All businesses have a supply chain, no matter what size of business you are. As businesses grow, their supply chain is likely to grow even further. Just think about any company-supplied device you have and the number of applications and services installed on it… they soon add up!
So, what’s the issue?
Outsourcing comes at a cost
It’s good being able to outsource things, especially when there are lots of vendors and a competitive market on a range of services provided. Whether it’s your endpoint security, payroll or software development for example, it’s not always possible to have a solution to everything in house.
The problem is: the bigger your supply chain, the greater your risk exposure.
Take, for instance, a business that uses an outsourced HR service. Yes, it has its benefits: a neutral third party to resolve any potential issues, and less internal resourcing needed in both personnel and equipment. However, you’re supplying the third party with all your employees’ personal data. You need to consider: do you trust the third party’s security in storing and handling that information? Imagine they have a security incident and employee data is leaked; what would the consequences be for your employees, and what impact would this have on your business?
A recent example is the MOVEit vulnerability. Professional services providers Aon and Zellis were victims of the attack, which in turn triggered cyber attacks on the clients whose data they hold. Companies such as British Airways and Boots respectively were affected, with data relating to their employees stolen and a ransom demanded to avoid that data being leaked.
So, there are a few key questions you need to know the answers to:
- Who are your suppliers?
- What data do you share with them?
- What processes do you have in place to reduce risk exposure to third party attacks?
Know your supply chain
If you’re a big company, I expect it can become an extensive list of third party suppliers. The way to look at it is that every one of your suppliers has the ability to provide a backdoor or channel into your company. Maybe not always in the literal sense, but in the sense that their lack of security, or ineffective security, can lead to some kind of disruption or damage to your business.
Therefore, it’s important to know who your suppliers are, and more importantly, who the critical ones are.
Think about what’s critical to your business operating. If that’s the availability of your operations, you might want to consider the software applications you use. It only takes one third party to be compromised and have malicious code inserted into its software for that code to be introduced into your network when you install the latest update. What would the consequences be: could you be held to ransom? To what capacity could you still operate? Mapping your supply chain back to your critical operations will help you shortlist your critical suppliers.
Sharing data leads to greater risk
Is data shared with your third party suppliers? If not, that already reduces your risk. However, in today’s interconnected world, it is unrealistic to reduce your data sharing to zero.
There are many cases where you might be sharing personal data. If you’re using an HR or payroll service, or a CRM, then that may be your employee or customer data. This raises the stakes: a breach may bring legal challenges, regulatory fines and embarrassing reporting that damages your reputation.
Another thing to think about is whether you’re sharing any data that is considered your organisation’s IP. Imagine there’s a cyber attack and an attacker is able to use that to their advantage, such as extracting and selling that on to one of your competitors. It’s worth considering how that may affect your business and the market you operate in - and put in further safeguards to protect it if it’s critical.
Safeguards to reduce exposure
Procurement processes are a good place to start. A survey conducted in 2022 by the government found that only 13% of businesses assess the risks posed by their critical suppliers, and that cyber security did not play a significant role in the procurement process. It goes to show that there is not enough emphasis on how important it is to set expectations with suppliers.
There are different ways to go about this, and it depends on how critical the supplier is and what they are doing or storing for you. One way is to contractually require that the supplier holds a formal cyber security certification, for example Cyber Essentials or ISO 27001. Another is to specify bespoke requirements for the supplier to meet. And, to go one step further, specify bespoke requirements and audit the supplier against them.
Something is always better than nothing, but it is important to verify that a supplier is actually meeting the requirements rather than relying on hearsay that they are.
Knowing named security contacts at your suppliers is also useful. In the event of a cyber incident, you’ll know exactly who to contact at each supplier, which reduces response time and lets you react quicker.
There’s always going to be some risk involved
Standards and frameworks put an emphasis on supply chain management. That’s no surprise, given it’s unrealistic to have no suppliers and outsource nothing at all. If supply chain management is referenced in places like ISO 27001 and the CIS Critical Security Controls, that should prompt you, as best practice, to implement the recommended safeguards to reduce your exposure.
Even though there’s always going to be some risk, it’s how you understand and manage it and your supply chain, by applying the right precautions and controls, that makes a difference.