How to protect your business in a hyperconnected world.

The digital ecosystem has transformed in recent years, intricately connecting businesses with their suppliers and consumers in ways we couldn’t have imagined a few decades ago. This interconnection brings many benefits, from streamlined operations to enhanced service delivery. However, it can also introduce vulnerabilities, with the number of documented supply chain attacks increasing 633% between 2021 and 2022[1]. Now, businesses not only need to protect their own environments, but they must also be vigilant about understanding their partners’ security postures as well…

An expanding attack surface

Every point in the supply chain has its own set of vendors handling various products and solutions, creating a vast attack surface. This makes supply chain attacks attractive to threat actors because they can often extort hundreds of businesses by compromising only one environment — taking the ‘path of least resistance’. And because organisations don’t have direct control over their suppliers, protecting against this form of threat can be a significant challenge.

If a supply chain attack is successful, the consequences can be catastrophic, as seen in a number of high-profile cases including SolarWinds, Kaseya VSA and, most recently, MOVEit.

Mitigating supply chain risk

As a result of this growing threat, many government and certification bodies including the National Institute of Standards and Technology (NIST), the National Cyber Security Centre (NCSC) and the International Organization for Standardization (ISO) have produced guidance and recommendations for supply chain risk management. Conducting cyber due diligence on a new supplier is an imperative step in this process, ensuring the supplier’s cyber practices don’t introduce vulnerabilities into an organisation’s own operations.

This begins by assessing the supplier’s cyber security posture, examining its information security policies, incident response plans and any prior breaches. It’s essential to understand the controls it has in place in terms of both technology (eg, firewalls, intrusion detection systems and encryption protocols) and procedure (eg, employee awareness training and access controls).

Requesting third-party audits or certifications such as ISO 27001 or SOC 2 reports can provide an objective view of security maturity. Additionally, ensuring the supplier has a clear data management policy, especially if it handles sensitive or personal data, is crucial. And due to the dynamic nature of cyber security, continuous monitoring and periodic reassessments are vital — because a once-secure supplier can become vulnerable if it doesn’t adapt to evolving threats.

Managing residual risk

Of course, it’s important to remember that your organisation forms part of a supply chain to its own customers too, so managing your own cyber hygiene is also a key business priority. In many industries, being able to demonstrate this is now a prerequisite to trade. For example, an architecture firm may need to have Cyber Essentials Plus to work with a government body, or a motor dealership may need to meet certain requirements to work with a specific manufacturer.

To effectively minimise cyber risk, a multifaceted approach is required. Firstly, implementing cyber security measures in alignment with proven frameworks or standards such as the NIST Cybersecurity Framework or ISO 27001 can provide structured methodologies for addressing and managing cyber threats. Regular employee awareness training on best practices such as recognising phishing attempts and the importance of good password hygiene is crucial, as human error is often a significant vulnerability.

Additionally, businesses should invest in advanced threat detection software, maintain up-to-date software patches and carry out periodic vulnerability assessments and penetration tests. However, despite all this, recent, well-documented examples such as sophisticated AiTM phishing campaigns[2] demonstrate that bad actors are becoming more creative, and a breach should now be considered a matter of when, not if.

Ultimately, there’s no real substitute for 24/7 monitoring and interrogation such as Managed Extended Detection and Response (MXDR). This is designed to proactively and efficiently identify a compromise and swiftly neutralise the impact long before an attacker achieves their goal. Without this, threat actors can potentially remain undetected in a system for months, having access to critical data for the duration.

Navigating the supply chain

Fundamentally, an organisation should only collaborate with partners whose security stance is as robust or stronger than its own — while not forgetting the importance of its own cyber hygiene. At Bistech, we take a tailored, defence-in-depth approach to help your business stay ahead of the curve. To discuss your security needs, call our specialist team today on 03330 11 22 55.

[1] Sonatype 2023, ‘State of the Software Supply Chain’

[2] Microsoft 2022, ‘From cookie theft to BEC’