Imagine you are a property owner. You decide to get serious about your home security. You install locks on all your doors and windows. You wire in an alarm system. You keep a detailed record of all your valuables. And then you open the door to someone posing as a delivery driver.
You let him in, and he steals everything.
This is a real-life analogy for a supply chain attack. In a breach of this type, attackers don’t go after the SME directly; they compromise a company – or a software product – it does business with. They take advantage of the weaker attention paid to the security of these external partners to ‘enter’ the target organisation. And because a single supplier may serve many customers, compromising an enterprise higher up the supply chain can let attackers reach thousands of victims at once.
Regrettably, over the last few years, SMEs all over the world have become more and more vulnerable to this rising threat. Indeed, Argon’s Software Supply Chain Security study found supply chain attacks grew by more than 300 per cent in 2021 compared to 2020. Perhaps the most high-profile example was the SolarWinds attack, disclosed in December 2020. SolarWinds estimated that up to 18,000 customers, including large government agencies, had installed the trojanised software update.
Clearly, the risk of supply chain attacks is growing. And yet many SMEs seem unsure how to respond. However, there are basic steps you can take to minimise your risk of a breach. These measures will create a culture of transparency and accountability between you and your vendors.
To assess your level of defence against supply chain attacks, ask yourself these essential questions:
Do I know exactly what is in my IT stack?
You cannot protect your IT systems if you don’t know their contents. For this reason, your defence against supply chain attacks should start with a full audit of your IT environment. You must understand exactly what hardware, software and SaaS products are in use, where the security gaps lie, and which vendors and partners your business relies on.
Is my tech team aware of unapproved shadow IT?
Every time an employee installs their own IT product on a work device they are increasing the risk of a breach. Even the most ‘harmless’ product – a grammar checker, say – can become a trojan horse through which attackers enter. Needless to say, these ‘shadow IT’ products have never been reviewed by your internal security people, simply because they do not know the products exist.
Indeed, your team might be shocked to find out the precise number of unauthorised products being used in the organisation. The count can run into the thousands. So take control. Run a complete audit.
How well do I know my suppliers?
A vital line of defence is to assess the nature of your supplier interactions. What types of data do they process? Which system interfaces do they use? How integrated are they with your organisation? You should have a system of record for every vendor based on the type of service they deliver. It’s vital to keep an up-to-date inventory and to manage these relationships centrally.
Can I rank my suppliers by risk?
Ask yourself how critical your suppliers are to the business. Security resources are scarce, so prioritise vendors that matter the most. Aim to identify partners whose compromise could cause the greatest damage to your business. If there are redundancies or unnecessary relationships, address them too. By tiering partnerships you can fast-track procurement for low-risk vendors.
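One way to put the three questions above (know your stack, find shadow IT, tier your vendors) into practice, as an added example that is not part of the original article: reconcile a device software inventory against the approved-software register, flag anything unapproved, work out which vendors you actually depend on, and give each a simple risk tier. Every record below is constructed sample data, and the field names (device, software, vendor, data_classes, integration), the weights and the tier thresholds are assumptions for illustration, not a standard.

```python
# Added example, not from the original article. All data is constructed and the
# field names, weights and thresholds are assumptions chosen for illustration.
from collections import defaultdict

# Constructed sample inventory: the kind of per-device record an MDM/EDR export gives.
INVENTORY = [
    {"device": "laptop-01", "software": "TeamChat", "vendor": "Chatter Ltd"},
    {"device": "laptop-01", "software": "GrammarPal", "vendor": "GrammarPal Inc"},
    {"device": "laptop-02", "software": "TeamChat", "vendor": "Chatter Ltd"},
    {"device": "laptop-02", "software": "GrammarPal", "vendor": "GrammarPal Inc"},
    {"device": "laptop-03", "software": "TeamChat", "vendor": "Chatter Ltd"},
    {"device": "server-01", "software": "NetMonitor", "vendor": "Acme Monitoring"},
    {"device": "server-02", "software": "NetMonitor", "vendor": "Acme Monitoring"},
    {"device": "server-02", "software": "Payroll Connector", "vendor": "PayCo"},
]

# Constructed approved-software register: products security has actually reviewed.
APPROVED = {"TeamChat", "NetMonitor", "Payroll Connector"}

# Constructed vendor register: what data each vendor handles and how it connects.
# Only reviewed vendors appear here; a vendor missing from it is itself a finding.
VENDORS = {
    "Chatter Ltd": {"data_classes": {"internal"}, "integration": "saas_sso"},
    "Acme Monitoring": {"data_classes": {"internal", "credentials"}, "integration": "agent_on_servers"},
    "PayCo": {"data_classes": {"personal", "financial"}, "integration": "api_write"},
}

# Assumed weights: sensitivity of the worst data class and depth of integration.
DATA_WEIGHT = {"public": 0, "internal": 1, "personal": 3, "financial": 3, "credentials": 4}
INTEGRATION_WEIGHT = {"standalone": 0, "saas_sso": 1, "api_read": 1, "api_write": 2, "agent_on_servers": 4}


def find_shadow_it(inventory, approved):
    """Return {software: sorted devices} for every product not on the approved register."""
    found = defaultdict(set)
    for rec in inventory:
        if rec["software"] not in approved:
            found[rec["software"]].add(rec["device"])
    return {name: sorted(devs) for name, devs in found.items()}


def vendor_footprint(inventory):
    """Return {vendor: set of devices} so you can see which suppliers you really depend on."""
    footprint = defaultdict(set)
    for rec in inventory:
        footprint[rec["vendor"]].add(rec["device"])
    return dict(footprint)


def score_vendor(profile, device_count):
    """Additive risk score: worst data class + integration depth + size of footprint."""
    data = max((DATA_WEIGHT[d] for d in profile["data_classes"]), default=0)
    integration = INTEGRATION_WEIGHT[profile["integration"]]
    footprint = 2 if device_count >= 5 else 1 if device_count >= 2 else 0
    return data + integration + footprint


def tier_for(score):
    """Assumed thresholds: tier1 vendors get the deepest assurance work."""
    if score >= 7:
        return "tier1"
    if score >= 4:
        return "tier2"
    return "tier3"


def assess(inventory, approved, vendors):
    """Combine the three checks into one report a security lead can act on."""
    shadow = find_shadow_it(inventory, approved)
    footprint = vendor_footprint(inventory)
    tiers, unassessed = {}, []
    for vendor, devices in footprint.items():
        if vendor in vendors:
            tiers[vendor] = tier_for(score_vendor(vendors[vendor], len(devices)))
        else:
            # A supplier present on your devices but absent from the register has
            # never been assessed: the shadow-IT vendor is the gap, not just the app.
            unassessed.append(vendor)
    return {"shadow_it": shadow, "vendor_tiers": tiers, "unassessed_vendors": sorted(unassessed)}


if __name__ == "__main__":
    report = assess(INVENTORY, APPROVED, VENDORS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the constructed data, the unapproved grammar checker shows up on two laptops, its vendor is reported as unassessed, the monitoring agent that runs on servers with credentials lands in tier 1, and the chat tool ends up in tier 3. Swap the constructed lists for a real MDM or EDR export and your procurement register, and adjust the weights to match what actually matters to your business.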
Are my suppliers doing enough to protect themselves?
Once you have a good understanding of your partners and their relative importance, you should find out how they are bolstering their defences. Prepare a list of clearly-defined requirements and be prepared to ask uncomfortable questions.
You should expect every vendor in your portfolio to demonstrate what they are doing to protect themselves and their customers against attacks. Ask them how they restrict access to systems and how they encrypt data. Do they follow recognised industry standards, such as ISO 27001 or SOC 2? How are they safeguarding the confidentiality, integrity and availability of their clients’ data? Can they show independent audits of their security performance, such as a recent SOC 2 report or certification, when asked to do so?
In the event of a breach, can my suppliers promise business continuity?
Good defences are the best protection against supply chain attacks. But no system can ever be completely secure. So what happens when there is a breach? When it comes to business continuity and disaster recovery (BCDR), you should have clear expectations of your partners. Build these into your contracts. Write SLAs that require a documented incident response plan, including how quickly a supplier must notify you of an incident that affects your data or systems. If a supplier doesn’t have a formal BCDR strategy in place, work together to create one.
Am I holding my suppliers accountable?
OK, so you have ranked your suppliers and audited their security measures. But this is not the end of the process. Now you need a system to evaluate them on an ongoing basis. The requirements you place on your vendors should mirror your own. Indeed, tier one vendors should be treated as an extension of your business. Their policies should be at least as rigorous as those you set yourself.
Of course, this is not a box ticking exercise. Nor should it be a one-off. You need to persevere and keep relationships transparent. Your partners’ security programmes should adapt to changing threats – and they must be able to show that they are.
If you ensure your vendors abide by best practices, it will set the tone for the long term. When there is shared upfront commitment, it will unify both parties in the event of an incident. This will pay off in terms of business continuity, incident response, data retrieval and data ownership.
Does my organisation have a culture of cyber security?
Shadow IT is a growing problem because employees don’t fully understand the risk of connecting their own software products to the organisation. In this sense, users remain the weakest link. Education is the first remedy, but not the only one: use staff training to build a strong security culture and back it with technical controls that do not rely on memory, such as application allow-listing and appropriate threat prevention and monitoring tools. Your team must be vigilant and learn to spot suspicious activity. Encourage them to report anything unusual, even if it seems trivial.
Final takeaway
SMEs cannot counter the rising threat of supply chain attacks alone. The only defence is to bring all external partners on side. You must demand the highest possible security outcomes from vendors, whether the relationship is new or stretches back over decades. You should track and record everything, and do so regularly over the long term.
Work with your suppliers. Know what their policies are, remedy any weak points and constantly review their defences – and your own. Do all this and you will be better armed against the constant threat of supply chain attacks. Intruders might still ring the bell, but you will know not to open the door.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.