Chris Jackson, Chief Product and Technology Officer at Six Degrees, believes it’s not a case of if a cyber incident will affect your supply chain, but when. And, of course, how you respond.

Managing increasingly complex and evolving cyber security risks across digital supply chains comes with the territory these days. No organisation is immune, and incidents like last year’s CrowdStrike outage show just how far the shockwaves from a mistake can reach. 

Despite due diligence, a bug still slipped through into a software update – a very high profile reminder that procedures can break down even when endeavouring to adhere to best practices. This adds further weight to the seeming inevitability of a security lapse impacting your organisation, regardless of where it originated from. 

In reality, it’s no longer a case of if a cyber incident will affect your supply chain, but how you will respond when it does.

A never-ending supply chain

Notwithstanding that supply chains are typically long and convoluted, to understand the full extent of their potential attack surface organisations must map all tiers, including indirect suppliers, agencies, contractors, and freelancers.

This means not only considering who your own organisation buys directly from, but also who your suppliers interact with and purchase from. While this may seem interminable, it enables you to conduct a more authoritative risk assessment, as well as determine degrees of mitigation.

Proportionality needs to be applied according to the type of supplier and the level of access they have to the corporate infrastructure. It’s a case of identifying the risk and assessing the scope of the potential damage that could result. This will avoid spending too much time on mitigating insignificant or low risks. Generally speaking, though, too little effort is expended initially on understanding the true scale of the supplier ecosystem.

It’s therefore important to go beyond typical boundaries, investigating what data is given to suppliers and what it can teach an attacker about your business that could enable them to launch a more targeted and effective attack on you specifically. Look at common vulnerabilities in their systems that you may have disregarded. This includes weaknesses in third-party software or infrastructure that could compromise data or operations, inadequate risk mitigation measures across their own third parties, and outdated or vulnerable technology systems.  

With this visibility, calibrate risk profiles accordingly and don’t hesitate to take remedial action. This might involve updating contracts with more robust security requirements or even changing suppliers.
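As an added illustration of the tier mapping and proportionality argument above (example code, not from the article or from Six Degrees), the following models a multi-tier supplier ecosystem as a graph and weights each indirect supplier by the access its upstream buyer already holds into the organisation. All supplier names, tiers and access levels are constructed.

```python
"""Added example: map a multi-tier supplier ecosystem and surface the
indirect suppliers whose exposure is inherited through the access of the
direct supplier they sit behind. Every name and level here is constructed."""
from collections import deque

# Access a supplier holds into the corporate infrastructure, weighted for
# proportionality: wider access means a compromise cascades further.
ACCESS_WEIGHT = {"none": 0, "data_feed": 1, "network": 2, "admin": 3}

# Constructed ecosystem: each edge is (buyer, supplier, access level the
# supplier holds into the buyer's environment).
EDGES = [
    ("acme", "payroll_saas", "data_feed"),
    ("acme", "msp_networks", "admin"),
    ("acme", "design_agency", "none"),
    ("msp_networks", "remote_tools_vendor", "network"),
    ("remote_tools_vendor", "freelance_dev", "admin"),
    ("payroll_saas", "cloud_host", "network"),
]

def build_graph(edges):
    graph = {}
    for buyer, supplier, access in edges:
        graph.setdefault(buyer, []).append((supplier, access))
    return graph

def map_tiers(graph, root):
    """Breadth-first walk outward from the organisation.
    Returns {supplier: (tier, exposure)} where exposure is the minimum
    access weight along the path: an indirect supplier can only reach
    us through the access its upstream buyer already holds. The tier
    recorded is the one on the highest-exposure path found."""
    tiers = {}
    queue = deque([(root, 0, ACCESS_WEIGHT["admin"])])
    while queue:
        node, tier, exposure = queue.popleft()
        for supplier, access in graph.get(node, []):
            path_exposure = min(exposure, ACCESS_WEIGHT[access])
            if supplier in tiers and tiers[supplier][1] >= path_exposure:
                continue  # already recorded via an equal or worse path
            tiers[supplier] = (tier + 1, path_exposure)
            queue.append((supplier, tier + 1, path_exposure))
    return tiers

def prioritise(tiers, min_exposure=2):
    """Suppliers at any tier whose inherited exposure merits deeper due diligence."""
    return sorted(s for s, (_, e) in tiers.items() if e >= min_exposure)

if __name__ == "__main__":
    t = map_tiers(build_graph(EDGES), "acme")
    for s in prioritise(t):
        print(f"{s}: tier {t[s][0]}, exposure {t[s][1]}")
```

Note that the tier-3 freelancer outranks the tier-2 cloud host: depth in the chain is not what matters, but the access that chain carries back to you.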

Offensive cyber security

It may sound obvious, but organisations shouldn’t wait for a security breach to happen internally or to start somewhere along the line before improving prevention and remediation plans. Proactively test the resilience of systems to assess how an incident could cascade through your ecosystem. 

Penetration testing on its own is not enough. Be on the offensive with red teaming (attack simulation) programs and bring in external specialists with fresh eyes to help identify weaknesses internal initiatives may have overlooked. Bear in mind that a multi-faceted approach to security will give better coverage – it should never be one dimensional.

And even with comprehensive security and attack simulation plans in place, it’s vital to test incident response and business continuity procedures.

How thorough is your testing?

Thoroughly testing your business continuity plans is vital to ensure you can rely on them to kick into action when an incident occurs.

Ask yourself fundamental questions. For example: is there a clean copy of the critical data I need to resume business operations? Is it appropriate to keep a full copy of the data, or should I redact certain information? How do my mitigation plans change, depending on what data is compromised? Different companies will necessarily come to different conclusions, but don’t wait for a security failure to see if the mitigations work. Test, and test again, to uncover faults and deficiencies so that your organisation will be in a stronger position in the midst of a real event.

It isn’t possible to forecast exactly the way the dominos will fall during a security incident, but ensuring a comprehensive approach to business continuity testing is the best preparation. Anything resembling a tick box exercise is not sufficient and could give senior management a false sense of confidence.

Needless to say, managing supply chain risk is not a one-time effort – it’s an ongoing process that requires continuous vigilance, lateral thinking, and remedial action.

All-round resilience 

To build more resilient supply chains, organisations must go beyond traditional risk assessments and adopt offensive cyber security strategies.

By seeking out weaknesses and simulating attacks, organisations can bring to the surface risks often overlooked by conventional methods. Offensive cyber security enables a deeper understanding of supply chain vulnerabilities, particularly those posed by third-party vendors. 

This strategic shift not only improves defences but also scrutinises the efficacy of disaster recovery plans, essential for reliable business continuity.
