Supply chain attacks are the next big emerging attack vector with the potential to cost organizations millions in damage. On a global scale, companies recognize they have cyber weaknesses but lack the visibility, tools, technologies, or practices to confidently defend against supply chain attacks.
SC Media, the leading cybersecurity source in the UK and Europe, approached our GRC Director, Alex Hollis, for his views for its supply chain attacks article, “Hackers increasingly targeting supply chains – few prepared to mitigate risk”.
Here are his comments in full:
How can organisations improve the security of their supply chains?
The risk around supply chain is often an afterthought in most businesses. Business unit and functional owners are desperate to get the resources and tools to scale or make efficiencies in their business unit and often have already identified favored suppliers before working with procurement and risk functions. This often means diligence is rushed or overlooked entirely to get through a favored supplier.
Unfortunately, when you’ve worked hard to secure the internal IT, this becomes the weakest link in the chain, for example:
The RSA breach in 2011 saw a recruitment consultancy hacked to send a convincing email containing zero-day malware into the organization. The breach resulted in massive reputational damage, as well as the financial hit of having to change out all the SecureID keyfobs.
The Target breach in 2013 saw the HVAC system compromised through its little-known supplier, Fazio Mechanical Services, to steal payment card data. Again, reputational damage and fines, legal fees and reimbursement to the tune of $420 million.
It’s unsurprising that a survey has found a trend towards this vector of attack, as we push attacks out of our own network the attackers will move towards to the path of least resistance. Sophisticated attackers have been using this method for many years; however, these methods of compromise are available to anyone with a read of a company’s website, reviewing social media or even with a phone call and social engineering. Having a list of suppliers of your target, increases the ability to compromise that target. These suppliers are external agents less well-known but often equally trusted.
What processes should be put in place?
Securing the supply chains starts with identifying the suppliers, starting with those who are crucial and have any trusted access to data. You would be shocked by the number of companies who do not have a complete list of their suppliers. With SureCloud’s work around GDPR, which mandates knowing your suppliers, we’ve helped a lot of organizations bridge this knowledge gap.
Once you know who you work with, drafting a simple assessment that asks about key controls and processes that are in place. Send that out to the vendors and carefully review the responses working together on any risk areas. In its most straightforward form this can be (and in a lot of organizations is) an Excel spreadsheet sent over email. The questions will mature over time as you start asking about more areas, but you should be sure to only ask the necessary questions of vendors. Flooding vendors with questions leads to low-quality answers due to assessment fatigue.
What are the tools needed to do so?
While Excel is a good starting point, it naturally doesn’t scale to large numbers of vendors and has no complexity around who is getting asked which bank of questions. Furthermore, given that it contains details about the compromise points for a vendor, it is not very secure.
When looking at maturing your GRC (governance risk and compliance), most tools will have Vendor/Supplier functionality built-in. This will automate and collate a lot of this information, asking the right questions, prioritizing the needed activity and then tracking that remediation.
Learn about our Third Party Risk Management here to gain control and certainty over your network of vendors.
Read the full SC article here.
SureCloud provides Governance, Risk & Compliance (GRC) applications and Cybersecurity services that give our customers certainty – of risk management/compliance and cybersecurity. Established in 2006, SureCloud is headquartered in the United Kingdom and has offices in the United States. SureCloud has more than 400 customers throughout the UK and US from the Retail, Financial Services, Government and other sectors.
About Alex Hollis
Alex has over 16 years’ experience in IT, mobile technology and software development. He has spent the last seven years specializing in governance, risk, and compliance (GRC). After just six months in the industry, Alex received a platinum-level excellence award for his work around risk bow-tie modeling, Solvency 2 and Basel 3. Now focusing primarily on operational risk, Alex has analyzed, designed and implemented GRC technology into 60 companies, including some of the largest and most complex environments. His experience spans multiple sectors, including telecommunications, aviation, pharmaceuticals, manufacturing, retail, public sector, financial services and insurance.