SME Supply chain risk management: 4 steps to embrace
The SolarWinds supply chain cyberattack last year, thought to be carried out by Russian nation-state threat actors, made the headlines after it impacted U.S. Government departments. A total of 18,000 SolarWinds customers were targeted, and according to Microsoft’s U.S. Senate testimony, 80% of those were not government organizations. Whether going back to the 2013 heating and ventilation supplier compromise that pivoted to attack retailer Target, or most recently the Accellion enterprise content firewall compromise that impacted cloud security company Qualys, you generally only hear about supply chain attacks when big business is involved.
The truth, of course, is that SMBs are just as at risk as anyone else; at risk of operational disruption, reputational damage and regulatory compliance fines. If you’ve been paying attention, now is the time to start taking supply chain risk management seriously. With these attacks coming in myriad guises, from Trojanized software updates to third-party network compromises, the SMB attack surface has never been as broad as it is now. Which means the risks have never been higher. Doing nothing is not an option, not just in regulated industries but for any business that truly takes security seriously rather than that just being the post data breach PR mantra.
Of course, the very nature of supply chain risk is not straightforward to mitigate successfully. Understanding the cyber risks attached to not only the relationship you have with your suppliers, but that they have with theirs, is a big ask. A big ask, but one that must be undertaken in order to ensure the most resilient of security postures as far as supply chain attacks are concerned. Luckily, it doesn’t have to be an insurmountable one. The key to success sits with how you approach the problem: here are four important steps you need to embrace.
- Acknowledge the threat exists
Unfortunately, the mentality of we won’t get compromised tends to be pretty strong amongst many smaller enterprises. Sure, you may not be as profitable a target as the biggest organizations, but your data is still valuable. You may not be the primary target, but you could be collateral damage. You may not think of supply chain threats and ransomware in the same breath, but what if the latter leveraged the former? Could your business cope with a successful ransomware attack that includes data exfiltration, how much would that cost, for example. The potential exploit landscape within the supply chain is huge, and gets bigger the more links there are. Don’t underestimate the threat, own it.
- Know what needs protecting, and why
OK, so you acknowledge you might be at risk from a supply chain, now you need to properly understand which assets need protection and why. Think in terms of the networks, software and processes that could be accessed and the data that they connect to. Ensure that you have proper asset inventory systems in place, and keep these updated, so you know what needs protecting as part of your overall security posture. This can then be expanded downstream to include identifying the risk to your customers and upstream to your suppliers. Asset visibility is key, understand this and you’ve started your journey towards better risk management. You might not be able to control everything upstream, but knowing the risks allows you to exert better control where you can.
- Communication is key to building trust and mitigating risk
Talking to your suppliers about their security posture, and that of their suppliers, should be baked into any pre-contractual due diligence. You will never, realistically, be able to mitigate every risk as the number of third-parties increases exponentially along this road, but ensuring your suppliers know the security responsibilities you require contractually, and that those are passed on to their sub-contractors, is a good starting point. You can’t expect every supplier to always have the same level of security maturity as yourselves, but as long as your demands are reasonable, in security best practice terms, justifiable and, most importantly, deliverable, there should be no problem. The aforementioned up-to-date asset inventory, and identification of who touches what and where, makes tailoring your requirements to be proportionate to each supplier that much easier. Demanding unreasonable requirements of a supplier is a sure-fire way to devalue the bi-directional trust that’s at the heart of successful supply chain risk management.
- Monitor, improve and don’t forget you are also a link in this chain
Supply chain cyberattacks are just one area on your threat map, but shouldn’t be treated like an island. Keep on top of your risk monitoring beyond establishing your management framework; automated threat intelligence tools will help the smaller enterprise to spot risk indicators and act accordingly. And talking of islands, supply chain risk management itself should always be seen as part of an overall security strategy and all shareholders encouraged to contribute. This evolving and continuous process will help your business improve its security posture. Just don’t forget that supply chain risk management cannot be your primary focus, that needs to remain on getting the security basics right. You are also a link in the risk chain. Leaving vulnerabilities unpatched and a lack of proper cybersecurity awareness training will likely be a more common point of entry in any SME data breach. Get the basics right and mitigating the supply chain cyber risk will be a whole heap of beans easier and more effective for good measure.
Of course, putting all of this into action this may well sound somewhat daunting to the smaller business which doesn’t necessarily have the resources in place to throw at the problem. Employees with the necessary cybersecurity skillsets are in high demand and don’t come cheap. Nor, for that matter, do the technical resources in terms of infrastructure; and that’s all without taking the most precious resource time, into account. Luckily, IT budgets don’t have to be stretched to breaking point to address the supply chain cyber risk, although the answer appears a little counter-intuitive: get another third-party to handle it. Outsourcing to a specialist that has already made the necessary investments previously mentioned will cost a lot less, and reduce your exposure to risk, than taking a do it yourself approach if both finances and experience are in short supply.
ITEGRITI Guest Author: Davey Winder is a freelance technology journalist and a senior contributor to Forbes, as well as being contributing editor at PC Pro magazine since the first issue back in 1994. Davey was named ‘Cyber Writer’ of the year in the 2020 Security Serious Unsung Heroes awards.
This SMB Guide is part of a series to assist small and medium-sized businesses with their cybersecurity needs. You can read others in the series here:
- Cybersecurity Guide: The Role of a CISO
- Cybersecurity Guide: Security Awareness & Training
- Cybersecurity Guide: Asset Inventory
- Cybersecurity Guide: Asset Baselines, Hardening and Change Management
- Cybersecurity Guide: Vulnerability Management
- Cybersecurity Guide: Access & Account Management
- Cybersecurity Guide: Supply Chain Management/Third Party Vendors
- Cybersecurity Guide: Incident Management & Review
- Cybersecurity Guide: Information Management & Protection
- Cybersecurity Guide: Boundary Defense, Electronic & Physical Security