
Mitigating Supply Chain Risk – A CISO's Challenge

With greater reliance on third party software supply chains comes the heightened risk of security issues manifesting outside of your initial oversight and control.

To paraphrase a saying: if you’re a supplier and you think nobody cares whether you’re active, try getting hacked. (Our advice, incidentally, is to do the exact opposite).

In the last few years, awareness of the risks around supply chain security has gone from … well, a lack of awareness to shouting it from the rooftops. Unfortunately for CISOs and their teams, this has been entirely because there have been so many supplier-led cyber-disasters in recent times that have made front page news.

The main problem with the supply chain is that it’s like the iceberg of cybersecurity: you can’t see most of it. Your direct suppliers – the ones you actually buy stuff from – at least have the benefit that you know them, can ask them questions and can request evidence of their cyber arrangements. You probably have a proper contract with most of them, containing some governance controls around their attitude and approach to cybersecurity. But for every direct supplier there’s no shortage of indirect ones – your suppliers’ suppliers, their suppliers, and so on through who knows how many layers. There aren’t many statistics out there regarding just how many upstream suppliers one might rely on, but one source argues that half of organisations have indirect relationships with 200 or more fourth-party suppliers who’ve had a breach.

If you thought that was bad, it gets worse. In reality, you don’t have any real control over your suppliers. The contract might just about be worth the paper it’s written on, but paper’s only $10 a ream, so maybe that’s not saying much. What matters with a contract is what happens when something goes wrong.

Supplier contracts have penalty clauses (generally regarding service credits in the event of a failure to deliver), criteria for early termination and the like. Yet service credits seldom provide recompense for the inconvenience or potential loss of business – and for all but the smallest suppliers, exiting the relationship can be onerous and to do so means finding an alternative supplier (presumably the supplier you were working with was the best choice at the time, so replacing them might be a step down in quality or suitability).

Mitigating The Risk

So, suppliers are a cyber risk which you can’t really mitigate very much. But that’s enough doom and gloom. We have painted a very dark picture of supply chain risk – not least because there’s a lot of it. So how can we deal with it?

First, do the simple thing: regardless of all the downsides to the “what if something goes wrong” contract clauses, you absolutely need them. Never, ever be nice about them: push for everything you can, because these things exist in case you need them one day. But be realistic – the larger the supplier, the less flexibility there’s going to be in the contract.

The main thing to do, though, is to look at the risks in two basic categories. The first is the cyber risk a supplier presents to your own organisation – that is, the likelihood of you suffering a cyber attack as a result of action (or inaction) by the supplier and/or their upstream suppliers. This particularly means suppliers that have some kind of access to your systems (support staff with remote access to fix issues, for example, or VPNs for data interchange) and who can therefore cause you cyber grief.

Not Just a Cyber Risk Impacts Cyber

The second category, and arguably the much more important one, is the non-cyber risk: that is, how else can a supplier or their upstream counterparts damage or destroy your business? Had Atlanta airport, for example, considered the risk of a shutdown of the Colonial fuel pipeline, which provided about 70% of its aviation fuel? Of course it had – the upshot was not headlines screaming “Flights cancelled through fuel supply hack” but instead “Backup jet fuel supplies keep planes flying”.

For this second category, look as far upstream as you can. If your organisation is big enough to have the clout, work with your suppliers to understand their own suppliers’ threats: if they’re any good they should already have looked into this for themselves, and if they haven’t, question whether you should be dealing with them at all. Work hard on what would happen to your business if the supplier were down for 24, 48 or 72 hours – and if it were to collapse completely. And if you’re too small for the supplier to engage meaningfully: guess (or, less flippantly: deduce). You should be able to figure out supplier risk at least at a high level, and, particularly with local suppliers, you should be able to work out who supplies them with the key items or services that form their risk profile.

Finally, bear in mind that there are companies out there that will do a lot of this supplier work for you: monitoring dark web sources for data that appears to have been stolen from your suppliers; monitoring news feeds for stories of suppliers getting hacked; watching their public-facing systems for downtime. If you can’t do all the research and monitoring yourself, why not get someone else to do it for you?