Cyber threats and the supply chain: back to basics
On top of the cyber risks every company already knows, there are those tied to the supply chain, also called third-party risk.
The longer the supply chain, the larger the attack surface. Combined with the spread of remote work and the growing number of connections, the CISO's job becomes harder. There are many answers, but in the face of this complexity, it is essential to apply basic security measures.
Fifteen years ago, it was “simple” for a CISO or CIO to detect an anomaly on his network, and also fairly simple to protect himself from attacks. Most of those attacks were carried out by humans, not by networked machines exploiting entry points in a wide variety of hardware and software. Another major change is the supply chain. Where a small or medium-sized company once used only a few components to manufacture its product, today those components come from several hundred companies around the world. The example of the mobile phone speaks for itself: its components are still manufactured, and the device assembled, abroad. This means a company must by default trust those who manufacture and assemble these components. That can be a risky bet.
Indeed, attackers know that the supply chain is a weak link and that organizations and states often underestimate this risk. Attackers exploit that gap to achieve their goals. Just think of the “backdoors” almost institutionalized by some states, which are even present in “secure” equipment.
Risk assessment and prevention: an absolute necessity for CISOs
Faced with this situation, supply chain risk assessment has become a critical issue (whatever the acronym used to designate this policy: C-SCRM, TPCRM, VRM…). Take the example of a computer, a telephone or any other electronic object: who controls and evaluates the third parties in its supply chain? Who can check, among the thousands of containers passing through each port “hub”, that the equipment is compliant and intact? You have to trust each actor in the chain. Again, it’s a risky bet. So how, at least, can we protect ourselves?
How to manage third-party risk: back to basics
Dealing with supply chain risks requires monitoring over a wide scope, involving the legal department (to comply with anti-corruption regulations, sectoral regulations and international standards such as ISO 37001), the purchasing and supply department, cross-functional teams (IT, etc.) and of course the CISO. From Tier 1 to Tier 4, how do you analyze and protect against risks?
1. Assess supplier reputation and product risk
It is important to decouple the supplier’s reputation from the product itself. For example, a start-up may have a poor reputation because it has little experience in the industry, yet its product may be risk-free. Auditing firms can assess vendor compliance with standards such as ISO 27001 (and GDPR, PCI, FCRA, SOX, HIPAA, etc., where applicable) and perform SOC 2 Type I, Type II or other assessments. But these reviews are mostly about the company, not the product. When working with newly created companies, make sure you can review the controls that apply to the product itself. Independent code reviews and application vulnerability reports are also very useful, as they assess both the software code and how easily it can be penetrated once deployed.
2. Carry out a complete but personalized supplier questionnaire
Many organizations have standard supplier questionnaires. But these questionnaires must evaluate how the product will be used in the target environment. For example, the questionnaire for a cloud provider should differ from the one for software that will be deployed internally. Also ask yourself about your own internal security policies: do they actually help you assess the risk posture of the supplier and its product? To properly assess a vendor, the questionnaire must be tailored to the type of product you are assessing and the capabilities it will provide.
3. Deploy a periodic evaluation and review program.
Integrating third-party assets is not a “one-time-only” process. Even if a product has worked perfectly for the past ten years, you should schedule a regular review. If you don’t, you put the business at risk as new vulnerabilities emerge. Assess the security of third-party products at least once a year. This review process includes making sure that patches and updates are fully planned and applied consistently, which in turn requires a robust testing and deployment process. In other words, if you need 6 months to deploy a critical patch, the patch is useless.
4. Change management
Change management is intrinsically linked to the supply chain and is therefore essential for dealing with any third-party risk. The supply chain introduces new components into the organization, and each stakeholder must evaluate them. On the one hand, you need to secure the stakeholders’ support; on the other, you need to make them responsible for evaluating new products, components or services within their scope. Each stakeholder carries out a risk assessment of the proposal submitted to it. A good change management process, with periodic review, is essential for making decisions that reduce third-party risk.
5. Consider external and internal environmental risks
Besides the product itself, many intangible risks can affect the supply chain, such as human and geopolitical factors. On the human side, for example, it is difficult to trust a supplier with a high turnover of top managers: the stability of those running the company is a guarantee of product quality. On the geopolitical side, country risk must be carefully monitored. For example, in times of interstate conflict, a software company based in a war-torn country may have its security rating lowered by other nations because of the pressures of the conflict.
About the Author
Dan Bowdrey is Sales Director, UK and Ireland at www.semperis.com. Dan brings over 25 years of experience in the IBM and Microsoft messaging and directory services space to his role as Director of Sales, UKI. His previous roles have included managing some of the world’s most diverse and complex infrastructure environments across a range of industry sectors, more recently specializing in directory synchronization and Active Directory cloud migration services. Dan advises on best practices and protection in highly complex cross-cloud and hybrid environments.
Featured Image: ©Enanauchit