Operational resilience | Risk Management & Reporting

September 4, 2023

Supply chain risk is an area of cyber security that demands the ongoing attention of every enterprise; because it can make the difference between being resilient or not. It’s no surprise that insurers warn that the vulnerability of supply chains is potentially a systemic risk that can quickly propagate across supply chain dominated industries. Organisations must consider their suppliers and the cyber security risks they pose. The UK’s Cyber Essentials scheme and the Australian Essential Eight framework both aim to enable organisations to improve the basic levels of cyber hygiene across supply chains. For organisations that are heavily dependent on 3rd party suppliers, logistics or retailers for example, the risk of introducing a debilitating external cyber security threat into their operations is an active problem.

As well as direct suppliers, it’s also important to consider the risks that the suppliers to those direct suppliers might bring. The Australian Cyber Security Centre (ACSC) suggests that systematic cyber supply chain risk management should comprise:

  • Identifying the cyber supply chain;
  • Understanding the related cyber risks;
  • Setting cyber security expectations;
  • Auditing for compliance; and
  • Monitoring for security improvement in cyber supply chain practices.

The intermediation of the finance sector and others, has driven greater efficiencies and reduced the cost of transactions, but with it has come greater 3rd party risk for supply chain participants. An issue that has not been lost on regulators who are increasingly mandating that institutions factor this into their wider operational resilience.

Part of a bigger picture

In commerce, organisations increasingly share data and create dependencies on one another for the secure carriage and care of that information. A cyber security axiom is digitalisation for greater business efficiency, and improved performance brings with it a greater reliance on trust between all parties. For confidence, that means a verification process.

The challenge to understanding and assessing 3rd party security risk is firstly to understand the range and reliability of the methods available. The difference between asking for attestation with some form of questionnaire, an assurance process and a systematic evidenced-based audit – automated or manual – may not be clear to some outside the security realm. Security assessments can all sound the same although, as we have discussed in earlier blogs, the quality of the information provided from a systematic quantitative assessment, complete with artefacts, outweighs that of a subjective questionnaire, when it comes to trust and reliability.

We’ve discussed supply chain risk previously, in past blogs here and here, as well as producing an e-guide for directors. In fact, there is a whole new consulting industry seeking to assess the cyber security resilience of suppliers. And it is the ability of those responsible for the resilience of an organisation to discern between the accuracy and reliability of the security information from 3rd party suppliers.

Mapping supply chains

The investigation process needs to be similarly rigorous and use the same principles as those used in the risk assessment of your own enterprise. What are the key shared assets at risk? Are there adequate mitigation strategies in place? Or, do they need to be better protected? And because the threat environment and/or the contracted services might change, these questions should be a theme of your recurring assessments. The diligence with which you manage the ongoing effectiveness of your own cyber controls should be replicated in your efforts to ensure your supply chain providers are equally committed.

Recognising the importance of supply chain cyber security, the UK’s National Cyber Security Centre (NCSC) recently published a guide on “Mapping your Supply Chain”. This is in addition to their previous guidance on how to manage and assess security in your supply chain which can be found here. Both documents reinforce the importance of effectively managing and securing your supply chain; and highlight the fact that without it, your defences are only as good as your weakest control.

The NCSC guidance describes a systematic methodology:

“Supply chain mapping (SCM) is the process of recording, storing and using information gathered from suppliers who are involved in a company’s supply chain”.

Suppliers may be the providers of inputs to products produced by the company or they might be the indirect services consumed by the company in their operations. Either way, the mapping process must start with information gathering about the IT assets that are shared, the priority of any information and the security controls in place to protect it.

This information may be available, in part, from existing supplier databases, contact lists or past procurement contracts. Reconciling this information is a good first step, before updating and extending it to include new information from known suppliers, priority next-level suppliers and those for which information is as yet unavailable. Knowing what information is shared or accessed and by whom, how data is transmitted and stored and what security arrangements exist are important details for your supply chain mapping activities.

Maintaining this sort of information on suppliers is the cornerstone of your ongoing monitoring and oversight efforts. Your access to this information, and regular updates, should be enshrined in the contracts with each and every key 3rd party supplier. The dates of audits, the validity of assessment results and even security questionnaires if they have been completed. Even the commercial and technical points of contact in a time of crisis, is helpful.

A supply chain risk management process

Having built a map of existing suppliers, consolidating the available information and completing the missing pieces, you should move to a more systematic and reliable approach to supply chain management.

Putting in place regular touch points and reviews of security controls (audits, remote assessments or otherwise), working with suppliers to manage risks – both technical and input dependencies can then follow – is all part of a successful supply chain management effort. It will frame your activities and quickly assist in the diagnosis of any emerging risks and their necessary mitigation. Defining incident management processes, modelling scenarios and agreeing notification timeframes and response plans is all part of this – but most of all, these risk management processes depend very much on you having a view your suppliers and the risks they present to your business activities, from the outset.

Summary

The steps to map supply chains are not particularly onerous, but they can be complicated by the number of suppliers, the nature of the different risks and dependencies they present and the inevitable information gaps. For that reason, mapping your supply chain needs to be a systematic and reliable process. As you can imagine, random questionnaires mailed out to suppliers by the purchasing department, seeking self-assessments of their cyber security resilience, falls well short of the rigour required in your operational resilience planning.

Clearly the information you hold on the security of your supply chain needs to be protected. This is as important as the security information you retain about your own resilience. The NCSC guidance specifically notes the interdependencies and sensitivity of this information; which in the wrong hands could incapacitate significant elements of your supply chain.

Finally, as with your internal cyber security management efforts, these systematic practices can be supported with reliable and evidence-based 3rd party risk assessment and actionable reporting;  with separate Huntsman SmartCheck reports, for example, quickly providing visibility of the key IT assets for each supplier and the state of the security controls that protect them.

Top 10 Questions about Supply Chain Cyber Risk for Executives & Directors

BLOG POSTS

Related Cybersecurity Content

SIGN UP TO RECEIVE CYBER SECURITY INSIGHTS

Read by directors, executives, and security professionals globally, operating in the most complex of security environments.