Supply chain risk management follows the classic process of identification, assessment and mitigation. However, we often see businesses assume that risk can be offloaded onto suppliers and then no longer needs to be mitigated. It is worth remembering that risk cannot be “transferred” to a supplier; it is shared by supplier and customer, and the operational impact of a supplier’s breach still lands on the customer.
As long as the supplier has passed a competency assessment and the contract assigns unlimited liability to the supplier, the business thinks it can switch its focus to internal risks. As the world saw in the last year, this is not the case.
What is the problem?
There have been plenty of successful attacks on commercial and governmental targets initiated through the supply chain. SolarWinds was a very high-profile incident that shows what the real fallout of this risk can be, and it led to CISOs around the world being inundated with cold calls from sales reps offering to protect them from the same thing happening to their business. Procurement processes tend to focus on minimising business risk. They rarely focus on suppliers’ cybersecurity measures and are often limited to box-ticking exercises. Additionally, internal risk and cyber security personnel are usually not involved in the contractual process. Most companies use financial staff to onboard new suppliers and assess their risk, without those staff necessarily having the knowledge or tools to make an informed decision.
It is common in the agile commercial world for clients to give suppliers access to their IT systems to speed up fulfilment and provide real-time commodity tracking. Often, companies have no idea who is connected to their systems at any one time or what they are doing. In risk assessments and as part of our consultancy, we’ve witnessed suppliers turn up to a client’s site and plug unapproved and untrusted IT equipment into the client’s networks. Even worse, there is often no segregation between the suppliers’ systems and the rest of the client’s network, so a compromised supplier device has the same reach as any internal host.
So what happens in practice?
There is a view among clients that if a supplier has passed the financial checks used to minimise business risk and has completed a questionnaire on their security practices, they can stay on the trusted and approved supplier list indefinitely. Even when thoroughly completed, a questionnaire only provides self-evidence of security practice at the time of completion and gives no real assurance of the supplier’s current or future security posture. In our experience there is often no check that the questionnaire was completed truthfully, nor any periodic monitoring to look for changes.
Supplier contracts often include a clause allowing the client to audit the supplier. Again, in our experience such audits are in reality only carried out in the rare circumstances of a post-incident investigation. Audits should be considered part of the supply chain risk management toolkit, used regularly and treated as a business-as-usual task.
We have seen that, particularly in larger commercial organisations, verification of supplier claims is often ineffective. Elaborate self-assessment questionnaires become a box-ticking exercise, seen as a burdensome overhead to the procurement process.
A lot of the problem comes down to how the questions are asked. Rather than asking whether penetration testing is performed annually, ask for evidence that it has been: the report, its scope and the record of remediation. A tick in a box against annual testing does not show that the testing was adequate, that any vulnerabilities found were resolved, or that the scope even included all the relevant parts of the supplier’s systems.
Give me the key message
Formal processes, tailored to each company, should be established to check a potential supplier as part of the procurement process. Once on the approved list, suppliers should be monitored and audited regularly to check that their security posture has not weakened. Ideally, they should be continually improving, reacting to changes in the threat landscape and reducing business risk. This is best achieved through close, collaborative and open partnerships between vendor and client security teams, so that information is shared and improvement opportunities are acted on proactively.
There is no way around the effort involved. Tooling and standards are being developed to reduce vendor fatigue and automate supplier evaluation; however, because vendors publish their security information in non-standard ways, this can be hindered and the results still need to be verified by an experienced professional.
The key takeaway is that supply chain risk management needs to be treated as a fundamental part of your security team’s activities and reviewed regularly. The recent incidents resulting from poor third-party risk management, and the ever-closer integration of third-party and internal networks, show that third-party risk is an established and growing part of the cyber security landscape.
Want to know more?
Get in touch! Tell us your priorities and we’ll recommend the right mix of services.