Date: 01 Mar 2023
Category: Technology Risk

Securing your supply chain with limited resources

Attention to supply chain security has increased significantly in the past few years, driven by the migration to and adoption of cloud-based solutions for the provision of technology services.

Whilst there is no doubt that using third parties to provide technology brings many technical and operational benefits, it also introduces cybersecurity risks, and organisations that do not fully understand and address those risks can be left exposed.

The SolarWinds incident in 2020 illustrates how using third parties for technology services exposes organisations to cybersecurity risk. The SolarWinds solution is used by a large number of companies across the globe. In this case, attackers managed to insert malware into thousands of customer networks. This then gave the attackers access to each compromised network, including those belonging to the U.S. Government.

Despite the cybersecurity risks introduced by supply chains, not all organisations have mature risk management processes in place. To reduce the risk of falling victim to cyber-attacks, organisations should consider security at each stage of the supplier lifecycle: selection, contracting and onboarding, management and monitoring, and termination and exit.


Three top tips for mitigating risk

Managing supply chain security risk can seem a daunting task, but by taking some key actions organisations can reduce their overall risk.

  1. Adopt a risk-based approach

Organisations should take a risk-based approach, focusing at least initially on their most critical services and suppliers. Consideration should be given to which systems and information each supplier has access to, how operationally important the individual systems are, and the sensitivity of any data being processed.

  2. Embed security due diligence into existing procurement and contract management processes

A further way organisations can better manage risk is through robust supplier due diligence. By reviewing a supplier's cybersecurity arrangements as part of procurement, organisations can more readily assess whether the supplier is able to meet their security requirements. Security specialists should be involved in the early stages of contracting so that suppliers who do not meet the organisation's security risk policies are not selected.

  3. Future-proof contracts

When establishing contracts, security clauses should refer to recognised security frameworks and standards rather than point-in-time security requirements. This keeps contracts relevant as the threat landscape changes and reduces the risk of obsolete security requirements, which can take a lot of time and effort to amend. Contracts should also include a right to audit so that organisations can gain assurance over supplier security arrangements.


Sources of guidance

The National Cyber Security Centre has produced, and updates as required, guidance that organisations should refer to when establishing security controls over their suppliers.


We are here to help

If you have any questions about your cybersecurity or require assistance with managing any supply chain risks, please get in touch with a member of our specialist team or your usual Azets advisor.

About the author

Emily Barker

Senior Edinburgh