Making your weakest link your strongest asset - how to get supply chain security right
Do you know how many vendors make up your supply chain? If you count all your cloud and software providers, business contractors, building maintenance engineers, logistics suppliers and equipment manufacturers, the number could easily run into hundreds of individual businesses, even for a mid-sized firm. This complex web of global inter-dependencies makes the world go round. But it also exposes organisations to serious cyber-risk: some estimates have put the share of information breaches that begin somewhere in the supply chain as high as 80%.
The more unmanaged suppliers you have, the greater your potential risk exposure. But there are things you can do to mitigate these risks, and it all starts with end-user education.
A complex web
No modern organisation could function without a complex network of firms on which it depends and which depend on it for vital products and services. There is just one problem: in a digital-first world, that network offers cyber-criminals, hacktivists and even nation states multiple points of weakness to exploit. Recently, for example, GCHQ's National Cyber Security Centre (NCSC) issued a supply chain risk warning covering cloud-enabled products and anti-virus tools, in the face of growing concern about Russian state attacks. NCSC technical director Ian Levy stated: "Our advice in this space is a bit complex and nuanced. That's because it's a complex problem with lots of nuances."
So, what are the main supply chain cyber-risks? To quote the government's CERT-UK: "With information and security arrangements shared across a supply chain, the cyber-security of any one organisation within the chain is potentially only as strong as that of the weakest member of the supply chain."
Supply chains within supply chains
There are several ways your organisation could suffer a compromise leading to information theft or a damaging service outage. The first lies in the digital supply chain. Most organisations today use software and services from third-party providers. But what happens when malicious actors plant malware high up in that chain? This happened in August 2017, when several Chrome extensions were compromised after their authors' Google Account credentials were phished. The hijacked extensions were then updated to serve malicious ads and to steal Cloudflare log-ins from users who had unwittingly installed them.
The same kind of attack was the starting point for the infamous NotPetya campaign of June 2017. On that occasion, Russia-linked attackers compromised the update mechanism of the popular Ukrainian accounting package M.E.Doc after stolen credentials gave them access to the vendor's infrastructure. A poisoned update was then used to push the malware to organisations across the country. From there it spread around the globe over the corporate networks and VPN links of multi-nationals with Ukrainian offices.
In an example of the kind of supply chains within supply chains that make cyber-risk even harder to contain, NotPetya outages at some of these firms then had a huge knock-on effect for their own customers. Global shipper Maersk and FedEx subsidiary TNT each put the cost of the outage to their company at around $300m, and drug-maker Merck reported similar losses.
Another way organisations can be affected is if attackers steal the credentials a supplier uses to log on to the corporate network. That is what happened in the now-infamous Target breach, where an HVAC contractor was compromised first, handing the attackers the virtual keys to the retailer's front door. Law firms are another frequently targeted weak link, as the Panama Papers and Paradise Papers leaks showed: both came about after hugely sensitive client information was stolen from offshore legal firms.
Even companies which should know better have been compromised to give attackers access to valuable data on their clients. In the case of Deloitte, the stolen log-in belonged to an administrator account that had been left unprotected by multi-factor authentication (MFA).
The impact of such incidents can be catastrophic, both for the bottom line and for the long-term reputation of the affected company. Few people remember the supply chain minnow that was initially to blame; it is the big fish that was breached that sticks in the public's mind. So what can we do to mitigate supply chain risk?
Organisations must start by clearly understanding their own place in the supply chain, then secure both their dependencies and the organisations that depend on them through closer collaboration. Communication is key, and standards help to establish a security baseline and a common language of risk: CERT-UK recommends the ISO 27000 and 31000 series as a good place to start. For this to be truly effective, though, the same security requirements must flow all the way down to sub-contractors, because they will be your next weakest link.
This is no time for heavy-handed demands. Create win-win relationships rather than purely transactional ones with your suppliers and the result will be a safer and more secure supply chain that benefits all stakeholders.
Technology and process upgrades may be necessary. MFA and least-privilege access policies for every third-party account, intrusion prevention, continuous monitoring and SIEM, effective patch management, and joint incident response plans are all key best-practice steps. It is particularly important that personnel changes on either side are communicated to supply chain partners immediately, so that the corresponding accounts can be updated or disabled rather than left live for a departed contractor to reuse. Again, effective communication between HR, IT and security teams is the name of the game.
The best technology in the world is no use if your employees, and those in supplier organisations, still get fooled by phishing attacks. Particularly in smaller firms, many individuals may struggle to see the bigger picture. They need to be taught how just one misplaced click could end up affecting tens of millions of innocent consumers. Vigilance and common sense should be their watchwords online.
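The account hygiene described above (MFA everywhere, least privilege, and prompt action on supplier staff changes) is easy to state and easy to let slip. As an added example that is not from the article or any particular product, the script below reconciles the accounts a supplier holds on our network against the staff roster that supplier sends us and against a least-privilege policy, and returns the actions to take. The supplier domain, group names, roles and the export format are all assumptions made for the example; the account data is constructed.

```python
"""Reconcile a supplier's accounts on our network against the supplier's
current staff roster and our least-privilege policy.

Added illustration, not code from the article. All field names, roles,
groups and accounts below are assumptions constructed for the example.
"""
from dataclasses import dataclass

# Constructed: what our identity provider exports for one supplier's accounts.
VENDOR_ACCOUNTS = [
    {"user": "a.jones@hvac-example.test", "role": "bms-technician",
     "mfa": True, "groups": {"bms-readonly"}},
    {"user": "b.smith@hvac-example.test", "role": "bms-technician",
     "mfa": False, "groups": {"bms-readonly"}},
    {"user": "c.lee@hvac-example.test", "role": "bms-technician",
     "mfa": True, "groups": {"bms-readonly", "pos-network-admin"}},
    {"user": "d.khan@hvac-example.test", "role": "account-manager",
     "mfa": True, "groups": {"bms-readonly"}},
]

# Constructed: the roster the supplier sends whenever its staff join or leave.
# d.khan has left the supplier and no longer appears on it.
VENDOR_ROSTER = {
    "a.jones@hvac-example.test",
    "b.smith@hvac-example.test",
    "c.lee@hvac-example.test",
}

# Least-privilege policy (assumption): the groups each supplier role may hold.
# A role missing from this table is allowed nothing, so unknown roles fail closed.
ROLE_ALLOWED_GROUPS = {
    "bms-technician": {"bms-readonly", "bms-operator"},
    "account-manager": set(),
}


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str
    action: str


def reconcile(accounts, roster, policy):
    """Return the list of Findings, one per problem, in account order."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        # Personnel change: anyone not on the supplier's current roster
        # should not hold a live account, whatever its other settings.
        if user not in roster:
            findings.append(Finding(user, "not on supplier roster", "disable"))
            continue
        # MFA is mandatory for every third-party account.
        if not acct["mfa"]:
            findings.append(Finding(user, "MFA not enrolled", "enforce-mfa"))
        # Least privilege: strip any group the account's role does not justify.
        excess = acct["groups"] - policy.get(acct["role"], set())
        if excess:
            findings.append(Finding(
                user, "groups beyond role: " + ", ".join(sorted(excess)),
                "remove-groups"))
    return findings


def actions_by_user(findings):
    """Group the required actions per account for a ticket or report."""
    out = {}
    for f in findings:
        out.setdefault(f.user, []).append(f.action)
    return out


if __name__ == "__main__":
    for f in reconcile(VENDOR_ACCOUNTS, VENDOR_ROSTER, ROLE_ALLOWED_GROUPS):
        print(f"{f.action:14} {f.user:28} {f.issue}")
```

Run as a scheduled job against a real identity provider export, this turns the "communicate personnel changes" principle into a check that fails loudly when a supplier's leaver still has access, when an account lacks MFA, or when a technician account has quietly accumulated rights beyond its role, which is exactly the pattern behind the Target HVAC compromise.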
One last thing to remember: supply chain security is not a magical destination that you will one day reach. It is a journey that will continue to change and evolve over time, just as the nature of cyber-threats evolves. So let's start that journey today.
New speakers announced for Procurement & Supply Chain Live
Two leading executives in supply chain transformation have been confirmed for this year's Procurement & Supply Chain Live event.
Procurement & Supply Chain Live is the perfect opportunity to hear from prominent executives at the world's leading procurement and supply chain businesses. The event will be streamed live from Tobacco Dock, London via the networking platform Brella.
The three-day show, running 28-30 September 2021, is an essential deep dive into the industry, with influential speakers sharing insights and strategies from their organisations, group roundtable discussions, and fireside chats.
We take a look at the latest additions to the already impressive line-up of speakers announced so far, and what they will bring to the flagship event.
Shaun Plunkett, VP Global Supply Chain at Macmillan Education Ltd
Shaun Plunkett has over 30 years of supply chain leadership experience in the FMCG, entertainment and media sectors, supporting multi-billion euro businesses including Universal Music, EMI, Sony Music, HarperCollins and Associated British Foods. He has a track record of successfully delivering transformational change coupled with award-winning operating models, and of developing and coaching global teams. Plunkett says that challenging the status quo, and encouraging others to continuously push the boundaries, is at the heart of what drives him on a daily basis.
Vikram Singla, Digital Transformation Lead, Oracle UK and Board Member, CILT
Vikram Singla is digital transformation director at Oracle UK. He helps supply chain and finance business leaders leverage technology to deliver meaningful business outcomes for their organisations. He also serves on the board of CILT (the Chartered Institute of Logistics and Transport) UK and is an Honorary Visiting Fellow at Anglia Ruskin University. Singla has more than 25 years' experience in the technology sector and in global supply chain transformation, including deploying business transformation programmes for Fortune 500 firms. In his spare time, Singla is a passionate brand ambassador for Cancer Research.
Plunkett and Singla join a growing line-up of speakers, including: Sheri R. Hinish, IBM; Robert Copeland, G4S; Daniel Weise, BCG; Mark Bromley, Mastercard; David Loseby, Rolls Royce; and Ninian Wilson, Vodafone Procurement Company.