Cyber Risk Management in the Supply Chain

In today’s business world, operating within a supply chain is standard procedure: it is how products, systems and services reach the end customer. But these digitised webs of businesses working together can be large and complex, and they introduce a range of cyber risks.

Supply chain attacks are a popular method for cybercriminals to reach multiple businesses, or a very large business at the top of the chain, often by targeting weak links. The first quarter of 2021 saw a 42% increase in these kinds of attacks and it’s showing no signs of slowing. Supply chain attacks can be detrimental, as we saw with the attack on SolarWinds in 2020, which affected many companies’ systems, including those of huge corporations like Microsoft and government departments.

No matter the business, putting the right measures in place to manage cyber risk in your supply chain is crucial to protecting your business and minimising the chance of an attack.

Understand the risks

The main vulnerability for the supply chain begins when companies start sharing their data and access to their systems. Of course, this is often necessary, but a good first step is knowing who you are sharing with and what the value of those assets is. Take care to assess each supplier your business works with and what their security looks like. Do they have adequate controls in place? What processes and policies have been implemented to ensure data is protected?

Depending on how valuable the data that you are sharing with suppliers is, you’ll want to know there are sufficient protective measures in place to keep it secure. Vetting your suppliers and making this part of your contracting process will go a long way towards establishing control over any risks and introducing methods for mitigating them.

Establish security requirements

Once you have understood the risks to your supply chain, beginning to mitigate them is the next step. Often, businesses will choose to categorise their suppliers into particular risk profiles depending on the level of access they might have and how sensitive the data being shared with them is.

Within these risk profiles, minimum security requirements and expectations should be set. This might be communicated via a supplier policy. Your policy can outline what measures should be in place to ensure a secure environment, extending also to any subcontractors your supplier may wish to hire.

It can be helpful to point to recognised cyber security standards that cover all the important security controls and policies you require your suppliers to meet. In the US, some popular ones include ISO27001, which is internationally recognised, and the NIST framework. In the UK, the Government’s cybersecurity standard, Cyber Essentials, helps to reduce 80% of cyber risk by aligning with five critical technical controls. Complying with these standards can be an easy way for your suppliers to demonstrate a good cyber security posture.

Cybersecurity Awareness

Most cyber attacks are down, in some part, to human error, so making sure your employees and your suppliers’ employees are properly vigilant is crucial. Create a culture of cyber security awareness within your company and supply chain, ensuring key staff are trained on how to use systems safely and practise good cyber hygiene.

You might consider sharing resources with your suppliers to help them educate their employees about cyber risks and what they can do within the company to help reduce them. There are numerous free online exercises and articles offering guidance to businesses, and many companies offer phishing simulations, as phishing is one of the most common attack techniques used by hackers.

Secure Data

Data travelling through your supply chain, or even with your cloud provider, can be vulnerable, so it is important to maintain good security, ensuring data is encrypted when being transferred and channels are secure.

Knowing what data you have within your supply chain and who has access to it plays a vital role in keeping it protected. That includes all the data your own business holds in its systems and any data backup systems, as well as data you share with your suppliers. The data may also range in sensitivity, so classifying your data and labelling it correctly can help to manage it properly and stop it from falling into the wrong hands.
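The two controls described above, encrypted channels for data in transit and classification labels that govern who may receive what, can be enforced at the point where data leaves your systems. The following Python example is added here for illustration and is not code from the article or from Cyber Tec Security; the supplier register, the hostnames, the classification levels and the `check_transfer` function are all constructed assumptions. It builds a TLS client context that refuses unverified or pre-1.2 connections, and it gates a transfer on two checks: the channel must be HTTPS, and the supplier must be cleared for the label attached to the data.

```python
import ssl
from enum import IntEnum
from urllib.parse import urlparse


class Classification(IntEnum):
    """Constructed data classification scale; higher means more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Constructed supplier register (hypothetical hostnames): the highest
# classification each supplier has been vetted and contracted to receive.
SUPPLIER_CLEARANCE = {
    "parts-supplier.example": Classification.INTERNAL,
    "payroll-provider.example": Classification.RESTRICTED,
}


def hardened_client_context() -> ssl.SSLContext:
    """TLS client context for outbound supplier transfers.

    create_default_context() already loads system CAs and verifies the
    peer; we additionally pin the minimum protocol version so a downgraded
    or legacy endpoint is refused rather than silently accepted.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def check_transfer(url: str, label: Classification) -> tuple:
    """Decide whether data with `label` may be sent to `url`.

    Returns (allowed, reason). Both checks must pass: the channel must be
    HTTPS (plaintext is never acceptable, even for PUBLIC data, because the
    same channel carries credentials and metadata), and the destination
    must be a known supplier cleared for at least this classification.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, "refused: channel is not HTTPS"
    host = parsed.hostname
    if host not in SUPPLIER_CLEARANCE:
        return False, f"refused: {host!r} is not a vetted supplier"
    if label > SUPPLIER_CLEARANCE[host]:
        return False, (f"refused: {host!r} is cleared up to "
                       f"{SUPPLIER_CLEARANCE[host].name}, data is {label.name}")
    return True, "allowed"


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("minimum TLS version:", ctx.minimum_version.name)
    for url, label in [
        ("http://parts-supplier.example/upload", Classification.PUBLIC),
        ("https://parts-supplier.example/upload", Classification.CONFIDENTIAL),
        ("https://payroll-provider.example/upload", Classification.RESTRICTED),
        ("https://unknown-vendor.example/upload", Classification.INTERNAL),
    ]:
        print(url, label.name, "->", check_transfer(url, label))
```

In practice the register would be populated from your supplier vetting records, and the context returned by `hardened_client_context()` would be passed to whatever HTTP client performs the upload, so that the policy decision and the channel hardening are applied by the same code path every time.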

When it comes to supply chains, the security of each business is not wholly an individual responsibility. It is in every business’s best interest to maintain good standards and to have a clear picture of the security processes, policies and solutions implemented by each business in the chain. These all play a major role in mitigating supply chain cyber threats, as well as proving to clients and prospective customers that you take the protection of their data and your own cyber security seriously.

About the Author

Clive Madders is Chief Technical Officer and Assessor at Cyber Tec Security. He works directly with businesses as they achieve the UK Government’s Cyber Essentials certification, giving him a deep understanding of where the common vulnerabilities lie for small-medium sized businesses. With over 25 years’ experience in the industry, Clive has built up an extensive repertoire as an Enterprise Solution Architect, delivering managed ICT support services, cyber security certifications and advanced security solutions to help improve the cyber security maturity of businesses across the UK.

Featured image: ©Temp-64GTX