In addition to the cyber risks known to all companies, there are also those related to the supply chain, or third-party risk.
The more extensive the supply chain, the larger the risk surface. Coupled with the spread of telecommuting and the multiplication of connections, the CISO's task becomes arduous. There are many answers, but in the face of such complexity it is critical to apply basic security measures.
Fifteen years ago, it was “simple” for a CISO or CIO to detect an anomaly on his or her network, and also quite simple to protect against attacks. Most attacks were carried out directly by humans rather than through entry points in the many pieces of hardware and software connected to the network. Another major change is the supply chain. Where a small or medium-sized company used to use only a few components to make its product, today the components come from several hundred companies around the world. The example of the cell phone alone speaks for itself: the components are made, and the device assembled, abroad. This implies that a company must trust by default those who manufacture and assemble these components. This can be a risky bet.
In fact, attackers know that the supply chain is a weak link and that its risk is often underestimated by organisations and States. Attackers exploit this flaw to achieve their goals. Just think of the “backdoors” that are almost institutionalised by certain States, and that are even present in “secure” equipment.
Risk assessment and prevention: an absolute necessity for CISOs
In light of this situation, risk assessment for the supply chain has become a critical issue (regardless of the acronym used to cover this policy: C-SCRM, TPCRM, VRM…). Let’s just take the example of a computer, a phone or any other electronic object: who checks and evaluates the third parties in the supply chain? Who is able to verify, among the thousands of containers in each port “hub”, that the material is compliant and has integrity? We have to trust each actor in the chain. Once again, this is a risky bet. But how can we protect ourselves, at least?
How to manage third-party risk: back to basics
Dealing with supply chain risks requires monitoring a wide scope, involving the legal department (to comply with anti-corruption regulations, sector regulations and international standards such as ISO 37001), the purchasing and procurement department, transversal functions (IT, etc.) and of course the CISO. From Tier 1 to Tier 4, how do you analyse and protect against risks?
1. Evaluate the supplier’s reputation and the risk related to the product
It is important to decouple the reputation of the supplier from the product itself. For example, a start-up may have a poor reputation rating because it has little experience in the industry, but its product may be risk-free. Audit firms can assess the vendor’s compliance with standards such as ISO 27001 (and GDPR, PCI, FCRA, SOX, HIPAA, etc., where applicable) and perform SOC 2 Type I or Type II assessments, among others. But these assessments are primarily about the company, not the product. When working with newly formed companies, make sure you can view the company’s product controls. Independent code reviews and application vulnerability reports are also very useful, as they assess both the software code and its in situ penetrability.
2. Conduct a comprehensive, but tailored, vendor questionnaire
Many organisations have standard vendor questionnaires. But these questionnaires must assess the use of the product in the target environment. For example, the questionnaire for a cloud provider should be different than the one for a software vendor that is intended to be deployed internally. Be sure to ask yourself about your internal security policies: are they useful in evaluating the vendor’s risk position and its product? To properly evaluate the vendor, the questionnaire must be tailored to the type of product you are evaluating and the capabilities it will provide.
3. Deploy a periodic assessment and review program
Onboarding third-party assets is not a “once and for all” process. Even if a product has worked perfectly for the past ten years, you need to schedule a regular review process. If you fail to do so, you put the company at risk as new vulnerabilities emerge. Assess the security of third-party products at least once a year. This review process involves ensuring that patches and updates are fully planned and consistently applied. This involves a robust testing and implementation process. If it takes you 6 months to deploy a critical patch, you might as well say it’s useless.
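Steps 1 and 3 above describe two habits that are easy to state and easy to lose track of: keeping the vendor's reputation score separate from the product's own risk score, and checking every third-party asset on a fixed cadence with patches applied within a short window. The following is an added illustration, not code from the article or from Semperis: a small third-party asset register in Python that reports the two scores separately (so a young vendor with a low-risk product is sent for product-control review rather than rejected on reputation alone), flags reviews older than a year, and flags critical patches pending longer than a 30-day SLA. The register entries, the 1 to 5 scales and the 30-day SLA are constructed for the example; the article only says reviews should happen at least yearly and that six months is far too long for a critical patch.

```python
from dataclasses import dataclass, field
from datetime import date

# Thresholds constructed for this example. The article states "at least once a
# year" for reviews; the 30-day patch SLA is an assumed figure, not the article's.
REVIEW_INTERVAL_DAYS = 365
CRITICAL_PATCH_SLA_DAYS = 30


@dataclass
class ThirdPartyAsset:
    vendor: str
    product: str
    vendor_reputation: int   # 1 (weak) .. 5 (strong): company-level evidence (ISO 27001, SOC 2 reports)
    product_risk: int        # 1 (low) .. 5 (high): product-level evidence (code review, vulnerability reports)
    last_review: date
    # Release dates of critical fixes that have not yet been deployed on our side.
    critical_patches_pending: list = field(default_factory=list)


def review_overdue(asset: ThirdPartyAsset, today: date) -> bool:
    """True when the last periodic review is older than the agreed interval."""
    return (today - asset.last_review).days > REVIEW_INTERVAL_DAYS


def patch_sla_breaches(asset: ThirdPartyAsset, today: date) -> list:
    """Ages in days of pending critical patches that have exceeded the SLA."""
    ages = [(today - released).days for released in asset.critical_patches_pending]
    return [age for age in ages if age > CRITICAL_PATCH_SLA_DAYS]


def assess(asset: ThirdPartyAsset, today: date) -> list:
    """Findings for one asset. Vendor and product judgements are reported
    separately and never blended into a single number (step 1)."""
    findings = []
    if asset.product_risk >= 4:
        findings.append("high product risk regardless of vendor reputation: require remediation evidence")
    if asset.vendor_reputation <= 2:
        if asset.product_risk <= 2:
            # The start-up case from the article: weak reputation, low-risk product.
            findings.append("low vendor reputation but low product risk: obtain product controls "
                            "and an independent code review before deciding")
        else:
            findings.append("low vendor reputation: obtain product controls before onboarding")
    # Step 3: periodic review cadence and patch discipline.
    if review_overdue(asset, today):
        findings.append(f"review overdue: last reviewed {asset.last_review.isoformat()}")
    for age in patch_sla_breaches(asset, today):
        findings.append(f"critical patch pending {age} days, SLA is {CRITICAL_PATCH_SLA_DAYS}")
    return findings


def assess_register(assets, today: date) -> dict:
    """Map 'vendor/product' to its list of findings; an empty list means clean."""
    return {f"{a.vendor}/{a.product}": assess(a, today) for a in assets}


# Constructed sample register; vendors, products and dates are invented.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_REGISTER = [
    ThirdPartyAsset("NewCo", "Analytics", vendor_reputation=2, product_risk=1,
                    last_review=date(2024, 3, 1)),
    ThirdPartyAsset("LegacyVendor", "ERP Connector", vendor_reputation=5, product_risk=3,
                    last_review=date(2022, 12, 15),
                    critical_patches_pending=[date(2023, 11, 1)]),
]

if __name__ == "__main__":
    for key, findings in assess_register(SAMPLE_REGISTER, SAMPLE_TODAY).items():
        print(key)
        for line in findings or ["no findings"]:
            print("  -", line)
```

Run as a script it prints the findings per asset; the long-standing vendor with a strong reputation is the one that surfaces both an overdue review and a patch that has been pending for over 200 days, which is the point of step 3: a good reputation and ten years of service do not substitute for the review cycle.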
4. Change management
Change management is inherently linked to the supply chain and therefore essential to addressing any third-party risk. The supply chain introduces new components into the organisation, components that must be assessed by each stakeholder. On the one hand, it is necessary to obtain their buy-in; on the other, to make them responsible for evaluating new products, components or services within their scope. Each stakeholder conducts a risk assessment based on the proposal submitted to them. A good change management process, with periodic review, is essential to making decisions that reduce third-party risk.
5. Consider external and internal environmental risks
In addition to the product, there are many intangible risks that can impact the supply chain, such as human and geopolitical factors. For the former, it is, for example, difficult to trust a supplier with a high turnover of top managers. The stability of the decision-makers is a guarantee of the quality of the product. On the geopolitical side, country risk should be carefully monitored. For example, in times of inter-state conflict, a software company based in a war-torn country may see its security rating lowered by other nations due to the pressures of the conflict.
About the Author
Dan Bowdrey is Sales Director, UK and Ireland at www.Semperis.com. Dan brings over 25 years’ experience within the IBM and Microsoft messaging and directory services space to his role as Sales Director, UKI. His previous roles have included managing some of the most diverse and complex infrastructure environments globally across a range of industry sectors. More recently he has specialised in directory synchronisation and migration services from Active Directory to the cloud. Dan advises on best practice and protection in highly complex cross-cloud and hybrid environments.
Featured image: ©Enanauchit