Making your weakest link your strongest asset - how to get supply chain security right
Do you know how many vendors make up your supply chain? If you count all your cloud and software providers, business contractors, building maintenance engineers, logistics suppliers and equipment manufacturers the number could easily run into hundreds of individual businesses for even a mid-sized firm. This complex web of global inter-dependencies makes the world go round. But it also exposes organisations to serious cyber-risk. In fact, some experts have claimed that 80% of information breaches start in the supply chain.
The more unmanaged suppliers you have, the greater your potential risk exposure. But there are things you can do to mitigate these risks. It all starts with end-user education.
A complex web
No modern organisation could function without a complex network of firms on which it depends and which depend on it for vital products and services. There’s just one problem: in our digital-first world there are multiple points of weakness for cyber-criminals, hacktivists and even nation states to take advantage of. Recently, for example, GCHQ’s National Cyber Security Centre (NCSC) issued a supply chain risk warning for cloud-enabled products and AV tools in the face of increasing concerns over Russian state attacks. NCSC technical director, Ian Levy, stated: “Our advice in this space is a bit complex and nuanced. That’s because it’s a complex problem with lots of nuances.”
So, what are the main supply chain cyber-risks out there? To quote the government’s CERT-UK: “With information and security arrangements shared across a supply chain, the cyber-security of any one organisation within the chain is potentially only as strong as that of the weakest member of the supply chain.”
Supply chains within supply chains
There are several ways your organisation could suffer a compromise leading to information theft or a damaging service outage. The first lies with the digital supply chain. Most organisations today use software and services from third-party providers. But what happens when malicious actors plant malware high up in the supply chain? This happened last August when several Chrome extensions were compromised after their author’s Google Account credentials were stolen. They were then used to serve malicious ads and steal CloudFlare log-ins from those who had unwittingly installed them.
The same kind of attack was the starting point for the infamous NotPetya campaign of June 2017. On this occasion, Russia-linked hackers compromised the popular Ukrainian accounting software M.E.Doc after an administrator at the firm had their account credentials stolen, and pushed the malware to users through the product's own update mechanism. NotPetya presented itself as ransomware, but in practice it was a destructive wiper: paying the ransom could not recover the data. It first hit organisations in Ukraine, then spread around the globe by moving laterally through the corporate networks of multinationals whose Ukrainian subsidiaries were connected to head office by VPN and other trusted links.
In an example of the kind of complex supply chains within supply chains that make cyber-risk even harder to contain, NotPetya-related outages at some of these firms then had a huge knock-on effect for their customers. Global shipper Maersk and FedEx subsidiary TNT each claimed the outages cost their company $300mn, while drug-maker Merck had similar bad news.
Another way organisations can be affected is if hackers steal the access credentials suppliers use to log on to the corporate network. It’s what happened in the now-infamous Target breach, where an HVAC contractor was compromised first; its network credentials for the retailer gave the attackers a foothold from which they reached the retailer’s payment systems. Law firms are another often targeted weak link in the supply chain, as witnessed by the Panama Papers and Paradise Papers leaks, which came about after hugely sensitive information was stolen from offshore legal firms.
Even companies which should know better have been compromised to provide hackers with access to valuable data on their clients. In the case of Deloitte, attackers obtained the log-in for an administrator account that was protected by a single password rather than multi-factor authentication (MFA).
The impact of such incidents could be catastrophic, for the bottom line and the long-term reputation of an affected company. Few people remember the supply chain minnow that was initially to blame: it’s the big fish that was breached that sticks in the public’s mind. So what can we do to mitigate supply chain risk?
Organisations must start by clearly understanding their place in the supply chain, and secure both their dependencies and the organisations that depend on them through improved collaboration. Communication is key, and standards can help to establish baseline security and a common language of risk. CERT-UK recommends the ISO 27000 and 31000 series as a good place to start. But for this to be truly effective, you must ensure that the same security standards flow all the way down to sub-contractors, as these will be your next weakest link.
This is no time for heavy-handed demands. Create win-win relationships rather than purely transactional ones with your suppliers and the result will be a safer and more secure supply chain that benefits all stakeholders.
Technology and process upgrades may be necessary. MFA and least privilege access policies, intrusion prevention systems, continuous monitoring and SIEM, effective patch management, and joint incident response plans are all key best practice steps. It’s particularly important that any personnel changes at a supplier are immediately communicated to its supply chain partners, so that the leaver’s accounts can be disabled and the access of any remaining accounts re-checked against what the contract actually requires. Again, effective communication between HR, IT and security teams is the name of the game.
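The three account-level controls above (MFA everywhere, least privilege, prompt offboarding) are easy to state and easy to let slip, so it helps to review supplier accounts mechanically and on a schedule. The following is an added example, not code from the original article or from any product: it runs a review over a constructed list of supplier accounts and reports the findings that map directly to the incidents discussed earlier (a Deloitte-style account with no MFA, a Target-style contractor holding roles beyond its contract, a leaver whose account was never disabled). The account fields, role names and contract scopes are assumptions made for the example.

```python
"""Third-party access review: flag supplier accounts that break the
MFA, least-privilege and offboarding controls.

Added example. Field names, role names and the sample accounts below are
constructed for illustration and are not any product's data model.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class SupplierAccount:
    login: str
    supplier: str
    mfa_enabled: bool
    last_login: date
    roles: tuple          # roles/groups currently granted on our systems
    still_employed: bool  # per the supplier's most recent personnel notice


# Roles a supplier legitimately needs for a given contract scope
# (assumed values: a real list comes from the contract and a risk owner).
ALLOWED_ROLES = {
    "hvac-maintenance": {"bms-readonly", "vpn"},
    "payroll-software": {"finance-app", "vpn"},
}


def review(accounts, contract_scope, today, stale_after=timedelta(days=90)):
    """Return {login: [findings]} for every account with at least one issue.

    contract_scope maps supplier name -> contract scope key in ALLOWED_ROLES.
    An empty dict means every supplier account passed the review.
    """
    findings = {}
    for acct in accounts:
        issues = []
        if not acct.mfa_enabled:
            issues.append("no-mfa")
        if not acct.still_employed:
            # HR change at the supplier was notified but access not revoked.
            issues.append("leaver-still-active")
        if today - acct.last_login > stale_after:
            # Unused standing access is pure attack surface; disable it.
            issues.append("stale")
        allowed = ALLOWED_ROLES.get(contract_scope.get(acct.supplier), set())
        excess = set(acct.roles) - allowed
        if excess:
            # Least privilege: roles the contract does not justify.
            issues.append("excess-roles:" + ",".join(sorted(excess)))
        if issues:
            findings[acct.login] = issues
    return findings


# Constructed sample data for a fixed review date.
TODAY = date(2018, 3, 1)
CONTRACT_SCOPE = {"Acme HVAC": "hvac-maintenance",
                  "Payrolls Ltd": "payroll-software"}
SAMPLE_ACCOUNTS = [
    SupplierAccount("svc-hvac-01", "Acme HVAC", False,
                    TODAY - timedelta(days=200),
                    ("bms-readonly", "vpn", "pos-admin"), True),
    SupplierAccount("jane.payroll", "Payrolls Ltd", True,
                    TODAY - timedelta(days=3),
                    ("finance-app", "vpn"), True),
    SupplierAccount("bob.payroll", "Payrolls Ltd", True,
                    TODAY - timedelta(days=10),
                    ("finance-app",), False),
]


def run_sample():
    """Review the constructed accounts as of TODAY."""
    return review(SAMPLE_ACCOUNTS, CONTRACT_SCOPE, TODAY)


if __name__ == "__main__":
    for login, issues in run_sample().items():
        print(f"{login}: {', '.join(issues)}")
```

Feeding this from a real identity provider or VPN concentrator export is the obvious next step; the point of keeping the allowed roles per contract scope in one place is that when HR at the supplier reports a change, the review can be re-run immediately rather than waiting for a quarterly audit.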
The best technology in the world won’t be any use if your employees, and those in supplier organisations, still get fooled by phishing attacks. Particularly in smaller firms, many individuals may struggle to see the bigger picture. They need to be taught how just one misplaced click could end up impacting tens of millions of innocent consumers. Vigilance and common sense should be their watchwords online.
One last thing to remember: supply chain security is not a magical destination that you will one day reach. It’s a journey that will continue to change and evolve over time, just as the nature of cyber-threats evolve. So let’s start that journey today.