No Bullsh*t Approach To Simplifying Cyber Supply Chain Risk
tl;dr: Pick high-quality suppliers but don’t blindly trust them. Assume your supply chain will be directly or indirectly compromised. It’s about resilient processes and it's not about trying to prevent the inevitable.
Organisations are increasingly dependent on 3rd party suppliers to provide mission-critical services. You are a unique member of the most complicated ecosystem of business services to have ever existed!
In 2022, supply chain cyber attacks in the United States impacted 1,743 organisations, an increase of 235% year-over-year since 2017 [1].
We’ve seen suppliers become a lucrative target for cybercriminals. Why? Because these suppliers have access to multiple customers’ data and can be leveraged to gain access to those other organisations. From an attacker’s perspective, service providers give a great return on their hacking investment.
It’s a problem we need to take seriously, but I’ve seen a lot of organisations overcomplicate the topic of cyber assurance for supply-chain risk.
To the point that:
- it costs astronomical amounts of money
- we appear to be trying to control the uncontrollable by asking endless questions
- it has become a security theatre activity providing pseudo-comfort
- it provides very little real-world bang for the buck
So are 3rd party assessments bullsh*t?
The answer is “yes” and “no”.
It’s difficult to benchmark a wide range of vendors in an effective way and achieve a high level of accuracy.
The time invested vs. the value derived quickly reaches a saturation point and the diminishing returns curve kicks in.
We need to be pragmatic about what questions will illuminate risk, focus on the most critical supplier relationships and quickly form a defendable decision.
There are 3 common approaches when assessing suppliers:
- Certificates: ISO 27001 and other certificates are a great way of demonstrating compliance. However, we all know the presence of controls does not mean effective controls. But, it does demonstrate they have given thought to taking cyber risk seriously.
- Questionnaires: Suppliers wishing to sell you services might be overly optimistic about their security posture when providing feedback, to the point where responses are not an accurate reflection of the risk. But, it does mean the vendor is participating in active dialogue and the answers can form part of a legal protection level agreement [2].
- Scorecards: Vendors will try and sell you magic scorecards that benchmark 3rd parties. However, these solutions don’t have the depth of data to be any more than a litmus test. But, they occasionally return actionable data and it is a quickly maturing field of service offerings.
All 3 of these activities provide an element of value, but should not be process-heavy, embellished or overly relied upon.
Instead, treat them as the foundation needed to develop a defendable decision on whether the supplier meets your organisation’s high-quality requirements.
However, the achievement of this high-quality requirement does not mean the supplier is immune to cybercrime. Mimecast, SolarWinds and Atlassian would have passed all 3 of these assessments and still:
- Hackers were able to compromise the security certificate that authenticated the Mimecast service on Microsoft 365 Exchange Web Services.
- Attackers injected a backdoor into a software update of SolarWinds.
- Security researchers discovered that Atlassian applications were vulnerable to abuse of single sign-on.
The truth is, to positively move the needle on supply chain risk you need to select high-quality vendors and develop your own resiliency against them being breached.
Pragmatic assessments and process resilience
It always starts with the basics.
Develop an inventory of who your suppliers are, what they do and whether they meet your organisation’s high-quality bar.
Does the supplier:
- support the organisation’s mission-critical services?
- meet the organisation’s high-quality bar?
Your resources are not infinite and all applied effort must be risk-weighted.
The inventory will allow you to focus efforts on the suppliers supporting mission-critical services and quickly filter those not meeting your organisation’s high-quality bar.
Suppliers failing the high-quality bar should be encouraged to raise their game or the organisation will be forced to seek a new supplier. A supplier who takes security seriously is less affected and less likely to be breached.
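As an added example (not from the original post), a minimal Python inventory triage that applies the two questions above, ranks suppliers risk-weighted so effort goes to mission-critical suppliers first, and maps each supplier's exposure to the control themes needed; the supplier records and control theme names are constructed for illustration.

```python
# Added example: supplier inventory triage following the post's decision logic.
# Supplier records and control theme names are constructed, not real data.
from dataclasses import dataclass


@dataclass
class Supplier:
    name: str
    mission_critical: bool          # does it support a mission-critical service?
    meets_quality_bar: bool         # do certs / questionnaire / scorecard pass your bar?
    holds_sensitive_data: bool = False
    provides_software: bool = False
    has_remote_access: bool = False


# Control themes per exposure type, condensed from the post's proactive lists.
CONTROL_THEMES = {
    "holds_sensitive_data": ["data fields and purpose documented",
                             "retention limited to agreed function",
                             "storage location and protection validated"],
    "provides_software": ["accept only verified products from approved suppliers",
                          "least-privilege access (zero trust)",
                          "defence in depth with detection",
                          "signature verification on delivery"],
    "has_remote_access": ["access scoped to required resources and time window",
                          "central control, two factors, one organisation-owned",
                          "actions monitored and verified"],
}


def triage(supplier: Supplier) -> tuple[int, str]:
    """Priority 1 is most urgent: mission-critical suppliers failing the bar."""
    if not supplier.mission_critical:
        return (3, "deprioritise: does not support a mission-critical service")
    if not supplier.meets_quality_bar:
        return (1, "raise their game or seek a new supplier")
    return (2, "focus resilience controls to limit blast radius")


def required_controls(supplier: Supplier) -> list[str]:
    """Union of control themes for every exposure type the supplier has."""
    return [theme for attr, themes in CONTROL_THEMES.items()
            if getattr(supplier, attr) for theme in themes]


def rank_inventory(suppliers: list[Supplier]) -> list[Supplier]:
    """Risk-weighted order: triage priority, then breadth of exposure."""
    return sorted(suppliers, key=lambda s: (triage(s)[0],
                                            -len(required_controls(s)), s.name))
```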
In terms of results-focused questionnaires, I like Gartner’s approach to Protection Level Agreements (PLA) [2]. They’re a more pragmatic alternative to the hundreds of questions currently being asked in supplier questionnaires (aspirational I know, but I still like it).
Gartner’s 16 Metrics [2]
Plus, the PLA can also become an enforceable part of the legal agreement between parties.
Then we can ask the questions which help us shape our resilience posture by embedding preventative and reactive controls/responses.
The purpose of these controls/responses is to ensure if a supplier is breached, the impact on your organisation has the smallest possible blast radius, and the time in which you’re able to respond is reduced to the shortest possible timeframe.
If the supplier holds sensitive information…
Proactive controls:
- Your organisation must clearly understand the data fields being given to the supplier and business purpose.
- The supplier must only hold the data for the period required to fulfil the agreed function.
- Understand where the data is being held and how the data is being protected. Validate this if possible.
- Seek assurance in independent certifications (e.g. ISO 27001) and PLAs.
- Ensure that a legal framework is agreed upon to enforce good practices.
Reactive controls/responses:
- Monitor/communicate with suppliers to understand if a breach has occurred.
- Understand what data, how much data, and how the data was affected in a breach.
- Consider internal incident management processes for handling.
- Consider internal legal assistance in communicating with the supplier.
- Consider internal comms and press office involvement for clarity in any announcements.
- Consider your legal reporting obligations to bodies such as the ICO.
If the supplier provides software products or services…
Proactive controls:
- Only accept verified products or services from approved suppliers.
- Do not blindly trust the product or service. Only give the access required to perform the given function. Think Zero-Trust for both products and people.
- Your organisation’s environment must operate a defence-in-depth approach with layers of controls and detection capabilities.
- Seek assurance in independent certifications (e.g. ISO 27001) and PLAs.
- Ensure that a legal framework is agreed upon to enforce good practices.
Reactive controls/responses:
- Monitor/communicate with suppliers to understand if a breach has occurred.
- Verify the signatures and vetting of products and services that come from an approved supplier.
- Monitor your environment and staff. Your organisation must be able to use its attack detection and response (SOC) capabilities to detect the actions of Trojan software or malicious insiders.
- Consider how your business processes could function in the absence of the service or product.
- Consider internal incident management processes for handling.
- Consider internal legal assistance in communicating with the supplier.
- Consider internal comms and press office involvement for clarity in any announcements.
- Consider your legal reporting obligations.
If the supplier has remote access to my systems…
Proactive controls:
- Ensure remote access is only granted to the required resources for the time period required.
- Access is centrally controlled and requires a minimum of two factors to authenticate. You should exclusively control one of those factors, if possible.
- Actions are monitored and verified by your organisation.
- Seek assurance in independent certifications (e.g. ISO 27001) and PLAs.
- Ensure that a legal framework is agreed upon to enforce good practices.
Reactive controls/responses:
- Monitor/communicate with suppliers to understand if a breach has occurred.
- Remove remote vendor access.
- Understand which of your organisation’s resources have been accessed since the supplier was breached.
- Consider how your business processes could function in the absence of the service or product.
- Consider internal incident management processes for handling.
- Consider internal legal assistance in communicating with the supplier.
- Consider internal comms and press office involvement for clarity in any announcements.
- Consider your legal reporting obligations.
These control and response steps reduce both the blast radius and your response time to a supplier breach!
It’s not about measuring and controlling everything. It’s about knowing which supplier relationships could affect processes you care about, reducing the likelihood, and ensuring you can react proportionally to maintain business continuity.
References:
[2] https://www.gartner.com/en/cybersecurity/research/cybersecurity-business-value-benchmark