Forrester recently predicted that in 2022, 60% of security incidents would involve third parties. Yikes!
With such a large percentage of incidents originating outside the confines of your own organization, you need to know what to do to protect yourself. So, here is a list of things to address to succeed at supply chain risk (SCR) management.
It sounds simple, but many organizations we work with don't know who their suppliers are.
You can start with procurement and ask them for a list, but you'll often have to scan IT suppliers in detail, as well as everything from financial providers to courier companies. Many procurement departments vet suppliers only on service or supply charge levels, and small-dollar-value suppliers don't reach the threshold. Maybe some of them should (like the printer of your annual corporate gifts, who has your entire customer list). One large organization we worked with had over 12,000 suppliers! This organization was probably unaware of the risk carried by that volume of suppliers and used the exercise as an opportunity to prune!
Working out which suppliers matter to your business, and assessing the impact that any cyber incident they experience might have on you, is the next step. Many consultants say to group vendors by criticality, but this can be harder than it seems. Read this article by Peter Venables, CISO of Google, and you'll understand how outrage can push seemingly innocuous suppliers into the higher-risk tiers. Does that vendor have access to company systems, classified data, or PII? Assess their criticality: how the vendor relates to your business, and how an incident would cause problems for your board, management team, or business operations. If you have to pull the plug on a vendor, does your business stop too?
Your assessment framework should cover a variety of cybersecurity standards and best practices, e.g., from the National Institute of Standards and Technology (NIST) or the CIS Critical Security Controls (formerly SANS). Questions range from the supplier's ability to encrypt data, whether it uses MFA, the supplier's password policies, patching program management, architecture and segmentation, cloud usage, and many more. A best practice is to balance your assessment questions. Too few and you won't know what's actually going on; too many and you'll be lucky to get a response from your suppliers. Trustwave has 23 primary domains addressed in our assessment, which we think is the right amount. More importantly, assessment questionnaires are just the start. Ask for evidence, such as their security policy, penetration test reports, certifications such as ISO 27001, and SOC 2 reports. Note: a supplier can fake these reports, so make sure they are genuine.
The assessment is only as good as the tool or the human analysis behind it. We recommend you know which parameters affect a vendor's risk rating and how a given vulnerability may impact your business. For example, will SSL/TLS vulnerabilities on that vendor's systems pose a risk to your business? If they're storing your client data on a public-facing system, this will be a problem, and a high-risk one at that, but if they're providing flowers at your front desk, it likely will not be an issue.
I'd be asking the person who interprets the questionnaire results, "Is this your core competency?" The skill level and time needed to interpret the variety of cybersecurity reports, certs, scans, and rich-text responses to questions require a span of knowledge that most IT or audit generalists just don't have, and that AI-based security scans can't process accurately. If you're outsourcing this task, ask if this is an area in which the vendor specializes. You're paying for their time, so they should be experts who can do this task quickly. They should also provide you with actionable intelligence: recommendations on actions to address gaps with high-risk suppliers.
These tools have their place, although the licensing cost is often considerable, particularly if you haven't done step 2 and you're scanning every vendor! Vendor scanning tools give a security profile as seen from outside the target vendor's organization: the public-facing systems, websites, servers, connection protocols, and publicly available data are compiled to produce a final score. This may be good enough for low-risk suppliers. However, it's not enough to predict whether a supplier will pose a problem for you in six months. For example, if the vendor does not have a patching program, this is likely to be a risk that's going to bite when an attacker rolls out a zero-day attack. Scans today won't tell you that, whereas an assessment by an experienced analyst is predictive and will let you know each vendor's capability to deal with events as they arise.
In our opinion, no amount of risk assessment would protect you from a potential nation-state attack, such as the one the SolarWinds vulnerability posed. However, a threat detection service or capability will alert you to incidents and breaches in real time. At a minimum, it will enable you to respond quickly when the worst happens; at best, it will stop the threat before it reaches your critical systems.
If you're looking to improve resilience against supply chain risks, you can talk to us. Our Supply Chain Risk Diagnostic Service is ready to shorten the time needed to get your SCR management program up and running.
Alternatively, when revisiting your in-house cyber risk assessments, or looking for a more efficient third party to do this for your business, look here for a description of our Managed Vendor Risk Assessment Service.
Trustwave offers Managed Vendor Risk Assessments (MVRAs) to help organizations assess and manage their cybersecurity supply chain risks with consistent, predictable, affordable, and scalable services. By understanding the risks vendors pose to sensitive data and operations, you can potentially save time and money, and improve business resilience.