Supply Chain Risk Management: Be prepared for cyber attacks

Different companies are connected to each other in the supply chain. But what if a supplier suffers a cyber attack? Such an IT security incident at a member of the supply chain can also affect your own company and have drastic consequences.

In 2022, up to 60% of security incidents could originate outside the boundaries of one’s own company. With forward-looking measures for supply chain risk (SCR) management, it is possible to prevent cyber attacks on members of the supply chain from spreading to your own company.

A comment from Fred Tavas of Trustwave:

The possible consequences of a cyber security incident in the supply chain include, above all, a standstill of your own business operations and the theft of data stored by the supplier. But how can this be prevented?

First of all, companies should know their suppliers. This point sounds self-evident – but many companies do not know exactly who is behind their suppliers. The first step on the way to secure SCR management should therefore be a list of all suppliers. Often this list is compiled only on the basis of the value of the services or goods supplied, and suppliers who do not reach a certain cost threshold are usually not analyzed in more detail. However, some of the suppliers that fall through the cracks in this way may well be worth a closer look – like the printer of the annual corporate gifts, who holds a company’s entire customer list.

You should then sort this list and evaluate all suppliers according to their criticality: Which ones are important for your own company? And what impact would a cybersecurity incident at one of these suppliers have? Of particular importance are those suppliers who have access to company systems, classified data or personally identifiable information (PII). These critical suppliers should then be reviewed and analyzed in more depth.

Regular risk assessment is essential

Cybersecurity frameworks help to define and monitor security policies. They contain standards, guidelines and best practices for assessing individual cybersecurity risk. Applied regularly, they ensure continuous monitoring of IT security and systems. Frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework can not only be applied to your own company, but are also well suited for assessing the IT security risk of suppliers.

Framework evaluation questions cover, for example, the vendor’s data encryption capabilities, use of multi-factor authentication (MFA), password policies and patch management, network architecture and segmentation, and cloud usage. Since assessment questions can also be answered untruthfully, evidence should be requested. This can take the form of confirmations of compliance with security guidelines, penetration test reports, certifications such as DIN EN ISO 27001, or audit reports under the SOC 2 standard (System and Organization Controls 2).

Draw the right conclusions

Knowing which parameters go into the risk assessment of a supplier, and how the weak points identified there can affect your own company, is essential. Suppose, for example, a supplier has SSL vulnerabilities: are these a problem for your own company? If the supplier stores the company’s customer data on a publicly accessible system: definitely. But if the supplier only delivers flowers to the reception desk, this weakness does not affect your own company.

Interpreting the multitude of cybersecurity reports, certificates, scans and free-text responses requires a wide range of knowledge. Most IT or audit generalists do not have it, and AI-based security scans cannot process the data accurately either. Companies can therefore outsource the evaluation and interpretation of their risk assessments to an external provider. In addition to a quick and expert evaluation, such a provider can also recommend measures to close security gaps at high-risk suppliers.

Threat detection should be part of the SCR strategy

As the SolarWinds incident of 2020 showed, no amount of risk assessment can protect against a potential nation-state attack. However, a threat detection service or feature provides real-time alerts for incidents and breaches. That way you can at least react quickly and, at best, stop the threat before it reaches your company’s critical systems.

Working with a Managed Security Service Provider (MSSP) can help improve an organization’s resilience to supply chain risks and shorten the time it takes to get an SCR management program up and running. An MSSP can also help when organizations want to reconsider their internal cyber risk assessments or are looking for an efficient external vendor to carry them out on their behalf.