Supply chain cyber risk is a mounting issue for organisations across the globe. In the wake of high-profile supply chain breaches, organisations are waking up to the risks associated with third parties. Worldwide disruptions associated with the pandemic have only highlighted the importance of supply chain risk management even further. Despite these warning signs, many Australian organisations don’t fully understand how third parties can increase cyber risk.
The supply chain is rarely a simple, single chain. With every vendor having vendors of their own, a security breach could truly come from any direction. Without visibility into their supply chains, companies cannot properly assess, let alone manage, associated risks. And, because many organisations still use legacy supply chain risk management approaches, they are unable to scale them to handle the increased volume of supply chain relationships.
Given the complexity of today’s supply chain landscape and the numerous challenges organisations face in becoming resilient, knowing where to begin improving supply chain security may be difficult. These four best practices for supply chain cyber risk management can help organisations make meaningful progress toward this goal.
1. Understand the ecosystem
Before rolling out a supply chain security program of any type, it’s essential to know the parties that make up the supply chain. There are three critical aspects for each supplier: the sensitivity and volume of data they hold, the network access and user credentials (particularly privileged credentials) they have, and their criticality to business operations.
When assessing these aspects, it’s important to ensure that the organisation is enforcing the concept of least privilege. This means that vendors only have the access they need to effectively do their job, and the vendor’s software is doing only what it is supposed to do, with minimal access rights.
2. Bring your suppliers into the security program
Suppliers are ultimately part of an organisation’s overall security posture, and, as such, it’s important to include them in security conversations and processes. There are a few steps that can help strategic partners operate within an organisation’s security program:
- Provide plug-in processes, such as for incident response or incident notification, that interconnect with the organisation’s own.
- Invite them to participate in tabletop exercises and scenario security planning.
- Consider what data the organisation can get from partners to ingest into its security monitoring platform.
- Bring partners into the scope of a red team engagement targeting the organisation.
3. Adopt and prioritise threat detection and response capabilities
Following the attack on Ukraine, the global cyberthreat environment is heightened, and the risk of cyberattacks on Australian networks, whether targeted directly or affected inadvertently, has increased. Effective monitoring and detection technology, combined with proactive threat hunting, is what picks up tampering and identifies behavioural anomalies and hidden breaches.
4. Supply chain risk management goes both ways
Historically, organisations haven’t invested in systems that make life easier for their suppliers. However, providing the tools to simplify the process can make supply chain risk evaluations run more smoothly. A buyer can review these resources, assess the supplier’s security state, and determine how the supplier’s security program can connect into its own.
Supply chain risk management has never been more urgent or challenging; however, the good news is that there are effective tools and best practices to streamline the process. Risk can never be fully eliminated, but it can be managed. Taking control of an organisation’s cybersecurity posture and processes can jumpstart its supply chain ecosystem protection and help manage the risks associated with today’s increasingly complex and multilayered environments.