05 November 2021 | Scott Nursten
When SolarWinds' network management system was attacked in December 2020, the attack compromised the supply chain of over 18,000 organisations, including the Pentagon. The more recent Kaseya attack infected over 1,500 small to medium-sized companies with ransomware, demonstrating that these attacks can impact any type of business – even technology specialists.
Avoiding a similar nightmare means zero trust and zero assumption. If suppliers have access to your data, you need assurances that they operate to the same security standards as you do. By going up the supply chain, attackers can significantly magnify both damage and revenue. Instead of disrupting one business and collecting one ransom, they could – as in the case of SolarWinds – potentially multiply results 18,000 times.
Securing your supply chain means working together
In 2018, GCHQ’s National Cyber Security Centre (NCSC) published its principles of supply chain security, in partnership with the Centre for the Protection of National Infrastructure (CPNI). The CPNI’s purpose is to safeguard UK national security, taking action to reduce our vulnerability to terrorism, espionage and sabotage, among other threats.
There are twelve principles which can be grouped into four clear stages, each building on the last to help you achieve cyber, physical and personnel security with your suppliers. Insurers won’t pay out on consequential losses without evidence, making it your responsibility as a business owner to ensure a provable audit trail of security measures.
First, you need to gather information to create a clear picture of your entire supply chain. This might take significant time and effort but it’s essential. Start with your own business. How sensitive are your contracts and who has access to your information? Who are your suppliers and what does their security look like?
You need to feel confident that your suppliers have security measures in place that align with your own. Document everything you need to know – and don’t forget subcontractors. Once you have this comprehensive view, you can create appropriate risk profiles and levels of data protection you expect suppliers to provide.
Risk profiling can be tricky, however. The office cleaner, for instance, will carry a lower risk profile than your IT service provider. This means that a bad actor could take advantage of any position deemed low-risk, using simple overalls as an entry card to plant, say, a USB key into a machine. Nobody would question the guy in the overalls. Access makes this persona potentially very dangerous, so how will you manage that risk?
Communicate your security standards to your suppliers and set minimum security requirements that are justified and achievable. Also make clear the implications of failing to meet them.
Set the example you want to see in your suppliers by meeting your own responsibilities as a supplier and consumer. Raise awareness of the importance of security within your supply chain and establish a support process for handling security incidents.
You should feel confident in your approach to establishing supply chain control. You also need proof of wraparound security controls in the event of a breach. This means receiving evidence that activities are being carried out to a satisfactory level.
Contracts should have security provisions built in. Also make sure your contracts are not allowed to run on too far. We dealt recently with a client working to an agreement that had been running unchecked for eleven years. Security has moved on so far since that contract was drafted that much of it is now meaningless. It certainly would not have helped in the event of a breach.
Including assurance requirements such as Cyber Essentials Plus or ISO 27001 will ensure your suppliers’ security requirements align with your own and should automatically ensure contractual oversights don’t happen. These also provide provable protocols that can help in the event of an insurance claim. Including a ‘right to audit’ clause helps you stay in control of your contracts: encourage your suppliers to do the same.
Supply chain evolution is inevitable, so your security must continuously improve. Encourage suppliers to continuously improve in line with your own strategic plan, in order to remain competitive and win future contracts with you. Advise and support your suppliers and avoid creating unnecessary barriers to improvements, while also allowing them time to achieve acceptable security levels.
Ultimately, supply chain security is a shared issue. Aim to build strategic partnerships with your suppliers from aligned best practice. Check each other’s homework, keep communication open and frank to strengthen your weakest links, and create a body of procedural evidence to support any potential future claim.
This article originally appeared in Platinum Business Magazine