ISN Blog

Supply Chain Cybersecurity Risk

Written by ISN Team | Jul 12, 2022 5:00:00 AM


Introduction:
Supply chains are the network between an organization and its suppliers. In a traditional sense, this is viewed as the routes between manufacturers, warehouses, transportation organizations, distribution hubs and final retailers. Optimized supply chains are critical because they ultimately lower the overall cost of conducting business and dramatically speed up the production cycle.

Organizations with full command over their supply chain carry less associated risk, but when third parties are involved, that risk level is heightened due to limited visibility and control. All suppliers can pose cybersecurity risk to your organization, but statistically the most likely ones are those that:

  1. Have access to networks or systems
  2. Process, store or transmit sensitive data
  3. Provide a service critical to company operations

Attackers commonly target the weakest link in a supply chain. Unfortunately, this tends to be smaller vendors who inherently have fewer resources to fortify their own cybersecurity posture. Because of the complex interconnectivity of modern supply chains, an attacker who infiltrates your supplier could use lateral movement* techniques to then compromise the confidentiality, integrity, or availability* of your sensitive data. As a result, cybersecurity has become a shared responsibility among all organizations that comprise a supply chain.

Solution:
ISN automates cybersecurity due diligence by providing a standardized, cost-effective process that allows security teams to focus less on supplier risk and more on their own internal security posture. The primary goal in defending against supply chain attacks is to ensure that suppliers do not become new attack vectors*. Organizations should adhere to an acceptable level of cyber hygiene* to reduce the likelihood of spreading threats to interconnected systems. The following are examples of measures an organization can take to develop and implement an effective cybersecurity supply chain risk management program:

  • Create roles and responsibilities that ensure appropriate stakeholders are involved in supply chain risk management decision making. This includes outlining who has the required authority to take action, who is accountable for an action or result, and who should be consulted.
  • Ensure that adequate resources are allocated to cybersecurity to ensure proper implementation of related controls.
  • Standardize a tiered, third-party risk management program across all supply chain participants that pose a cybersecurity risk to your organization. This can be done by establishing a baseline of cybersecurity due diligence, then increasing that level of review as suppliers become higher risk. Common first steps in this process are collecting Cybersecurity Questionnaire responses, requiring Cyber Liability Insurance Review and reviewing a supplier’s cybersecurity risk rating from a provider like SecurityScorecard.
  • Develop an incident management program to identify, respond to and mitigate cybersecurity incidents, as well as collect Cyber Breach Reports for post-incident review.
  • Establish consistent, well-documented and repeatable processes for determining data impact levels if your organization were to experience a breach of security.
  • Build consistent, well-documented and repeatable processes for system engineering that meet an approved baseline of cybersecurity posture.
  • Establish internal checks and balances to ensure cybersecurity compliance and assess the quality of your suppliers by collecting Evaluation Reports during or post-job.
  • Perform a vulnerability analysis on your suppliers and conduct a Documentation Review that proves their cybersecurity posture. Initiate a Written Policy Review to see how well they comply with standards from organizations like the National Institute of Standards and Technology (NIST) and interview employees within the organization with ISN’s RAVS Plus process to ensure employees have been properly trained on cybersecurity best practices.
  • Implement a tested and repeatable contingency plan that integrates cybersecurity supply chain risk considerations.
  • Enforce a security awareness training (SAT) program by requiring suppliers to complete Cybersecurity Awareness Training before arriving on-site.

ISN maintains a comprehensive suite of cybersecurity tools designed to help organizations mitigate supply chain cybersecurity risk; these are the capitalized tool names above.

Need more information?

It can be difficult to know where to start in this data collection, but ISN, a leader in supplier management, can assist.

ISN’s global supplier management platform, ISNetworld, supports an extensive network of nearly 700 Hiring Clients that leverage the platform’s tools and data to capture and review cybersecurity, HSE and sustainability information on more than 75,000 suppliers.

If you are a current ISN Hiring Client subscriber, contact your account representative about incorporating cybersecurity tools into your supplier information management program.

If you are interested in learning more about ISN’s supplier management system to help you reach your cybersecurity goals, contact ISN to request a demo of ISNetworld.

Definitions*:

- Lateral movement: Once a bad actor gains initial access to a network, they utilize techniques commonly referred to as lateral movement to move deeper into a network until they reach their end goal.

- Confidentiality, Integrity and Availability: Also known as the CIA triad, confidentiality, integrity and availability are the goals for cybersecurity systems.

  • Confidentiality: Ensuring that data is kept secret and disclosed only when intended.
  • Integrity: Ensuring that data hasn't been tampered with and is only altered when intended.
  • Availability: Ensuring that data can be used when intended and hasn't been made inaccessible.

- Attack vectors: Techniques that a bad actor can utilize to penetrate or access a designated target.

- Cyber hygiene: Actions that can be taken to maintain or improve the cybersecurity health of information technology assets, data, networks and people.