Mitigating Supply Chain Risk – A CISOs Challenge


With greater reliance on third-party software supply chains comes the heightened risk of security issues manifesting outside of your initial oversight and control.

To paraphrase a saying: if you’re a supplier and you think nobody cares whether you’re active, try getting hacked. (Our advice, incidentally, is to do the exact opposite.)

In the last few years, awareness of the risks around supply chain security has gone from … well, a lack of awareness to shouting it from the rooftops. Unfortunately for CISOs and their teams, this has been entirely because there have been so many supplier-led cyber-disasters in recent times that have made front-page news.

The main problem with the supply chain is that it’s like the iceberg of cybersecurity: you can’t see most of it. Your direct suppliers – the ones you actually buy stuff from – at least have the benefit that you know them, can ask them questions and can request evidence of their cyber arrangements. You probably have a proper contract with most of them, containing some governance controls around their attitude and approach to cybersecurity. But for every direct supplier there’s no shortage of indirect ones – your suppliers’ suppliers, their suppliers, and so on through who knows how many layers. There’s not a great deal of stats out there regarding just how many upstream suppliers one might rely on, but one source argues that half of organisations have indirect relationships with 200 or more fourth-party suppliers who’ve had a breach.

If you thought it was bad, it could be even worse. In reality, you don’t really have any control over your suppliers. The contract might just about be worth the paper it’s written on, but hey, paper’s only $10 a ream so maybe that’s not enough. What matters with a contract is what happens when something goes wrong.

Supplier contracts have penalty clauses (generally regarding service credits in the event of a failure to deliver), criteria for early termination and the like. Yet service credits seldom provide recompense for the inconvenience or potential loss of business – and for all but the smallest suppliers, exiting the relationship can be onerous, and to do so means finding an alternative supplier (presumably the supplier you were working with was the best choice at the time, so replacing them might be a step down in quality or suitability).

Mitigating The Risk


So, suppliers are a cyber risk which you can’t really mitigate very much. But that’s enough doom and gloom. We have painted a very dark picture of supply chain risk – not least because there’s a lot of it. So how can we deal with it?

First, do the simple thing: regardless of all the downsides to the “what if something goes wrong” contract clauses, you absolutely need them. Never, never be nice about them: push for everything you can, because these things exist in case you need them one day. But be realistic – the larger the supplier, the less flexibility there’s going to be in the contract.

The main thing to do, though, is to look at the risks in two basic categories. Firstly, the cyber risk a supplier presents to your own organisation – that is, the likelihood of you suffering a cyber attack as a result of action (or inaction) by the supplier and/or their upstream suppliers. This particularly means suppliers that have some kind of access to your systems (support staff with remote access to fix issues, for example, or VPNs for data interchange) and who can cause you cyber grief.

Not Just a Cyber Risk Impacts Cyber


Arguably much more important is to consider the non-cyber risk: that is, how else can a supplier or their upstream counterparts damage or destroy our business? Had Atlanta airport, for example, considered the risk of the shutdown of the Colonial fuel pipeline, which provided about 70% of its aviation fuel? Of course they had – the upshot was not headlines screaming “Flights cancelled through fuel supply hack” but instead “Backup jet fuel supplies keep planes flying”.

In this latter case, look as far upstream as you can. If your organisation is big enough to have the clout, work with them to understand their suppliers’ threats: if they’re any good they should already have looked into this stuff for themselves anyway, and if they haven’t then question whether you should be dealing with them. Work hard on what would happen to your business if the supplier was down for 24, 48 or 72 hours – and if it were to collapse completely. And if you’re too small for the supplier to engage meaningfully: guess (or, less flippantly: deduce). You should be able to figure out supplier risk at least at a high level, and particularly with local suppliers, you should be able to figure out their suppliers for key items or services that form their risk profile.
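The upstream-mapping and “down for 24, 48 or 72 hours” exercise above is easier to reason about once the supplier relationships are written down as data. The following Python is an added example, not part of the original article or any Fortra tooling: it models direct suppliers and their upstream (fourth-party and beyond) suppliers as a graph, computes the full transitive upstream set for each direct supplier, finds upstream parties that several of your suppliers share (a single point of failure you only see by looking past tier one), checks an outage scenario against the tolerance you have worked out per supplier, and cross-references breach reports. All supplier names, tolerances and the breach list are constructed sample data.

```python
from collections import deque

# Constructed sample data (illustrative names, not real companies):
# each supplier maps to the upstream suppliers it depends on.
UPSTREAM = {
    "payroll-saas": ["cloud-host-A", "email-gateway-X"],
    "msp-support": ["cloud-host-A", "rmm-tool-Y"],
    "fuel-distributor": ["pipeline-Z"],
    "cloud-host-A": ["dc-power-co"],
    "rmm-tool-Y": ["cloud-host-A"],
}
DIRECT_SUPPLIERS = ("payroll-saas", "msp-support", "fuel-distributor")

# Hours each direct supplier's service can be down before the impact is
# serious; constructed figures using the article's 24/48/72 hour framing.
TOLERANCE_HOURS = {"payroll-saas": 72, "msp-support": 24, "fuel-distributor": 48}

# Direct suppliers with access into our own environment (the article's
# first, "cyber risk" category); every supplier is also an operational risk.
HAS_ACCESS = {"msp-support"}

# Upstream parties a breach-monitoring feed has reported as compromised (constructed).
BREACHED = {"email-gateway-X"}


def transitive_upstream(supplier, graph=UPSTREAM):
    """Every upstream party reachable from `supplier`, mapped to its nearest tier
    (1 = the supplier's own supplier, 2 = their supplier, and so on)."""
    tiers = {}
    queue = deque([(supplier, 0)])
    while queue:
        node, depth = queue.popleft()
        for up in graph.get(node, ()):
            if up not in tiers:  # breadth-first, so the first visit is the shortest path
                tiers[up] = depth + 1
                queue.append((up, depth + 1))
    return tiers


def shared_upstream(direct=DIRECT_SUPPLIERS, graph=UPSTREAM):
    """Upstream parties on which more than one direct supplier depends: one
    failure there takes out several of our suppliers at the same time."""
    dependants = {}
    for s in direct:
        for up in transitive_upstream(s, graph):
            dependants.setdefault(up, set()).add(s)
    return {up: sorted(ds) for up, ds in dependants.items() if len(ds) > 1}


def affected_by_outage(failed_party, outage_hours, direct=DIRECT_SUPPLIERS,
                       graph=UPSTREAM, tolerance=TOLERANCE_HOURS):
    """Direct suppliers knocked out by `failed_party` being down for `outage_hours`,
    and whether that exceeds the tolerance worked out for each of them."""
    hits = []
    for s in sorted(direct):
        if s == failed_party or failed_party in transitive_upstream(s, graph):
            limit = tolerance[s]
            hits.append((s, limit, "exceeded" if outage_hours > limit else "within"))
    return hits


def breached_exposure(direct=DIRECT_SUPPLIERS, graph=UPSTREAM, breached=BREACHED):
    """Which reported-breached upstream parties sit behind each direct supplier."""
    return {s: sorted(set(transitive_upstream(s, graph)) & breached) for s in direct}


def risk_category(supplier, has_access=HAS_ACCESS):
    """The article's two buckets: suppliers with access into our systems are a
    cyber risk as well as an operational one; the rest are operational only."""
    return "cyber+operational" if supplier in has_access else "operational"


if __name__ == "__main__":
    for s in DIRECT_SUPPLIERS:
        print(s, risk_category(s), transitive_upstream(s))
    print("shared upstream single points of failure:", shared_upstream())
    print("48h outage at dc-power-co:", affected_by_outage("dc-power-co", 48))
    print("breached upstream exposure:", breached_exposure())
```

With the sample data, `dc-power-co` never appears on anyone's contract yet sits beneath two of the three direct suppliers, and a 48-hour outage there exceeds the tolerance set for the MSP but not for payroll; that is the kind of finding the deduction the article recommends is meant to surface. Replace the constructed dictionaries with what you actually learn from suppliers (or deduce about them) and the same functions apply.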

Finally, bear in mind that there are companies out there that will do a lot of your supplier stuff for you: monitor dark web sources for data that seems to have been stolen from them; monitor news feeds for stories of suppliers getting hacked; watch their public-facing systems for downtime. Because if you can’t do all the research and monitoring yourself, why not get someone else to do it for you?
