Supply chain security gap: Why third-party vendors could be your weakest link

We recently asked one of our experts about a common cybersecurity myth they often come across. Their answer? Businesses think if they have good cyber security, they’re completely safe.

The reality? A cyber attack on any of your vendors or suppliers can also put your data at risk.

Supply chain security is probably one of the most overlooked aspects in many organisations. That’s surprising because recent research said 60% of companies reported a third-party breach between 2023 and 2024.

Cybercriminals don’t always target your company directly. They’ll go after those with more gaps in their cybersecurity posture and access your systems through them.

That’s why ensuring you partner with someone who follows good cybersecurity practices is key.

However, given the number of vendors and software partners we work with, it can be extremely hard to manage supply chain risk. But you can have a few processes in place to ensure the basics are covered.

Given that, let’s look at supply chain security, how it can put you at risk, and what you can do to stay secure.

The risks are real

We don’t have to dig too deep to see how third-party risk impacts businesses. There are quite a few recent examples.

Take the massive SolarWinds attack in 2019, for instance. The attackers gained access to SolarWinds, tampered with its code, and delivered malicious code through one of its products to over 18,000 customers, compromising even some US government agencies.

And then last year, the NHS faced significant disruption, with critical operations delayed and sensitive personal information leaked, caused by an attack on one of its supply chain partners, Synnovis.

Now, you can argue that some of these attacks are impossible for any organisation to detect and prevent. To detect malicious code pushed by SaaS software, you need to invest in malware analysis tools, which might be overkill for a mid-sized business.

However, some attacks can be prevented with basic due diligence.

Monitoring the supply chain can be hard because risks can be introduced and exploited at any point. While they can’t be eliminated entirely, you can implement controls that reduce the risk, just as you would for a risk within your own business.

You can take proactive measures to ensure you are not an easy target and that your suppliers follow security best practices.

Know your supplier’s security posture

The first step is to understand how good your supplier’s security posture is. According to the 2023 Security Breaches Survey, very few UK businesses set minimum security standards for their suppliers.

Most of the cyber security attacks we see regularly are easily preventable. While an example like the SolarWinds attack is an exception, many attacks can be prevented by adhering to basic cyber security guidelines and best practices.

Before onboarding anyone, check if they follow fundamental cyber security accreditations like Cyber Essentials Plus, for example.

  • Do they have any security controls or attestations in place, such as SOC 2 reports, ISO 27001 certification, or compliance with laws like GDPR?
  • What is their cyber insurance status?
  • What is their cyber risk management strategy?
  • Do they have a cyber-security response document?
  • Is the vendor performing any critical business services for you? What data do they need to access? How will they collect, use, store and delete data?
  • If the vendor is going to host your data, where is it going to reside? What about data privacy and sovereignty?

The above questions can act as a starter for 10 and give you a basic risk profile of the vendor. Security accreditations like Cyber Essentials Plus or ISO 27001 are not the ultimate protective measures but can act as filters. If a supplier doesn’t even meet these standards, then there’s a clear risk.

Now, if the supplier is not doing any critical activities or handling any sensitive or important data, then it may not be worth doing this activity for them.

If required, follow this up with more detailed assessments, such as a Data Protection Impact Assessment (DPIA), if they’re accessing critical data.

Also, it’s good to do a background check on the company to see if it has suffered a recent breach. Have they been fined for a compromise or for not adhering to any compliance guidelines? You’ll be surprised to know how common this is.

Build a framework based on this data — what’s the risk, the probability the risk will materialise, and what will the impact on your organisation be if that happens? Work with only those that meet a minimum requirement according to this framework.
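One way to turn the questionnaire above and the probability-times-impact framework into a repeatable onboarding check. This is an added illustration, not the author's or any product's code; the 1-to-5 scales, the baseline accreditation filter, the `max_score` threshold and the sample vendors are all constructed assumptions you would tune to your own risk appetite.

```python
from dataclasses import dataclass, field

# Accreditations treated as the minimum filter (assumed set; adjust to your policy)
BASELINE = {"Cyber Essentials Plus", "ISO 27001", "SOC 2"}

@dataclass
class Vendor:
    name: str
    critical_service: bool            # performs a critical business service for us
    sensitive_data: bool              # collects, uses or stores sensitive/personal data
    hosts_our_data: bool = False
    residency_ok: bool = True         # hosting location meets our sovereignty rules
    accreditations: set = field(default_factory=set)
    cyber_insurance: bool = False
    response_plan: bool = False       # has a cyber-security response document
    recent_breach_or_fine: bool = False

def impact(v: Vendor) -> int:
    """1..5: what it costs us if this vendor is compromised."""
    return 1 + (2 if v.critical_service else 0) + (2 if v.sensitive_data else 0)

def likelihood(v: Vendor) -> int:
    """1..5: starts high; each evidenced control lowers it, breach history raises it."""
    score = 5
    score -= 1 if v.accreditations & BASELINE else 0
    score -= 1 if v.response_plan else 0
    score -= 1 if v.cyber_insurance else 0
    score += 1 if v.recent_breach_or_fine else 0
    return max(1, min(5, score))

def assess(v: Vendor, max_score: int = 12) -> dict:
    """Scope check, baseline filter, then risk = impact x likelihood against a threshold."""
    result = {"vendor": v.name, "score": None, "actions": []}
    if not (v.critical_service or v.sensitive_data):
        return {**result, "decision": "out of scope"}          # not worth a full assessment
    if not (v.accreditations & BASELINE):
        return {**result, "decision": "reject: no baseline accreditation"}
    if v.hosts_our_data and not v.residency_ok:
        return {**result, "decision": "reject: data residency"}
    if v.sensitive_data:
        result["actions"].append("DPIA")                       # detailed follow-up assessment
    if v.recent_breach_or_fine:
        result["actions"].append("review breach history before signing")
    result["score"] = impact(v) * likelihood(v)
    result["decision"] = ("approve with actions" if result["score"] <= max_score
                          else "reject: risk above threshold")
    return result
```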

Your vendor was secure last year, but what about now?

As we said before, a supply chain risk can be introduced and exploited at any point. So, doing this activity once doesn’t mean risks won’t be introduced in the future.

If you have signed a contract with a supplier that says they’ll uphold certain security guidelines, audit their security posture regularly and on time to ensure they’re performing as agreed.

Many organisations track risks at onboarding but fail to follow up with assessments at later stages, and that is where problems creep in.

Perform a supplier audit at least annually to know how the nature of risks has changed.

When (not if) a cyber incident happens, will you be ready?

As we’ve already said, many of these events may be outside your control. So have a proactive threat monitoring solution in your environment to protect and respond in case of an event.

Invest in cybersecurity tools like EDR, XDR or SIEM to proactively monitor for threats and flag them so you can address them before they escalate. It is also important to have a small team of cybersecurity analysts (in-house or outsourced) who can jump on an incident, if it does happen, and triage it before it causes further damage.

If your services go down due to a third-party attack, how do you keep critical operations running? Do you have a formalised incident management process and contingency plan to fall back on? If not, create them as soon as possible.

Ultimately, you should work towards a ‘Zero Trust’ model, which will greatly decrease the chance of you falling prey to common attacks and limit how far any damage can spread.
