6 tips for supply chain cyber risk management in 2022

Forrester recently predicted that in 2022, 60 per cent of security incidents will involve third parties. Here is a list of things to address to succeed at supply chain risk (SCR) management in the coming year.

1. Know who your suppliers are

Sounds simple, but many organisations we work with don’t know who all their suppliers are.

You can start with procurement and ask them for a list, but you’ll often have to scan IT suppliers in detail, as well as everything from financial providers to courier companies. Many procurement departments vet suppliers only on service or supply charge clip levels and small dollar value suppliers don’t reach the threshold. Maybe some of them should (like the printer of your annual corporate gifts who has your full customer list). One large organisation we worked with had over 12,000 suppliers! This organisation was probably unaware of the risk the volume of suppliers posed and used it as an opportunity to prune!

2. Triage the list

Working out which suppliers matter to your business and assessing the impact that any cyber incident that they experience might have on you is the next step. Many consultants stay with group vendors by criticality, but this can be harder than it seems. Does that vendor have access to company systems, classified data or PII? Assess their criticality – how it relates to your business and how an incident would cause problems for your board, management team or business operations – if you have to pull the plug on a vendor, does your business stop too?

3. Ask the right assessment questions and get evidence

Your assessment framework should cover a variety of cyber security standards and best practices, e.g. from the National Institute of Standards and Technology (NIST) or CIS Critical Security Controls (formerly SANS). Questions range everywhere from the supplier’s ability to encrypt data, use of MFA, password policies, patching program management, architecture and segmentation, cloud usage and many more. Your assessment questions must be balanced. Too little and you won’t know what’s really going on; too much and you’ll be lucky to get a response from your suppliers. Trustwave has 23 primary domains addressed in our assessment, which we think is about right. More importantly, you should be going further than assessment questionnaires. Ask for evidence – security policy, penetration test reports, certifications like ISO 27001 and SOC2 reports. Note: These reports can be faked; make sure you know what you’re looking at.

VIEW ALL

4. Interpret results with an eagle eye

The assessment is only as good as the tool, or the human analysis behind it. We recommend you know which parameters impact the risk rating for a vendor, and how that vulnerability may impact your business. For example, are SSL vulnerabilities in that vendor going to pose a risk to your business? Perhaps if they’re storing your client data on a public-facing system this will be a problem, and a high risk one. But if they’re providing flowers at your front desk, it probably won’t.

I’d be asking the person doing the interpretation of the results of questionnaires, “is this your core competency?” The skill level and time needed to interpret the variety of cyber security reports, certs, scans and rich text responses to questions requires a span of knowledge that most IT or audit generalists just don’t have, and AI-based security scans can’t process with accuracy. If you’re outsourcing this task, ask if this is an area they specialise in. You’re paying for their time, so they should be experts with speed at this task. They should also be providing you with actionable intelligence – recommendations on actions to address gaps with high-risk suppliers.

5. Use automated scanning tools with care

These have their place, albeit the licensing is often not without considerable cost, particularly if you haven’t done step two above and you’re scanning every vendor! Vendor scanning tools give the security profile as seen from outside the target vendor’s organisation – the public-facing systems, websites, servers, connection protocols, and publicly available data that add up to a score. This may be good enough for low-risk suppliers. However, it’s not enough for a future guess at whether a supplier is likely to pose problems for you in six months’ time. If the vendor is missing a patching program, then this is a risk that’s going to bite when a zero day is rolled out. Scans today won’t tell you that, whereas an assessment by an experienced analyst is predictive and will let you know the capability of each vendor to deal with events as these arise.

6. Threat detection should be part of your SCR strategy

In our opinion, no amount of risk assessment would protect you from a potential nation state attack, like the Solar Winds vulnerability posed. A threat detection and response service or capability will alert you to incidents and breaches in real time. At a minimum it will enable you to respond quickly when the worst happens, or at most, stop the threat before it reaches your critical systems.

Henry Ward is the principal security adviser, Pacific at Trustwave.