
Securing the Supply Chain During Periods of Instability


Five Proactive Steps Towards Stabilisation

Global pressures on the supply chain increase significantly during periods of instability and conflict, and with them the risk of major business disruption from cyber attacks that target suppliers. Another 'NotPetya' type attack, which in 2017 spread through a compromised update to an accounting package used in one country and then into the multinationals operating there, could again be felt around the rest of the world.

Organisations must review their inventory of suppliers, and may need to cut back on their links with suppliers in affected regions.

1. Review your supplier inventory

For each supplier, keep up-to-date details of:

  • the exact nature of services (e.g. software design and build)
  • the type of products (e.g. computer and network equipment)
  • their main geographical locations

2. Update supply chain information risk assessments

Keep the picture of risk across the supply chain up to date, focusing especially on those in affected regions. Include lists of:

  • highest risk suppliers by criticality and geographical location
  • recently acquired suppliers (where risk posture could still be undefined)
  • recently terminated suppliers.

3. Increase efforts to manage high-risk suppliers or those with undefined risk posture

Enhance management of high-risk suppliers by:

  • ensuring all key contact information is up to date
  • updating evaluation questionnaires with specific security clauses (e.g. adding cyber resilience requirements)
  • using continuous monitoring techniques (e.g. open source intelligence and non-intrusive external attack surface scanning, such as checking that the TLS certificates on a supplier's public services are valid and not about to expire)
  • identifying potential vulnerabilities in your supply chain and pushing vendors of software to prioritise prompt remediation
  • looking for new initiatives to assess supplier security, focusing on strong software security (e.g. Supply Chain Levels for Software Artifacts (SLSA), Software Bill of Materials (SBOM)).
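
The certificate check mentioned under continuous monitoring can be automated with the Python standard library alone. The script below is an added example written for this page, not code from the original brief: it performs one TLS handshake per supplier endpoint (the same thing any browser does, so it stays non-intrusive), then classifies the returned certificate by days to expiry and by whether the hostname is actually covered by its subjectAltName entries. The host `portal.supplier.example`, the 30-day warning threshold and the embedded certificate dictionary are constructed for illustration.

```python
"""Non-intrusive TLS certificate check for a supplier's public endpoints.

Added example, not from the original brief. A single TLS handshake is an
ordinary client connection; anything beyond that (port scans, vulnerability
probes) needs the supplier's agreement. Hostnames here are hypothetical.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

DAY = 86400


def fetch_peer_cert(host, port=443, timeout=5.0):
    """One TLS handshake; returns the dict produced by SSLSocket.getpeercert().

    The default context verifies the chain against the system trust store, so
    an untrusted or expired certificate raises ssl.SSLCertVerificationError
    instead of returning (getpeercert() is empty when verification is off).
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def hostname_covered(cert, host):
    """True if host matches a DNS subjectAltName entry, exactly or via a
    single-label wildcard, which is the rule browsers apply."""
    host = host.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.lower()
        if name == host:
            return True
        # '*.supplier.example' covers 'www.supplier.example' but neither
        # 'supplier.example' nor 'a.b.supplier.example'.
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def assess_cert(cert, host, now=None, warn_days=30):
    """Classify a getpeercert()-style dict relative to `now` (UTC).

    Status is one of 'expired', 'not_yet_valid', 'expiring' (fewer than
    warn_days left) or 'ok'; days_left is floored, so it is negative once
    the certificate has expired.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    now_ts = int(now.timestamp())
    not_after = int(ssl.cert_time_to_seconds(cert["notAfter"]))
    days_left = (not_after - now_ts) // DAY
    not_before = cert.get("notBefore")
    if days_left < 0:
        status = "expired"
    elif not_before and now_ts < int(ssl.cert_time_to_seconds(not_before)):
        status = "not_yet_valid"
    elif days_left < warn_days:
        status = "expiring"
    else:
        status = "ok"
    return {
        "host": host,
        "status": status,
        "days_left": days_left,
        "not_after": cert["notAfter"],
        "hostname_ok": hostname_covered(cert, host),
    }


def check_supplier(host, port=443, warn_days=30):
    """End-to-end check for one endpoint; failures become findings, not exceptions."""
    try:
        cert = fetch_peer_cert(host, port)
    except ssl.SSLCertVerificationError as exc:  # subclass of SSLError, so first
        return {"host": host, "status": "untrusted", "detail": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        return {"host": host, "status": "unreachable", "detail": str(exc)}
    return assess_cert(cert, host, warn_days=warn_days)


# Constructed sample in getpeercert() format; not a real supplier's certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "portal.supplier.example"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Mar 14 00:00:00 2025 GMT",
    "notAfter": "Jun 12 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "portal.supplier.example"),
                       ("DNS", "*.supplier.example")),
}


if __name__ == "__main__":
    # Usage: python check_supplier_tls.py portal.supplier.example [more hosts]
    for target in sys.argv[1:] or ["portal.supplier.example"]:
        print(check_supplier(target))
```

Two design points matter in practice. First, `getpeercert()` only returns details when the chain verified, so a supplier presenting a self-signed or already-expired certificate shows up as a separate `untrusted` finding rather than as a number of days; both are worth a follow-up question to the supplier. Second, the assessment is separated from the network fetch so the classification can be run against stored observations (or, as above, against a constructed dictionary) without touching the supplier again.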

4. Follow a robust process when terminating supplier relationships

If a political or business decision is made to cut operations in affected areas, ensure that in relation to terminated suppliers:

  • all information is securely deleted using data sanitisation techniques (e.g. cryptographic erase)
  • all physical and network access is revoked
  • all user access (including cloud-based shared data) is removed.

5. Test your incident response plan

To prepare for a scenario where a key supplier is impacted or needs to be isolated, test response plans by:

  • creating and workshopping various scenarios
  • running tabletop cyber incident exercises.