We all understand that securing our estates is a very important task, that requires board level engagement and awareness from all people in the organisation. We also accept that mistakes happen, people are our weakest link and that it is how you respond to a cyber security event that will be the yardstick by what we are measured. But do we ever consider the risks we face in our supply chain?
Every organisation has suppliers, of all shapes and sizes. But do we consider the risks of using suppliers when we look at our cyber security stance. Perhaps you have a full business process outsource, perhaps you have a supplier that provides software updates. Both of those suppliers are a risk and should be considered. Let’s look at some important supply chain attacks to understand why we must work with our suppliers to better protect our estate. A large business process outsourcer based offshore was recently in the news for finding its estate had been compromised for “a few months” before the signs were seen. The attackers were able to traverse the suppliers estate to attack the customers of that outsourcer. Additionally we have seen direct attacks on software updates, meaning that will little to no effort, a back door has been placed into multitudes of machines.
With these facts in our minds, we are forced to consider that maybe our suppliers are the easiest way into our estate. Perhaps they are easier targets and, especially in the case of managed service providers, offer a much larger reward than access to one single estate.
One of the biggest questions I am often asked is where do I stop? We all have so many suppliers that performing audits and checks on each one would be a logistical nightmare requiring a large team and an even larger budget. Those resources are more often aligned at defence of one’s own estate. My advice to people who ask this question is to start a journey, it is not a one off tick box exercise but an ongoing practice. If you start with your critical suppliers, or perhaps your suppliers that maintain a logical connection to your estate you will find that you start to address the issue sof supply chain security, and your suppliers, by working with you, will be able to offer you far greater reassurance that they won’t be the reason for a breach.
In my role, as the information security officer for a very large oil refinery, the estate I work to protect is covered by NIS regulations as we are considered an “Operator of Essential Services” and therefore must show our cyber defences according to a framework published by the NCSC called the Cyber Assessment Framework or CAF. The CAF offers a framework that is outcome focussed and covers all areas of a mature and robust cyber defence system. It is freely available to everyone, and in my opinion is a priceless tool to drive cyber security across an estate.
By following the CAF and going that stage further of asking your suppliers to adopt it, providing the output to yourself, you will be in a very strong position to make clear informed choices on where your gaps are, what suppliers should be focussing on and how you can work in partnership with your supply estate to ensure a good level of cyber security.
