Discover the channels of communication necessary to protect your organisation.
In today’s digitally connected world, organisations rely heavily on their supply chains to deliver mission-critical expertise and services. Supply chains need interconnectivity to function effectively. But interconnectivity creates risks that can leave an organisation’s network exposed to cyber attack.
Threat actors targeting supply chains are nothing new, of course. Large, sophisticated attacks like SolarWinds and NotPetya inflicted widespread damage and huge financial losses. Smaller, opportunistic supply chain attacks may not grab the headlines in the same way, but they too cause serious harm - particularly to organisations that are ill-prepared to respond effectively.
In the past year, Solis has responded to numerous cyber attacks in which an organisation’s network has been compromised via remote appliances managed by a trusted third-party vendor in its supply chain. In the aftermath of such attacks, questions quickly arise over the responsibility for managing these appliances. Often this will focus on whether security patches should have been applied, and when.
This underlines the importance of ensuring that service level agreements with supply chain providers include clearly defined requirements and obligations, whilst complying with appropriate cyber security regulations and expectations. Agreements with third-party vendors will often have been in place for a number of years. Those agreements may have grown out of a close and trusted working relationship, but they could still fall short of the standards required to protect against today’s increasingly sophisticated cyber-attacks.
Another stumbling block in managing the risk of supply chain cyber-attacks is communication with third-party vendors during the initial phases of incident response. An organisation may be used to communicating with a third-party supplier through a particular point of contact, such as its account manager. But such individuals may not be best placed to communicate the kind of information that will prove vital to progressing the incident response in a timely manner. This can lead to costly delays and impair an organisation’s ability to respond effectively.
Organisations that rely on third-party providers to manage and maintain databases holding sensitive information are particularly vulnerable. Here at Solis, we have seen a growing number of threat actors targeting such databases. To mitigate the impact of such attacks, organisations need to be sure that supply chain providers are protecting their data in line with applicable regulatory requirements. This could include safeguarding data through encryption, both at rest and in transit; meeting specific data retention requirements; and ensuring that appropriate access controls are in place.
All too often, organisations pay insufficient attention to their supply chain when assessing cyber security risk. By taking the proactive steps outlined here, organisations can effectively protect themselves against supply chain cyber risk and ensure they are better placed to deal with any attack that should get through their defences.
Key takeaways:
- Review service level agreements regularly from a cyber security perspective
- Perform cyber security risk assessments and audit supply chain providers
- Establish appropriate communication channels with supply chain providers and detail these within incident response plans
- Consider involving key supply chain providers in incident response exercises
- Ensure supply chain providers meet all applicable regulatory requirements relevant to your organisation