How to manage cyber risks across your supply chain

The growth of third-party apps and tools used to run supply chains introduces risks that businesses need to think about. Tim Rawlins, Senior Adviser and Security Director at NCC Group, explains.

Many businesses’ supply chains are complex and rely on third-party software suppliers, which deliver and maintain vital applications and data that connect deep into their networks and systems. The benefits include reduced costs, increased efficiencies and more effective operations, but they present some risk too, including the risk of data breaches.

A growing threat

Unfortunately, supply chain attacks were one of the top three areas of cyber attack to increase in the last six months, behind phishing, malware and attacks on operational technology. Cyber-security attacks on supply chains have increased by 51% in the past six months, according to NCC Group’s research. Having surveyed approximately 1,400 cyber-security decision-makers at large companies in 11 countries, including the UK, US, China, Germany and Singapore, we also found some other concerning results.

For instance, only 32% were “very confident” that they could respond quickly and effectively to a supply chain attack. And just 24% named third-party and supplier risk as a major cyber-security challenge for the next six to 12 months.

Many plan to invest in new third-party software, hardware and Software as a Service (SaaS) security products in 2022, which could further complicate their supply chains and increase vulnerability. So how can they reap the benefits of third-party supply chain tools, while mitigating the risks?

Five actions to prevent, detect and respond to supply chain attacks:

1. Awareness

Be aware of your critical assets, the suppliers that support them and the risks to the business if they were compromised. This allows you to better understand your supply chain risks by understanding the services and products that your suppliers provide you with, as well as the access they have to your environment and data assets.

2. Assurance

Having selected a supplier, first do some technical due diligence to ensure that they are committed to delivering a secure service, and then build assurance measures into any request for information (RFI) or request for proposal (RFP). Remember that this is not a one-off: you need to maintain adequate levels of assurance over time, which means that your suppliers continue to support your policy, processes and controls. You can adopt different assessment approaches that match the risk profile of each supplier, such as tailored security control questionnaires supported by evidence gathering and certification. If you don’t have the resources to manage such a programme, use an effective third party to monitor and assess the suppliers for you.

3. Isolation and segmentation

Only give suppliers as much access as they need, and challenge why they need as much as they will initially claim. Adopting the principle of ‘least privilege’ access controls may reduce the damage that a compromise of their systems will cause to yours. Segment your network with internal firewalls or other measures, thereby limiting the damage an intruder can cause.

4. Detection

Having a Security Operations Centre (SOC) to constantly monitor your networks and systems, including the suppliers’ performance and adherence to contractual obligations, is key to maintaining your resilience. For ongoing detection, regularly test your own and your suppliers’ software applications and networks using pen testing and vulnerability scanning. And apply integrity checks to new, updated or patched software to detect any changes to software code that could indicate a malicious attack.
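An added example (not from the article or NCC Group) of the integrity check described above: it hashes the files of an approved release, compares a supplier's update against that baseline, and flags any change the supplier's release notes did not declare. The file names, contents and release notes are constructed for the demo.

```python
import hashlib
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_from_files(files: dict[str, bytes]) -> dict[str, str]:
    """Relative path -> SHA-256 of content (in-memory form used by the demo)."""
    return {path: sha256_hex(content) for path, content in files.items()}


def manifest_from_dir(root: Path) -> dict[str, str]:
    """Same as above, but walks an unpacked release on disk."""
    return {p.relative_to(root).as_posix(): sha256_hex(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}


def review_update(baseline: dict, update: dict, declared: set[str]) -> dict:
    """Compare a new release against the approved baseline.

    `declared` is the set of files the supplier's release notes say changed.
    Any modified, added or removed file outside that set is reported as
    unexpected and should be queried with the supplier before deployment."""
    modified = {p for p in baseline if p in update and baseline[p] != update[p]}
    added = set(update) - set(baseline)
    removed = set(baseline) - set(update)
    changed = modified | added | removed
    return {
        "modified": sorted(modified),
        "added": sorted(added),
        "removed": sorted(removed),
        "unexpected": sorted(changed - declared),
        "ok": changed <= declared,
    }


# Constructed sample: approved v1.0 baseline and a v1.1 patch from the supplier
BASELINE_V1_0 = manifest_from_files({
    "bin/agent": b"agent-binary-v1.0",
    "lib/crypto.so": b"crypto-v1.0",
    "etc/agent.conf": b"log_level=info\n",
})
UPDATE_V1_1 = manifest_from_files({
    "bin/agent": b"agent-binary-v1.1",       # declared in release notes
    "lib/crypto.so": b"crypto-v1.0-altered",  # not declared: flagged
    "etc/agent.conf": b"log_level=info\n",
    "lib/helper.so": b"new-undeclared-lib",   # not declared: flagged
})
RELEASE_NOTES_V1_1 = {"bin/agent"}


def demo() -> dict:
    return review_update(BASELINE_V1_0, UPDATE_V1_1, RELEASE_NOTES_V1_1)
```

In practice the baseline manifest would be stored separately from the software it describes, so that a compromised update cannot also rewrite the record it is checked against.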

5. Respond

Integrate supplier management into your incident response and communication plans. Ensure that contracts stipulate that third parties report their cyber incidents, so that you are quickly aware of any potential impact on your systems, and test their reporting and support with tabletop exercises. Ensure these resiliency plans are fit for purpose and regularly tested with Software Escrow Verification, under which the supplier’s software is safely lodged in escrow with a third party in case they fail to deliver according to the contracts.

Bringing a cyber-security focus to the software and services supplied by third parties is an ongoing process that requires commitment well beyond the initial selection of a suitable partner. The effort, however, will let you rest assured that the critical third parties you rely on are working to ensure the security of your own network and systems.

For more information about supply chain fraud visit the NCC Group 

This article was written in collaboration with NCC Group Software Resilience, the world's largest Software Escrow provider. Visit their insight blog for actionable resources and helpful information.

Tim Rawlins, Senior Advisor and Security Director at NCC Group

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of NatWest Group, as of this date and are subject to change without notice. Copyright © NatWest Group. All rights reserved.
