The rapid pace of digitisation and the growing reliance on third parties and cloud services is massively expanding the threat surface. In the last year, four in five organisations were notified of a software supply chain attack where adversaries tried to disrupt, compromise systems or leak sensitive data via a third party.
The expanded threat surface isn’t the only point of concern. Attack methods are evolving, and attackers are becoming smarter by the minute. For example, when Log4j was announced, hackers were making millions of attempts per hour to steal data, install malware or take control of systems through the Log4j vulnerability. Hackers also know that small suppliers often don’t have the same level of security defenses compared to large enterprises, making them easier to target.
According to chief information security officers, risks from the software supply chain—also called vendor risk—has emerged as one of the top two security priorities. So how can organisations manage supply chain risks better? Here are six tips that can help.
1. Get visibility on all suppliers
Some 60% of organisations work with more than 1,000 suppliers, while the average Fortune 500 company has at least 10,000 partners. This creates myriad opportunities for supply chain risk. Without a comprehensive understanding of what the supplier ecosystem is, where they operate from and what they supply to the business, it’s difficult to decide where to direct mitigation efforts.
Start with the relevant department within your organisation—including businesses that have been acquired—and get visibility into how many contracts and how many suppliers have access to corporate resources. This allows risk managers to understand which suppliers carry the most risk.
2. Triage by level of criticality
Once the riskiest suppliers are identified, companies must determine which of those need to be triaged from a security perspective. Start by creating a vendor questionnaire to better understand what their capabilities are, where they operate from, what type of systems they have access to and what information the organisation shares with them. Next, divide these suppliers into tiers based on risk exposure. For example, you might have five tiers, with Tier One being the most sensitive and Tier Five being the least important.
3. Evaluate supplier controls
Once critical suppliers are identified, verify whether they’re following cyber security best practices and standards so that the entire ecosystem achieves a uniform level of security. For example, regulated industries and suppliers operating in certain geographies may require commitment to strict compliance and data privacy mandates. Thus, it’s important to evaluate them from a compliance standpoint as well as a legal perspective. Don’t forget to document all supplier procedures, processes and key contacts and keep them up to date.
4. Perform in-depth assessments if needed
Critical suppliers should be looked at with great care. Study their contracts carefully and verify that all security requirements and necessary controls are clearly baked in. Check whether the vendor has had a recent security incident. Organisations can leverage open-source intelligence and deep-web investigations to understand whether there’s a history of breaches associated with the partner/supplier. If so, ask questions to re-evaluate their level of risk and ensure appropriate protocols are in place for vulnerability disclosures and incident notifications.
5. Ensure continuous supply chain assurance…