How to assess the cybersecurity practices of third-party suppliers
Our digital and physical worlds are built on supply chains which, because of their increasing complexity, are prone to exploitation by threat actors.
According to NTT Security Holdings’ 2022 Global Threat Intelligence Report, supply chain attacks will continue to rise as cybercriminals replicate behaviours, purchase tradecraft, and learn from each other. In this blog post, we'll explain how you can reduce the risk and impact of attacks targeting your supply chain by implementing effective risk management and governance procedures, including assessing the security practices of third-party suppliers.
An expanding attack surface
Supply chains have transformed how organisations operate and do business over the past decade. While these advancements in supply chains have brought undeniable benefits, they have also introduced new challenges and security risks. The interconnected nature of relationships with suppliers means that a single weak link can have far-reaching consequences. The shift to using external services, suppliers, and cloud platforms has significantly broadened organisations’ attack surface.
This attack surface is not entirely new: in 2013, the Target data breach was the result of attackers gaining access to Target’s system by stealing credentials from an HVAC and refrigeration company – Fazio Mechanical Services. The third-party supplier was a refrigeration contractor for supermarkets and had remote access to Target’s network for electronic billing, contract submission, and project management purposes. During the breach, cybercriminals were able to steal 40 million credit and debit records and 70 million customer records.
It's common for global brands to have thousands of suppliers. The complexity of supply chains often creates a lack of visibility over this new attack surface which, combined with the sophistication of attacker tradecraft, increases the challenge of detecting and preventing supply chain attacks. As part of a layered, defence-in-depth approach to mitigating the risks of a cyberattack stemming from their supply chain, organisations should assess the cyber security practices of all current and prospective third-party suppliers.
Relationships with suppliers are not uniform
Supply chains are complex, and understanding the variety of relationships with third-party suppliers is crucial to identifying your attack surface and establishing adequate risk management processes. A cyberattack compromising a single aspect of the supply chain will have effects upon multiple organisations. In some cases, the knock-on effects of a compromise are merely incidental; in others, compromising one organisation will allow the threat actor to conduct a further, deliberate attack on that company’s customers.
To categorise suppliers, consider a few key areas, such as:
- How much data they store and process about your organisation.
- The nature and value of that data to your organisation i.e., is it useful to a cyber-attacker?
- Whether that data is subject to further regulation and legislation, e.g. personally identifiable information (PII), payment card information (PCI), etc.
- Whether that supplier is critical to the day-to-day functioning of your organisation.
Using this schema, it is possible to categorise suppliers based on their criticality and their risk to data security. The examples below are not an exhaustive list.
1. Open source/no relationship: At the lowest end of the spectrum, organisations can expose themselves to risks from external code which has no proprietary owner, such as the Log4j vulnerability. In such cases, because the code is open source, the supplier is unlikely to share any responsibility for its vulnerability, and organisations must rely on thorough patch management programmes.
2. Third-party software storing little PCI, PII or business-critical data: All third-party software will store (at a minimum) the personal information of the buyer within your organisation and the payment card information used to purchase it. Depending on the purpose of the service/technology and your objectives, it will store data that you may or may not consider business-critical. For example, a project management tool used by the marketing team will have less impact on your organisation if compromised than the payroll software used by your finance team.
3. Third-party software storing regulated and/or business-critical data: A high priority should be placed on third-party software that stores personally identifiable information (PII), payment card information (PCI) or data critical to business functioning. This might include payroll software, software for processing customer payments, or enterprise-level management software such as SAP.
4. Fully outsourced/supplier critical to business function: The most critical category is when your organisation outsources a large portion of one particular function to a third-party supplier. This category should include any third-party supplier that will disrupt business continuity if they are compromised or if their service is interrupted.
Organisations will wish to devise their own schema for categorising supplier relationships, as part of security risk assessments.
Align supply chain risk management with organisational objectives
Your supply chain risk management programme should support your business objectives. For example, if an organisation aims to increase revenue by releasing a new product line, any suppliers critical to the development and release of that product should be considered a higher priority when assessing their security practices. If one or more suppliers are affected by a cyberattack, delays in production may derail the new product launch. By establishing a risk mitigation strategy that identifies alternative suppliers, expedited delivery options, and production testing, senior leadership can make informed decisions that minimise the likelihood of those risks.
Determine supplier criticality
Evaluating suppliers based on how critical they are to achieving organisational objectives will equip senior leadership to develop clear risk management policies for these suppliers that consider possible impacts on the entire organisation. To do this, you can develop criteria for supplier criticality based on, for example, the sensitivity of data processed or possessed by suppliers, the degree of access to your organisation’s systems, and the importance of the products or services to your organisation’s business continuity and its strategic objectives.
Conduct due diligence to determine risk levels
It is essential to perform thorough due diligence on prospective suppliers, commensurate with the level of risk, criticality, and the complexity of each supplier relationship. This entails conducting supplier risk assessments to evaluate the authenticity, integrity, and security of critical products prior to acquisition and use.
How to vet suppliers’ cyber security practices
As a first port of call, you should:
Review all suppliers’ policies for:
- Information Security
- IT Security
- Physical Security
- Personnel Security
- Business Continuity
Send prospective suppliers a questionnaire to assess their security practices.
In your questionnaire, you may wish to consider areas such as:
- Confidential information handling requirements
- Policies, procedures and compliance requirements
- Information protection and compliance requirements
- Personnel security requirements
- Physical security requirements
- System management requirements
- Logical access security requirements
- Operational and application security requirements
- Network security requirements
- Business continuity and disaster recovery requirements
- Managing third parties
The list above is not exhaustive, and should be tailored to suit the requirements of your organisation. Download our example information security questionnaire for suppliers with example questions that you can use to assess new and existing suppliers’ security practices.
The results of the questionnaire will produce a risk score. After a risk score has been determined, it should be evaluated against the criticality of that supplier. The most critical suppliers should be subject to the most stringent risk controls.
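To make the categorisation and scoring concrete, here is an added example (not part of the original post or the questionnaire it links to) that assigns a supplier to one of the four categories above from the criteria listed, derives a risk score as the share of questionnaire areas with no evidenced control, and combines the two so that the most critical suppliers face the strictest bar. The thresholds, the 0-100 scale and all review intervals other than the six-monthly one are assumptions.

```python
from dataclasses import dataclass, field

# Assessment areas taken from the questionnaire list in this post.
QUESTIONNAIRE_AREAS = [
    "confidential_information_handling", "policies_and_compliance",
    "information_protection", "personnel_security", "physical_security",
    "system_management", "logical_access", "operational_and_application_security",
    "network_security", "business_continuity_and_dr", "managing_third_parties",
]

# Assumed thresholds: a gap score at or above this counts as "high" for the category.
HIGH_RISK_THRESHOLD = {1: 60, 2: 50, 3: 30, 4: 20}
# Review cadence in months; six months for the most critical tier is from the post, the rest assumed.
REVIEW_MONTHS = {1: 24, 2: 12, 3: 12, 4: 6}

@dataclass
class Supplier:
    name: str
    open_source_only: bool = False         # category 1: external code, no supplier relationship
    stores_regulated_data: bool = False    # PII / PCI beyond the buyer's own purchase record
    stores_business_critical_data: bool = False
    critical_to_operations: bool = False   # outsourced function; an outage disrupts continuity
    answers: dict = field(default_factory=dict)  # area -> True if the control is evidenced

def categorise(s: Supplier) -> int:
    """Map a supplier onto the post's four categories (4 = most critical)."""
    if s.open_source_only:
        return 1
    if s.critical_to_operations:
        return 4
    if s.stores_regulated_data or s.stores_business_critical_data:
        return 3
    return 2

def risk_score(s: Supplier) -> int:
    """Percentage of questionnaire areas with no evidenced control (assumed 0-100 scale)."""
    gaps = sum(1 for area in QUESTIONNAIRE_AREAS if not s.answers.get(area, False))
    return round(100 * gaps / len(QUESTIONNAIRE_AREAS))

def assess(s: Supplier) -> dict:
    # Critical suppliers (categories 3 and 4) with a high score need a leadership decision.
    cat, score = categorise(s), risk_score(s)
    high = score >= HIGH_RISK_THRESHOLD[cat]
    if cat >= 3 and high:
        decision = "escalate: terminate, or accept with compensating technical controls"
    elif high:
        decision = "remediation plan required before onboarding"
    else:
        decision = "onboard with standard controls"
    return {"supplier": s.name, "category": cat, "risk_score": score,
            "decision": decision, "review_every_months": REVIEW_MONTHS[cat]}
```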
After the vetting process
You should establish periodic reviews of your suppliers, so that their security practices are monitored throughout the lifecycle of that particular product or service. The long-term goal of such reviews is to ensure your suppliers continue to meet their security commitments. How frequently you review suppliers should be determined by their criticality and your level of resources. Once every six months is normal for the most critical suppliers. However, an ad hoc audit is advisable in the wake of major advancements in attacker tradecraft, or significant changes in your supplier’s organisation.
One key question is “what should I do if a vendor is critical, but I am not happy with their security practices?” It is up to every organisation to determine whether they wish to terminate their relationship with that supplier, or accept the risks that supplier presents and try to protect themselves with technical controls. However, once a supplier is onboarded, the interconnected nature of your relationship means that they present an inherent risk. At this point, an organisation’s best hope is to build technical controls as part of a layered defence-in-depth approach. To do this, you can:
- Bolster your detection and response capabilities with Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) services. This will enable you to stop cyberattacks in their tracks.
- Use technical controls to prevent an attacker moving laterally and gaining more privileged access. Some examples include using network segmentation, deploying a zero-trust model, or deploying Privileged Access Management (PAM) with just-in-time access to critical resources.
- Ensure you have a rigorous patch management programme.
- Develop an incident response procedure for use in the event of a cyberattack. All thorough incident response plans should contain a playbook with clear procedures and guidelines for a supply chain attack. This playbook should define clear roles, responsibilities, and communication channels to coordinate an effective response. The plan should include steps to isolate affected components, contain the impact, and gather evidence for further investigation. Consider a retainer for a specialist Incident Response provider. Practise your playbook by running tabletop exercises based on a variety of scenarios in which a supply chain attack occurs.