In short, the answer is no. There’s a reason Verizon coined the term ‘supply chainpocalypse’ in their 2022 Data Breach Investigations Report. Supply chain attacks are increasing – whether it’s via the software we rely on (for example, 3CX) or a spoofed email containing a malicious document that appears to come from the company supplying a key component for your product.
In this blog post, our Information Assurance team look at what you can do to manage the risk associated with your supply chain, without disrupting your operations.
You have very little control over your suppliers
The reality is that you can never be 100% certain a supplier has a strong security posture. Your organisation won’t be able to impose security criteria on every supplier, and even where you can, unless you put proper information security assurance measures in place you are simply taking them at their word that their cyber security hygiene is good.
In the case of smaller suppliers, you can certainly impose criteria, such as holding a Cyber Essentials certification or regularly undertaking a penetration test. Worryingly though, according to the Department for Digital, Culture, Media and Sport’s Cyber Security Breaches Survey 2023, only 13% of businesses (and 11% of charities) regularly review the risk that their immediate suppliers pose. While that is an increase on 2022, the number is still far too low.
When you’re dealing with very large suppliers, Microsoft or Amazon for example, you won’t be able to impose your own security criteria on them. Instead you rely on the expectation that they maintain a strong cyber security posture because it is in their commercial interest to do so. That expectation does not hold for every supplier.
Let’s take the NotPetya example. The origin of one of the biggest global supply chain cyberattacks to date was the widely used Ukrainian accounting software M.E.Doc. The developers of that software had poor cyber security measures in place, which allowed Russian state actors to compromise their update servers; once a user of M.E.Doc updated their software, they were infected too. The attack caused losses running into billions of dollars for businesses around the world. This Wired article, which describes the impact of the attack on the world’s largest shipping company, Maersk, is a recommended read on your next coffee break: the seemingly routine installation of M.E.Doc on one computer at Maersk’s office in Odessa caused a company-wide outage.
The key point here is that M.E.Doc was a trusted supplier for most businesses in Ukraine because the software was used to interact with Ukrainian tax systems. When we trust a supplier, we often don’t question what security measures they have in place, sometimes to our own detriment.
Getting procurement right and ongoing assurance
Cyber security is often considered the domain of the IT department and supply chain the responsibility of the procurement team, or each business department (which has its own challenges). More often than not, ‘never the twain shall meet’. Well, not for a meaningful cyber security risk assessment, anyway.
It doesn’t actually matter which department has the responsibility of procurement, it’s the consistent approach—that includes a focus on security—that will be the most important aspect. So, how do you consistently assess the level of risk each supplier brings to your organisation? Much of this will depend upon the criticality of that supplier—if your payment portal is hacked, that’s a major operational disruption that could cause loss of income and reputation damage. This is in stark contrast to your external recruitment company being hacked and you needing to engage a new recruitment firm—it’s an inconvenience but won’t cripple your business. As such, when managing your supply chain, you need to obtain proportionate assurances to more efficiently concentrate your efforts.
At a basic level, assessing the level of risk should include:
- Consider the criticality of the supplier, i.e. do your core operations depend upon this supplier?
- Consider their access, e.g. are you sharing data with the supplier? Do they have access to your systems?
Once you have established the supplier risk levels, you will need to:
- Define your own security requirements, i.e. what assurance do you want from high, medium and low risk suppliers?
- Determine how the supplier can best demonstrate compliance with your requirements, e.g. onsite security audits, completion of a security questionnaire, proof of Cyber Essentials certification, etc.
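To make the steps above concrete, here is a small supplier risk register that scores each supplier on criticality, data shared and system access, maps the result to a high/medium/low tier, lists the assurance evidence that tier requires and flags suppliers whose periodic review has lapsed. This is an added illustration, not code from the original post or from the authors’ service; the scales, weights, thresholds, evidence lists, review cadences and the supplier names in the sample register are all assumptions chosen for the example and should be replaced with your own policy.

```python
"""Proportionate supplier risk tiering and review tracking.

Added illustration, not code from the original post. The scales, weights,
tier thresholds, evidence lists and review cadences below are assumptions
made for the example; substitute your own policy values.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed scale: what happens to core operations if this supplier fails or is breached?
CRITICALITY = {"core": 3, "important": 2, "peripheral": 1}
# Assumed scale: the most sensitive class of data shared with the supplier.
DATA_SHARED = {"none": 0, "internal": 1, "personal": 2, "special_category": 3}
# Assumed scale: depth of the supplier's access into your environment.
SYSTEM_ACCESS = {"none": 0, "portal_only": 1, "network_or_api": 2, "privileged": 3}

# Assumed policy: evidence requested from each tier, and how often it is re-checked.
ASSURANCE = {
    "high": (["onsite security audit", "security questionnaire",
              "recent penetration test report", "security contract clauses"],
             timedelta(days=365)),
    "medium": (["security questionnaire", "Cyber Essentials certificate",
                "security contract clauses"],
               timedelta(days=365)),
    "low": (["Cyber Essentials certificate or written self-attestation"],
            timedelta(days=730)),
}


@dataclass
class Supplier:
    name: str
    criticality: str          # key of CRITICALITY
    data_shared: str          # key of DATA_SHARED
    system_access: str        # key of SYSTEM_ACCESS
    last_reviewed: Optional[date] = None


def inherent_score(s: Supplier) -> int:
    """Additive score in the range 1..9 before any overrides."""
    return (CRITICALITY[s.criticality]
            + DATA_SHARED[s.data_shared]
            + SYSTEM_ACCESS[s.system_access])


def tier(s: Supplier) -> str:
    """Map a supplier to high/medium/low. Two overrides stop an otherwise
    low-scoring supplier from being under-assured: privileged access into
    your systems is always high, and special-category data is never low."""
    if s.system_access == "privileged":
        return "high"
    score = inherent_score(s)
    if score >= 7:
        return "high"
    if score >= 4 or s.data_shared == "special_category":
        return "medium"
    return "low"


def required_evidence(s: Supplier) -> list:
    """Evidence the supplier must provide for its tier."""
    return ASSURANCE[tier(s)][0]


def review_due(s: Supplier, today: date) -> bool:
    """True if the supplier has never been reviewed or the tier's cadence has lapsed."""
    if s.last_reviewed is None:
        return True
    return today > s.last_reviewed + ASSURANCE[tier(s)][1]


def assessment(suppliers, today: date):
    """One row per supplier, highest tier first, for the procurement/security review."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [{"name": s.name, "tier": tier(s), "score": inherent_score(s),
             "evidence": required_evidence(s), "review_due": review_due(s, today)}
            for s in suppliers]
    return sorted(rows, key=lambda r: order[r["tier"]])


# Constructed sample register (fictional names), mirroring the post's
# payment-portal versus recruitment-firm contrast.
AS_OF = date(2023, 10, 4)
SAMPLE = [
    Supplier("PayPortal Ltd", "core", "personal", "network_or_api", date(2022, 6, 1)),
    Supplier("HireFast Recruitment", "peripheral", "personal", "portal_only", date(2023, 3, 15)),
    Supplier("ManagedIT Co", "important", "internal", "privileged", None),
    Supplier("Office Supplies Direct", "peripheral", "none", "none", date(2021, 1, 10)),
]

if __name__ == "__main__":
    for row in assessment(SAMPLE, AS_OF):
        print(f"{row['tier']:6} {row['name']:24} score={row['score']} "
              f"review_due={row['review_due']} evidence={', '.join(row['evidence'])}")
```

Note that the recruitment firm lands in the medium tier rather than low: it is operationally peripheral, but it holds candidates’ personal data, so the data-sharing question raises the bar. The managed IT provider is high on the access override alone, whatever its additive score, and has never been reviewed, so it is the first row to act on.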
In the case of large-scale suppliers, it is unlikely you will be able to perform an onsite security audit or have them complete your security questionnaire. Many of these organisations, however, publish readily available information about their security controls and certifications. In these cases you’ll probably be accepting the risk, on the understanding that a strong security posture is in the best interest of these large supplier organisations.
What happens if something goes wrong?
You’ve put in place your own cyber security measures and criteria for your suppliers—effectively covering all your bases. But what happens if something goes wrong and your supplier is breached, resulting in your organisation also being compromised?
What you need:
- A comprehensive incident response plan that will give you the framework to minimise damage and get the business operating again.
- Confirmation that your cyber insurance policy covers damage caused by a supplier compromise.
How we can help secure your supply chain
Of course, cyber security should be a key consideration in any decision on new partnerships/collaborations or decisions on suppliers, providers, mergers and acquisitions, but we know you know that. However, sometimes it’s a matter of getting started and that’s often the hardest part.
Our experienced team offers a range of services to help you gain a deeper understanding and more control over your supply chain management, including our Cyber Assurance as a Service offering. This enables you to call on a full team with specialist expertise for your information and cyber security requirements. This knowledge includes creating and implementing risk assessment processes, creating supplier assurance policies and procedures (such as security-related contract clauses, and due diligence questionnaires), and carrying out onsite supply chain audits.
If you’re ready to take more control of your supply chain, talk to us.
This post was originally published on 30 October 2019 and updated on 4 October 2023.