As the UK’s National Cyber Security Centre warns in its The cyber threat to UK business 2017-2018 report:
“Supply chain compromises of managed service providers and legitimate software…provided cyber adversaries with a potential stepping stone into the networks of thousands of clients, capitalising on the gateways provided by privileged accesses and client/supplier relationships. It is clear that even if an organisation has excellent cyber security, there can be no guarantee that the same standards are applied by contractors and third party suppliers in the supply chain. Attackers will target the most vulnerable part of a supply chain to reach their intended victim.”
“Supply chain compromises typically seek to introduce security flaws or other exploitable features into equipment, hardware, software, or services, prior to their supply to the target (or make use of a compromised supplier organisation’s connections to the target). Operations or activities are usually designed to breach confidentiality and integrity, but they may also be designed to affect availability (such as supplying defective equipment). Ongoing servicing, support or updates to equipment, hardware or software may also provide opportunities for threat actors to interfere with the supply chain…When done well, supply chain compromises are extremely difficult (and sometimes impossible) to detect.”
No matter how strong the information security structure of your business may be, you are only as strong as your weakest link, and often adversaries are aware that businesses fail to adequately assess the information security practices of their suppliers. The first step in efficiently prioritising your resources in this area is to know precisely who your key suppliers are and to maintain a consistent methodology to address this issue. You should also have in place criteria by which different types of information are classified based on sensitivity. The volume of data that the supplier has access to can also be a key part of the assessment criteria. In this way, we can place a higher level of scrutiny on critical suppliers that have access to sensitive business data. In some cases we may find that the supplier has no need to access certain data sets and so we can take adequate measures to limit access to only that which is necessary.
Finding suppliers that touch little to no company data of any kind is often rare in the digital age, so many suppliers should be undergoing review by qualified and experienced information security professionals. The first step in engaging with suppliers on an information security review will often be a questionnaire, and these questions should be based on formalised information security standards. Ideally, critical suppliers should also be undergoing on-site reviews to verify results of a question-based survey.
Once a formal supplier security process is in place and integrated into the procurement process, with criticality and risk ratings generated, a business can ensure that adequate measures are being taken to minimise the attack surface through a third-party vector. There are numerous benefits to having such a process in place, including a significant reduction in business risks such as damage to assets and reputation, and major fines. All of these can result in big financial losses. By having a formal review process, you also provide assurance to your suppliers that you have strong information security measures in place and that any shortcomings on their part may result in them losing your business. This therefore leads to an amplifier effect where your information security and that of your suppliers are increased in concert.
Ultimately, an adversary is looking for and needs only one small point of entry to carry out a costly attack on your organisation. As past events have shown, if organisations fail to carry out adequate information security reviews of their suppliers, it becomes only a matter of time until your company’s name may end up in the news – for all the wrong reasons.