Unfortunately, supply chain attacks were one of the top three areas of cyber-attack to increase in the last six months, behind phishing, malware and attacks on operational technology. Cyber-security attacks on supply chains have increased by 51% in the past six months, according to NCC Group’s research. Having surveyed approximately 1,400 cyber-security decision-makers at large companies in 11 countries, including the UK, US, China, Germany and Singapore, we also found some other concerning results.
For instance, only 32% were “very confident” that they could respond quickly and effectively to a supply chain attack. And just 24% named third-party and supplier risk as a major cyber-security challenge for the next six to 12 months.
Many plan to invest in new third-party software, hardware and Software as a Service (SaaS) security products in 2022, which could further complicate their supply chains and increase vulnerability. So how can they reap the benefits of third-party supply chain tools, while mitigating the risks?
Five actions to prevent, detect and respond to supply chain attacks:
1. Awareness
Know your critical assets, the suppliers that support them and the risk to the business if either were compromised. Understanding the services and products your suppliers provide, and the access they have to your environment and data assets, gives you a clearer picture of your supply chain risk.
2. Assurance
Having selected a supplier, first carry out technical due diligence to ensure that they are committed to delivering a secure service, then build assurance measures into any request for information (RFI) or request for proposal (RFP). Remember that this is not a one-off: you need to maintain adequate levels of assurance, which means making sure that your suppliers support your policy, processes and controls. You can adopt different approaches to assessment that match the risk profile of each supplier, such as tailored security control questionnaires backed by evidence gathering and certification. If you don’t have the resources to manage such a programme, use an effective third party to monitor and assess the suppliers for you.
3. Isolation and segmentation
Only give suppliers as much access as they need, and challenge why they need as much as they will initially claim. Adopting ‘least privilege’ access controls may reduce the damage that a compromise of their systems can cause to yours. Segment your network, with internal firewalls or other measures, to limit the damage an intruder can cause.
4. Detection
Having a Security Operations Centre (SOC) constantly monitor your networks and systems, including suppliers’ performance and adherence to contractual obligations, is key to maintaining your resilience. For ongoing detection, regularly test your own and your suppliers’ software applications and networks with penetration testing and vulnerability scanning. And apply integrity checks to new, updated or patched software to detect any change to the code that could indicate a malicious attack.
5. Respond
Integrate supplier management into your incident response and communication plans. Ensure that contracts require third parties to report their cyber incidents so that you quickly become aware of any potential impact on your systems, and test their reporting and support with tabletop exercises. Ensure these resilience plans are fit for purpose and regularly tested, including through Software Escrow Verification, under which the supplier’s software is safely lodged in escrow with a third party in case they fail to deliver according to the contract.
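The integrity check called for under Detection (step 4) can be made concrete. The Python below is an added example, not NCC Group’s code: it verifies a delivered update against a hash manifest obtained from the supplier out of band, reporting each artifact as unchanged, modified, missing or unexpected so that a tampered or incomplete patch is held back rather than installed. The artifact names and contents are constructed sample data.

```python
"""Integrity check of delivered software artifacts against a supplier hash
manifest. Added example, not NCC Group code. All artifact names and contents
below are constructed sample data.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """SHA-256 hex digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict[str, bytes]) -> dict[str, str]:
    """Record a known-good release as name -> expected digest. In practice this
    comes from the supplier out of band (a signed release page) or is captured
    at acceptance testing, never from the same channel as the update itself."""
    return {name: sha256_hex(data) for name, data in artifacts.items()}


def verify_delivery(manifest: dict[str, str], delivered: dict[str, bytes]) -> dict[str, str]:
    """Compare a delivered update against the trusted manifest.

    Status per artifact name:
      "ok"          digest matches the manifest
      "modified"    present, but the content has changed
      "missing"     listed in the manifest but not delivered
      "unexpected"  delivered but not listed in the manifest
    """
    report: dict[str, str] = {}
    for name, expected in manifest.items():
        if name not in delivered:
            report[name] = "missing"
            continue
        actual = sha256_hex(delivered[name])
        # compare_digest avoids short-circuit timing differences on mismatch
        report[name] = "ok" if hmac.compare_digest(actual, expected) else "modified"
    for name in delivered:
        if name not in manifest:
            report[name] = "unexpected"
    return report


def delivery_is_clean(report: dict[str, str]) -> bool:
    """Deploy only when every artifact is accounted for and unchanged."""
    return all(status == "ok" for status in report.values())


# Constructed sample release as accepted from the supplier.
KNOWN_GOOD = {
    "agent.bin": b"\x7fELF sample agent binary, release 1.4.2",
    "updater.sh": b"#!/bin/sh\nexec ./agent.bin --update\n",
    "config.yaml": b"endpoint: https://vendor.example/api\nverify_tls: true\n",
}
MANIFEST = build_manifest(KNOWN_GOOD)

# Constructed sample of a later delivery that should fail the check:
# TLS verification switched off, one file absent, one file never in the release.
SUSPECT_UPDATE = {
    "agent.bin": KNOWN_GOOD["agent.bin"],
    "config.yaml": b"endpoint: https://vendor.example/api\nverify_tls: false\n",
    "helper.so": b"unexpected extra artifact",
}


if __name__ == "__main__":
    result = verify_delivery(MANIFEST, SUSPECT_UPDATE)
    for name, status in sorted(result.items()):
        print(f"{status:<11} {name}")
    print("deployable:", delivery_is_clean(result))
```

The manifest must come from a different channel than the update itself (a signed release page or a value recorded at acceptance testing); if both arrive together from the same compromised path, an attacker can simply regenerate the hashes. Where the supplier signs releases, verify the signature on the manifest first, then run this comparison.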
Bringing a cyber-security focus to the software and services supplied by third parties is an ongoing process that requires commitment well beyond the initial selection of a suitable partner. The effort, however, lets you rest assured that the critical third parties you rely on are working to secure your own network and systems.
This article was written in collaboration with NCC Group Software Resilience, the world's largest Software Escrow provider. Visit their insight blog for actionable resources and helpful information.