In February, Julia Lopez, Minister of State for Media, Data and Digital Infrastructure, issued a call for views from industry leaders to better understand how to address software risks and help create a more resilient digital environment. She encouraged organisations to take part in this consultation by sharing their expertise and resources to address the cyber risks posed by software, as well as ‘where the responsibilities should lie’.
Recent incidents such as the 2020 SolarWinds attack and the exposure of the Log4j vulnerability have demonstrated the impact that insecure or unprotected software can have on businesses, including organisations that are several steps downstream from the original target. The interlinked nature of modern business means that any organisation can be vulnerable, and the supply chain is now a part of every company’s attack surface. Enhancing supply chain resilience is an important factor in maintaining company-wide cyber resilience and preventing unnecessary harm to British businesses.
Restoring confidence
While digitisation brings undeniable business benefits, every digital solution you add to your ecosystem is another potential gateway for attackers. As supply chains become more connected, this further opens the door to ransomware, process disruption and other security breaches. A supply chain attack is a matter of when, not if. According to a recent study conducted by Gartner, 84 per cent of respondents stated that third-party risk ‘misses’ led to disruptions in business operations. Threat actors seek profit and reward, and supply chains have become a common target for double extortion ransomware (encrypting data and threatening to leak it) because compromising a single supplier lets the attacker disrupt, and extort, more than one organisation at once. They are looking to access core data inside their targets’ systems and networks, ultimately to find a foothold that grants them access into other suppliers’ networks and systems, which can have catastrophic cascading effects. As third-party exposure increases and cyber threats continue to become more sophisticated, managing third-party risk effectively is imperative.
Best practices – selecting and vetting suppliers
Enterprises are now starting to realise that they need to not only optimise their own security measures but invest more in supply chain auditing as well. Businesses must be able to trust that what their suppliers provide them will both operate to specifications and not create new vulnerabilities in their environment. As a result, cybersecurity due diligence is becoming a critical component of the vendor and supplier selection process.
Best practices for vetting both new and existing suppliers include having an understanding of their reputation in the market and identifying what practices they carry out with their own supply chain. Companies should maintain a standardised information gathering (SIG) questionnaire that they include in their contracts with third-party suppliers – and it is critical for companies to hold their suppliers contractually accountable to maintain security standards at least as stringent as those that the company itself adheres to. Ideally, suppliers’ contractually obligated security requirements should include granting the company audit rights to inspect their controls periodically.
Companies must also assess the potential impact (based on degree of integration, type of access shared, potential to quickly find alternative suppliers, etc.) in the event that one supplier becomes untrustworthy and establish a backup plan for critical suppliers with no alternatives.
Looking towards the future – taking responsibility
In addition to investing more in supply chain auditing, enterprise leaders need to implement a proactive, ‘always on’ approach to cybersecurity that is attuned to changing threats. As systems evolve, are upgraded and become more interconnected, the attack surface also changes and expands. No single product or service can respond to every existing or potential threat, so organisations rely on a patchwork of security systems supplied by various vendors, each with its own standards of security and service. Enterprises need to take care to understand the evolving attack surface and how all these tools and services combine to provide the necessary coverage.
As part of this process, IT professionals should lean on their trusted partners. Regular engagement of this kind helps ensure that enterprises stay informed about new developments and about the security features available to address evolving needs and emerging threats.
But even with the appropriate security-related terms in the contract, enterprises cannot and should not rely solely on their partners to identify all risks and vulnerabilities. Organisations remain responsible for vetting the solutions they use. Current best practice is for every business to actively perform vulnerability scanning on all systems and subsystems, to test its incident response processes, and to engage independent penetration testing firms to validate its defences and minimise unnecessary risk.
Partners are key to overcoming some of the more complex business challenges, so organisations need to accept the reality of closer integration and work with their partners to establish strong security measures. Cyberattacks are rarely isolated, and success on one front will only spur assaults on many more. In today’s global connected environment, maintaining security requires that all organisations be committed to remaining vigilant and taking an active role in the security ecosystem.