Most companies can no longer function and remain competitive without relying on some form of software or system that is owned or supported by another organisation. Supply chain security has rapidly evolved from focusing on the protection of physical security to needing an experienced view on cyber security to protect data and information assets.
We are all relying on our suppliers, and their suppliers in turn, to effectively manage their security, and as threat actors continue to develop their techniques and increase the volume of attacks they make in to multiple supply chains, more and more organisations are at risk.
As the UK Governments 2021 Cyber Security Breaches Survey highlights “the majority of organisations of all sizes have not formally reviewed the risks posed by their immediate suppliers and wider supply chain”. It’s surprising to read on further in these findings and discover that lacking time, information and knowledge are the main reasons for not reviewing supply chain security risks. A common theme when it comes to cyber security in many organisations, and one that we hope we can continue to help address.
The bottom line is that supply chain attacks lead to operational disruption, financial loss and reputational damage, and this can impact businesses and organisations of all sizes from multiple angles.
As IT services are so commonly outsourced let’s start by looking at the supply chain risks present in these relationships. Although we don’t seek to start a relationship with a negative stance, it’s prudent to be aware that as soon as you outsource your IT services to a 3rd party your systems are linked to theirs, which means that any weak points or risks in their systems become yours. Beyond this, your IT provider may well be using other 3rd parties to enable the delivery of their services to you, so by virtue of this you also inherit risks from the connected networks of your supplier. It’s getting complicated you might think, well that’s because it is.
A natural extension of outsourcing IT services is organisations using cloud services. Cloud providers hold large amounts of your data and that of your customers, often this might be held in other countries and be supported by another organisation working with your direct supplier. Methods that attackers use to gain access to the data held by cloud services are multiple and include password spraying, credential stuffing and phishing – their key aim being to gain access to systems that can have a direct impact on organisations within the providers customer base. Microsoft have been tracking the work of Nobelium (think SolarWinds) and report that one of their latest attack methods is to target cloud services providers as it allows them to target multiple organisations at the same time.
An increasingly common part of the supply chain for SME businesses is to outsource some core functions such as HR or Payroll. Both of these providers hold very sensitive information not only about your business but also your employees. They may have access to your banking details, and are most likely supported again by other organisations who you don’t directly have a contractual relationship with. The layers of risk inherent in these relationships are not to be ignored as it is here that your business could be at risk of very real losses or damage, so diligent sourcing and management of suppliers is key.
As mentioned, it’s hard to run your business without having suppliers, however it’s not just their systems opening you up to supply chain security risks, their people and processes add to the risk level. Protecting yourself from Ransomware attacks or the impact of employees interacting with Phishing emails is something you can have direct influence over, however your suppliers need to be as vigilant if not more so as the potential knock on impact of them suffering one of these attacks could be catastrophic for their customers. Due to the ways in which attackers deploy these campaigns one of the best layers of protection remains user training.
Ensuring that your own staff are trained and have the best possible levels of awareness when it comes to cyber security is a wise investment to make, and it also shows to your suppliers that you are committed to protecting your business. In turn this will give you more leverage when it comes to asking this of your suppliers, not only this but you will also be able to talk with real experience about the positive impact such training & awareness has for the people and business.
Now that you have a better understanding of what some of the key supply chain security risks could be for your business, it may feel overwhelming when thinking about where and how to begin securing your supply chain. A good starting point would be to invest time with a cross functional team in working out what’s of most importance in ensuring delivery of products, services and systems for your organisation. This will give you an initial focus. Also, if you are starting from the very beginning it would be valuable to spend time setting some minimum standards, and not trying to achieve every possible measure from the get go, it may help make this process feel more manageable.
Once your supply chain security is in focus it is going to be a very dynamic part of keeping your business secure from cyber threats. Changes within the business and operations can impact the supply chain and need to be communicated to suppliers to ensure they are still delivering what you need of them. Beyond this, changes in supplier businesses are something you will need to be kept abreast of too as the effects of these may require changes to your security approach.
Working with specialists can help cut through the concerns where you may be overwhelmed, struggling to prioritise your focus or indeed burying your head in the sand and hoping all will be okay. Supply chain security need not be any of this with the right support in place that can aid you in building and developing your knowledge and teams to the levels they need to be at, in order that you can take real ownership of protecting your organisation.
In a 3rd piece looking at supply chain risks we will dive in to the various ways you can invest in keeping your organisation as protected as can be and how cyber security is part of a process of continuous improvement in today’s threat landscape.