Supply Chain Cybersecurity – the importance of everyone

I’m always surprised – and a little disappointed – at how far we have to go before supply chain cybersecurity gets the respect and attention it deserves.

I sat down this week with a new client who wanted some help addressing several internal issues surrounding their IT systems. When I asked them about their relationship with the supplier – essentially, how was their supply chain cybersecurity? – their response was not only worrying but, unfortunately, quite typical. “Well, we’ve used them since we first started the business a couple of years ago, so we’ve kind of grown up together,” they responded.

As cybercriminals take note of our lackadaisical attitude towards one of our biggest attack vectors, the supply chain comes under ever-increasing attack. The only way to bat down malicious exploits and improve supply chain security is to get closer to our suppliers, ask the right questions, and do our due diligence. Only by looking at the supply chain differently and our part in it can we see around the corners what is going to protect the suppliers closest to us and our most critical assets.

Knowing Your Supply Chain

One of the key components of ISO27001 has always been that supplier relationships are considered and managed effectively. In the new Annex A, controls for ISO27002:2022 have also been expanded to incorporate new requirements. ISO27001:2022 therefore requires:

• Information security in supplier relationships
• Addressing information security within supplier agreements
• Managing information security in the ICT supply chain
• Monitoring, reviewing, and change management of supplier services

Recognizing that the cloud has now become a major supplier for many organizations, the standard now includes a new requirement for “Information Security for the use of Cloud Services” (A5.23). However, if the payment card standard, PCI DSS, is more of a concern for you, then you should know that the tenth requirement of the standard requires that you “Log and monitor all access to system components and cardholder data”. This means more than monitoring your own access to network resources and cardholder data. Government supply chain cybersecurity makes similar far-reaching demands, requiring contractors of the Defense Industrial Base (DIB) to be fully security-vetted before even making a bid.

I often ask to see the service agreements for organizations that hold a support contract with an IT provider because I want to understand the level of access that the organization has granted to that third party. For example, does the IT provider have complete and continuous access to their clients’ networks for support purposes? Or do they have to request access? In most situations, it makes perfect sense to allow the IT provider complete control of the network to support the client. However, this then exposes the client to additional risks from the possibility of issues affecting the supplier, which could spread into their systems. Supply chain cybersecurity, therefore, comes down to not only what you require of your contractors, but what they require of theirs.

This video shows how we can take the first steps and start to discover supply chain vulnerabilities within our vendor relationships.

Supply Chain Security: More Than an IT Problem

Before you think this is just an attack on IT suppliers, I want to be clear that whoever your critical suppliers are, you need to assess their security capabilities based on the risk to your organization. For obvious reasons, the IT Managed Service Provider (MSP) is often a primary focus. But who else do you rely on to run your business? What access to your data do they have, and can this pose a threat to your business or reputation?

Third-Party Liability: IT’s Getting Hot in Here!

Back in 2006, Dell Corporation, the world’s largest computer manufacturer at the time, had to recall millions of laptops due to fears that they could catch fire. It was considered the consumer electronic industry’s largest product recall, with over 4 million batteries identified as potential hazards. Since then, there have been countless stories of Dell laptops bursting into flames and causing fires. Whatever the cause, it is known that the batteries were supplied to Dell by a third-party manufacturer. This is a very tangible example of a supplier having a very real-world impact on their client’s reputation (Dell).

Cybersecurity Due Diligence

It’s always returning to the basics with information security, and supply chain cybersecurity is no different. Remember that the central tenet of the discipline is to ensure:

• Confidentiality of data
• Integrity of data
• Availability of data

Ask Suppliers

With this in mind, when was the last time you completed a review of your suppliers against these three principles? When you allow a supplier into your business, you trust that they are a safe and secure business. But how do you know? Have you performed thorough due diligence? This is important regardless of whether you are hiring a cleaning company or looking for a supplier of goods or services, including outsourced IT and cybersecurity. Additionally,

• Have you asked them what screening processes they have for their staff?
• How do they monitor performance?
• What do they do in relation to security?
•  How do they guard your data?
• Who has access to your data?
• Who is your point of contact?
• What are the Service Level Agreements for any issues?
• How do they handle data breaches?

Ask Data Centers and Cybersecurity Companies

These are all sensible questions to ask of any supplier. But, in addition, for your data centers and cybersecurity companies, you must ask more searching questions. Here are questions you should ask of your data center hosting company today:

1. What Information Certificates do they hold?       
   • Are they UKAS certified to ISO27001? If so, what is the scope?
   • Are they fully certified to the 12 requirements of PCI-DSS?
   • Are they certified to ISO9001? 45001? 20000?
2. What other relevant certificates do they hold? (if you deal with the USA, SOC may be needed).
3. When was the last Penetration Test, and were all findings remediated?
4. Have there been any data breaches in the last 12 months?

These are your initial questions, enough to get you started. Even if you use one of the large commercial services, their certificates of compliance can easily be obtained through a simple search or by speaking to your account representative.

Supply Chains: No Such Thing as 100% Secure

Supply chain security also factors into some of the privacy regulations as well. For example, the California Consumer Privacy Protection Act (CCPA) and GDPR require third-party security. GDPR states this in Article 24:

“Where processing is to be carried out on behalf of a controller, the controller shall use only processors (suppliers) providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”

If you rely on suppliers to support your business, you need to know they are going to be there when you need them most and that they are protecting your environment to the highest level possible.

Information security professionals often say that there is no such thing as a 100% secure system. The more we rely on external providers, the truer this statement can become. Security isn’t just for your organization. It extends as far as your entire supply chain. That’s why reliable supply chain cybersecurity depends on close examination to make sure that the links are as tightly bound as possible.

Learn more about supply chain risk in this blog from Fortra’s Antonio Sanchez.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.