David Smith, Senior Security Consultant at Evalian, discusses the key considerations for improving supply chain security and ultimately reducing the risk of a supply chain attack impacting your company.
Supply chain attacks have become a mainstay in the headlines, with high-profile security incidents like the Kaseya and SolarWinds breaches impacting thousands of organisations worldwide.
A supply chain attack occurs when digital services or technologies of a vendor are compromised, allowing a criminal to move into the networks and systems of customers. Just like physical supply chains, companies rely on various digital partners to provide services and products.
Digital supply chains can be disrupted or compromised in many ways. The most damaging and sophisticated attacks allow an attacker to linger in a network unnoticed, often for a long time; this kind of persistent, hidden access is commonly called a ‘backdoor’.
In the case of SolarWinds, criminals were able to modify SolarWinds’ product, Orion, with malicious code that was subsequently distributed via software updates. This code was thought to have been inserted in mid-2019 but was not publicly reported until December 2020. Orion, ironically a product intended to help protect an organisation’s networks, became a gateway for attackers to access the systems of many large enterprises and key US Government departments.
While such attacks are complex, they’re also quite common. The European Union Agency for Cybersecurity suggests 66% of supply chain attacks target the product code of suppliers. The return on investment for attackers, compromising one organisation then getting access to many others, makes software vendors an enticing target.
Despite this, many organisations fail to prioritise supply chain security. A DCMS 2021 survey found that most UK organisations have not reviewed risks posed by their suppliers and broader supply chain.
While you cannot control whether suppliers suffer data breaches, you can reduce the risk of a supply chain attack impacting your company. Here are four ways to improve supply chain security and avoid backdoor attacks.
Understand your supply chain and critical suppliers: A robust security strategy is dependent on visibility. Ensure your company understands who your suppliers are and what data they can access. Then identify which of these provide you with essential services or, if services went down, would cause severe disruption to your own operations: these are your critical suppliers.
Ideally, you’ll extend this to your suppliers’ suppliers. This will give a detailed view of your extended supply chain, enabling better security management.
Manage your risks via a supply chain risk management programme (SCRMP): Establish a formal process for procuring and managing digital suppliers. Companies have been assessing and onboarding physical suppliers for years. Many commercial teams already conduct supplier assessments. Is a separate process necessary for software, or can existing processes be modified?
When onboarding new suppliers, organisations should consider security as a foundational requirement, building it into their procurement processes and contracts. Security is a competitive differentiator to be considered among factors like cost. It may be tempting to go with the cheapest supplier based purely on price, but could you later be paying that difference, or more, out of lost revenue and service disruption?
Your SCRMP should review and address threats specific to your organisation and supplier relationships. Are there concerns about your customers’ data? Could a loss of service from your supplier stop you from supplying your customers? Expecting a supplier to be perfect in all areas of security is unrealistic, so ensure you know which potential risks are most relevant to you.
Be fair, open and honest with suppliers: Everyone uses suppliers and everyone supplies someone else. We hope that those we supply to are reasonable with their expectations; it is worth keeping this in mind when setting expectations of your suppliers.
Organisations have many options to assure their suppliers, such as the right to audit within contracts, or a requirement for security standards, for example Cyber Essentials or ISO27001.
However, the type of requirements should fit the services provided. For example, requiring an office accessories company to achieve Cyber Essentials is probably unnecessary: they cannot access much of your data. In contrast, an HR platform will need to meet higher security standards.
Clarifying what you expect of suppliers, and explaining that you will regularly review them as part of your SCRMP, helps create a more open relationship. They are more likely to feel comfortable telling you about internal security improvements and programmes.
Remember that security is a cost. Excessive security requirements and arduous assurance processes are an expense to your supplier. Even if this is not immediately obvious, ultimately the cost will fall back to customers through raised prices, or reduced service elsewhere.
Protect yourself through design and standards: No supplier intends to introduce weaknesses into their customers’ networks – it’s not a great business model. Despite best intentions, supply chain attacks will still occur.
We can, however, reduce the damage of these attacks by reviewing the access given to suppliers. Historically, suppliers have been granted excessive access into customers’ networks, only to realise this mistake once the worst has happened.
Carefully identifying what access a supplier or product requires, and implementing ways of monitoring for unusual or malicious-looking behaviour, may not stop a supply chain attack entirely, but it could prevent a bad day from turning into a terrible week.
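The two practical points above, knowing who your suppliers (and their suppliers) are and which of them are critical, and checking that a supplier's actual activity stays within the access it was granted, can be turned into a small, repeatable check. The following is an added example written for this article, not code from Evalian or from any product it mentions. Every supplier name, service account, host name, expected-hours window, tier-2 dependency and log line in it is constructed for illustration, and the log format (timestamp, account, host, action) is an assumption rather than a real product's output.

```python
"""Added example: a supplier register with per-supplier access scope and
criticality, a transitive map of suppliers' suppliers, and a review of
constructed access-log lines against the register.  Nothing here is
taken from the article or from a real vendor."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Supplier:
    name: str
    allowed_hosts: frozenset   # systems this supplier legitimately needs to reach
    allowed_hours: tuple       # (start_hour, end_hour) in UTC when activity is expected
    critical: bool             # would loss of this supplier severely disrupt operations?


# Constructed register, keyed by the service account each supplier uses
# (assumption: one dedicated account per supplier, never a shared login).
REGISTER = {
    "svc-hrplatform": Supplier("HR platform", frozenset({"hr-db-01", "hr-app-01"}), (7, 19), True),
    "svc-printco": Supplier("Office printer maintenance", frozenset({"print-srv-01"}), (8, 18), False),
    "svc-monitoring": Supplier("Network monitoring vendor", frozenset({"netmon-01", "core-sw-01"}), (0, 24), True),
}

# Constructed tier-2 map: who each supplier itself depends on
# (assumption: declared by the supplier during onboarding).
SUB_SUPPLIERS = {
    "HR platform": ["Cloud hosting provider"],
    "Network monitoring vendor": ["Cloud hosting provider", "Managed SOC"],
    "Cloud hosting provider": [],
    "Managed SOC": ["Ticketing SaaS"],
}

# Constructed log lines: "<ISO timestamp> <account> <target host> <action>".
SAMPLE_LOG = """\
2024-03-04T09:12:33Z svc-hrplatform hr-db-01 READ
2024-03-04T09:15:02Z svc-printco print-srv-01 LOGIN
2024-03-04T02:41:19Z svc-monitoring fileshare-01 READ
2024-03-04T22:05:44Z svc-hrplatform hr-app-01 LOGIN
2024-03-04T10:00:00Z svc-printco hr-db-01 READ
2024-03-04T10:30:00Z svc-unknown core-sw-01 LOGIN
"""


def critical_suppliers():
    """Names of the suppliers marked critical in the register."""
    return sorted(s.name for s in REGISTER.values() if s.critical)


def extended_critical_chain():
    """Critical suppliers plus everything they depend on, transitively (breadth-first)."""
    seen, queue = set(), deque(critical_suppliers())
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        queue.extend(SUB_SUPPLIERS.get(name, []))
    return sorted(seen)


def parse_line(line):
    """Split one constructed log line into (datetime, account, host, action)."""
    ts, account, host, action = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, host, action


def check_event(ts, account, host, action):
    """Findings for one event; an empty list means the event is within scope."""
    supplier = REGISTER.get(account)
    if supplier is None:
        return [f"unregistered supplier account {account!r} touched {host} ({action})"]
    findings = []
    if host not in supplier.allowed_hosts:
        findings.append(f"{supplier.name}: {account} accessed {host}, outside its allowed scope")
    start, end = supplier.allowed_hours
    if not start <= ts.hour < end:
        findings.append(f"{supplier.name}: {account} active at {ts.hour:02d}:00 UTC, "
                        f"outside expected hours {start:02d}-{end:02d}")
    return findings


def review_log(log_text):
    """Run every event through check_event; tag each finding with a severity.

    Out-of-scope activity by a critical supplier, or by an account that is not
    in the register at all, is rated HIGH; everything else MEDIUM."""
    results = []
    for line in log_text.strip().splitlines():
        ts, account, host, action = parse_line(line)
        supplier = REGISTER.get(account)
        severity = "HIGH" if supplier is None or supplier.critical else "MEDIUM"
        for finding in check_event(ts, account, host, action):
            results.append((severity, finding))
    return results


if __name__ == "__main__":
    print("Extended critical chain:", ", ".join(extended_critical_chain()))
    for severity, finding in review_log(SAMPLE_LOG):
        print(severity, finding)
```

Against the constructed log this flags four events: the monitoring vendor reading a file share it has no business on, the HR platform account logging in late at night, the printer maintenance account reaching the HR database, and an account nobody registered. The first two are rated HIGH purely because those suppliers are critical; the point is that the same register that answers "who is critical?" also decides how loudly an anomaly should be raised.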
Ultimately, by improving your organisation’s approach to supply chain security, you can reduce your exposure to an attack. A solid supply chain security strategy can improve your brand’s reputation. When a company assures customers that their supply chain is well-managed, it boosts confidence and builds better relationships.