation and its partners. Business email compromise attacks rely on attackers exploiting a trusted relationship. A breached email account belonging to a trusted partner or supplier can be used to misdirect a payment to a criminal’s account, request confidential information or gain access to a system.
Every organisation has a supply chain. We typically think about supply chains in physical terms, such as when raw materials are shipped to a factory where they are transformed into a useful end product before shipping to distributors and end users. But services companies using cloud providers have their own supply chains as well. Whether they are using a cloud-based business software solution or Infrastructure- or Platform-as-a-Service offerings, they have a supply chain that ultimately relies on trusting external third parties.
The challenge is to mitigate the risks
This may sound like an impossible problem to solve. But like all risks, the challenge is to mitigate the risks as much as possible so that the residual risk is acceptable and manageable.
The process starts by identifying all the third parties involved in your organisation’s supply chain. This includes all hardware and software suppliers. Then, document what services they provide, your level of dependency on them and the potential impact of a compromise. This will help you understand the risk arising from a compromise of that supplier.
This can be fed into a risk register that is then monitored regularly to ensure the likelihood and impact of a risk remains at an acceptable level. Having a robust supply chain risk management framework in place is also only part of the answer. You still need controls in place to minimise the damage should a supplier be compromised and to ensure your systems and data are protected.
Supply chains are dynamic and need a risk-aware culture
Incumbent suppliers can leave and new ones need to be onboarded. Organisations must have robust governance in place to manage supplier relationships that goes beyond ensuring performance indicators are met. That means undertaking risk assessments before a new supplier is engaged and regularly checking that security and other compliance requirements are adhered to.
For this to become embedded in an organisation, a risk-aware culture is needed. Procurement teams, whether they are brought together for a specific project or are part of an ongoing effort, need to think about risk from the outset of an engagement. If a potential supplier is unwilling or unable to answer your cybersecurity questions, then you need to decide whether that is an acceptable response given your risk appetite.
Supply chain risk management is complex. But, ultimately, the questions you are trying to answer are “Do I trust that supplier or partner?” and “Do I have appropriate controls in place should they be compromised?”
Australian organisations can no longer afford to overlook this blind spot in their security defences – supply chain risk management is a critical factor in your cybersecurity strategy.