Adam Gleeson, Vendor Alliance Manager at Chess, has a passion for IT and cyber security. With over 15 years of experience in the industry, Adam's resume boasts a wealth of knowledge around keeping businesses cyber secure.
Only 13% of businesses review the risks posed by their immediate suppliers. Adam Gleeson, Vendor Alliance Manager at Chess, outlines the risks that organisations face from their supply chain and how to mitigate them. He covers:
- Understanding the importance of securing your supply chain
- What is supply chain security?
- Implementing supply chain security
Many organisations don't pay much attention to their supply chain. When we hear "supply chain," we often think of intricate systems moving things between warehouses. In the past, this wasn't far from the truth.
However, in today's digital business world, the supply chain has changed. The paper trail we used to associate with it is now digital. But what does that mean? For office workers, the supply chain might seem limited to companies providing office supplies or fixing printers, without directly accessing a company's systems. So, how does this relate to cybersecurity?
Understanding Why Supply Chain Security is Important
Google defines a supplier as "a person or organisation that provides something needed, like a product or service." If we think about any organisation we deal with digitally, for example for invoices, software orders, or payroll, we start to see the need for cybersecurity.
Imagine if a supplier you rely on gets compromised by a hacker or scammer. Without your knowledge, they could turn from a trusted partner into someone looking to exploit your organisation for financial gain. How can you protect yourself from that?
When we think about organisations providing managed IT services, who might have direct control over our systems, we realise there might be no practical defence. Attackers could be inside your systems before you even know it, with high privileges to rampage across your environment doing whatever they like.
SolarWinds Attack
The danger is very real, and there have been multiple instances of Supply Chain Attacks. One notable incident occurred on December 13th, 2020, when attackers exploited a vulnerability in the SolarWinds RMM platform used for managing computers and servers. These attackers infiltrated the software staging areas and replaced legitimate SolarWinds software with a version containing a secret backdoor. Once this "Trojan Horse" version was installed on new systems, the attackers gained direct access. This caused significant damage to SolarWinds and affected over 250 organisations and their customers, leading to ransomware attacks, data breaches, and ransom demands.
This incident underscores why Supply Chain Security is essential in a Cyber Security strategy today. We must consider not only external threats but also hidden dangers from within or "behind" our IT support structures.
However, extreme cases like the SolarWinds attack are not the only types of Supply Chain threats SME businesses might face. Watering hole attacks, for example, are more common. They rely on compromising a service used by many, replacing legitimate software with something that lets attackers directly access infected computers.
What does Supply Chain Security mean?
Firstly, it means paying attention to whether our suppliers operate securely and avoid becoming easy targets, and understanding the risks they pose.
The level of supplier risk depends on how much they interact with your organisation digitally, the trust needed between organisations, and the data they hold or access. To minimise risks, you may need to consider ways to limit the damage if a supplier is compromised.
Benefits of strong supply chain processes include:
- reducing the risk of cyberattacks
- clarifying cybersecurity responsibilities
- managing and understanding supplier-related risks
- building better supplier relationships
- demonstrating good supply chain security for potential customers
How do you implement Supply Chain Security?
Start by ensuring you don't duplicate the risk assessments you already perform with suppliers, such as financial checks. Assuming a supplier passes financially, you need to assess their cybersecurity attitude and measures. Typically, this involves a questionnaire to gather information about their cybersecurity practices.
While each organisation is unique, essential aspects to consider include perimeter security, anti-malware measures, data security, control over devices used by remote workers, email security, cybersecurity education for users, and managing software vulnerabilities. You should also ensure these measures are kept up to date.
When dealing with multiple suppliers and deep integrations, trust is crucial. It must be earned through demonstrated competency in cybersecurity.
Additionally, consider worst-case scenarios and protect your systems and data by limiting access and requiring supervision when necessary. This can be challenging, especially when suppliers need autonomous access to prevent issues from affecting your business.
There's no easy solution, but considering the example of SolarWinds, monitoring, detection, and response can mitigate Supply Chain risks. Having a third-party monitor can help intercept unauthorised activity before it becomes a major problem.