Cyber Month: Thursday Thoughts with Thijs: Supply-chain attack
All businesses have suppliers, fact. But have you ever considered the associated risk of a cyber-attack to your suppliers? Commonly known as either a supply chain attack or third-party risk.
My first musing of Cyber Security Month: what can you do to minimise the risk of a supply-chain attack?
Firstly, what do I mean by a supply chain-attack? Well, these attacks aren’t carried out directly on a business, but on its suppliers, such as the Kaseya ransomware attack in 2021. Kaseya offers software that allows companies to manage other companies’ IT infrastructure. To use this software, there must be a trusted connection between the vendor and the environment. However, unfortunately there was a flaw in the software that was then exploited by criminals – they only needed to launch their attack on one company in order to gain access to many others to conduct their criminal activities.
How can you minimise this risk?
Keep a register of all your suppliers. Look at the suppliers who have direct (and indirect) access to your environment. Often, access is requested by default due to convenience, either by a direct (continuous) connection or software used to achieve remote access (indirect connection). It’s important to know who manages that connection and what software is used to provide remote assistance, as well as creating an overview and monitoring this in your list of suppliers.
Understandably, sometimes it isn’t always feasible check in detail if your suppliers have everything in order with regards to information security. So, to try and combat this, I would highly recommend verifying that the supplier has a valid ISO/IEC 27001 certificate and check their statement of applicability.
For your most critical processes and components, you must meticulously go through your agreements with your suppliers – not only those with access agreements – and consider:
- Is there a service level agreement (SLA) in place?
- What action/reaction can you count on in case of an incident?
- Which other suppliers does your supplier use?
- Are there any suppliers that may pose a potential risk? For example, can the supplier still guarantee its services to you if one of their suppliers fail?
Another important aspect of supply chain security is checking whether a processor agreement is needed or not – if you need a hand with this, turn to your local Data Protection Authority (DPA) for guidance. If you do need one, make sure that you carefully read the agreement and check, for example, which sub-processors are already known. Don’t forget to regularly check and review your agreements, at least on an annual basis, as nothing changes as quickly as the cyber security landscape.
Finally, it strikes me that outsourcing services or tasks to third parties has become commonplace. Most likely due to having to organise and source everything that makes a business run, things such as equipment, software and knowledge in-house, which can be quite expensive. It is therefore absolutely imperative, if you are involving third parties, to be well aware of who is outsourcing what. Outsourcing services does not absolve you of responsibility.
So, to recap my Thursday Thoughts regarding supply-chain attacks:
- Keep a register of all your suppliers
- Check at least for valid ISO/IEC 27001 certificates
- Carefully go through your established agreements with your suppliers
- Review your agreements on annual basis
Need some help going through the agreements with your suppliers in the field of information security? Resillion is more than happy to assist you. Contact us for more information.