
Only 13% of businesses review the risks posed by their immediate suppliers. Adam Gleeson, Vendor Alliance Manager at Chess, outlines the risks that organisations face from their supply chain and how to mitigate them. He covers:

Many organisations don't pay much attention to their supply chain. When we hear "supply chain," we often think of intricate systems moving things between warehouses. In the past, this wasn't far from the truth.

However, in today's digital business world, the supply chain has changed. The paper trail we used to associate with it is now digital. But what does that mean? For office workers, the supply chain might seem limited to companies providing office supplies or fixing printers, without directly accessing a company's systems. So, how does this relate to cybersecurity?

Understanding Why Supply Chain Security is Important

Google defines a supplier as "a person or organisation that provides something needed, like a product or service." If we think about any organisation we deal with digitally, like for invoices, software orders, or payroll, we start to see the need for cybersecurity.

Imagine if a supplier you rely on gets compromised by a hacker or scammer. Without your knowledge, they could turn from a trusted partner into someone looking to exploit your organisation for financial gain. How can you protect yourself from that?

When we think about organisations providing managed IT services, who might have direct control over our systems, we realise there might be no practical defence. Attackers could be inside your systems before you even know it, with high privileges to rampage across your environment doing whatever they like.

SolarWinds Attack

The danger is very real, and there have been multiple instances of Supply Chain Attacks. One notable incident occurred on December 13th, 2020, when attackers exploited a vulnerability in the SolarWinds RMM platform used for managing computers and servers. These attackers infiltrated the software staging areas and replaced legitimate SolarWinds software with a version containing a secret backdoor. Once this "Trojan Horse" version was installed on new systems, the attackers gained direct access. This caused significant damage to SolarWinds and affected over 250 organisations and their customers, leading to ransomware attacks, data breaches, and ransom demands.

This incident underscores why Supply Chain Security is essential in a Cyber Security strategy today. We must consider not only external threats but also hidden dangers from within or "behind" our IT support structures.

However, extreme cases like the SolarWinds attack are not the only types of Supply Chain threats SME businesses might face. Watering hole attacks, for example, are more common. They rely on compromising a service used by many, replacing legitimate software with something that lets attackers directly access infected computers.


What does Supply Chain Security mean?

Firstly, it means paying attention to whether our suppliers operate securely and avoid becoming easy targets, and understanding the risks they pose.

The level of supplier risk depends on how much they interact with your organisation digitally, the trust needed between organisations, and the data they hold or access. To minimise risks, you may need to consider ways to limit the damage if a supplier is compromised.

Benefits of strong supply chain processes include:

  • reducing the risk of cyberattacks
  • clarifying cybersecurity responsibilities
  • managing and understanding supplier-related risks
  • building better supplier relationships
  • demonstrating good supply chain security for potential customers

How do you implement Supply Chain Security?

Start by ensuring you don't duplicate the risk assessments you already perform with suppliers, such as financial checks. Assuming a supplier passes financially, you need to assess their cybersecurity attitude and measures. Typically, this involves a questionnaire to gather information about their cybersecurity practices.

While each organisation is unique, essential aspects to consider include perimeter security, anti-malware measures, data security, control over devices used by remote workers, email security, cybersecurity education for users, and managing software vulnerabilities. You should also ensure these measures are kept up to date.

When dealing with multiple suppliers and deep integrations, trust is crucial. It must be earned through demonstrated competency in cybersecurity.

Additionally, consider worst-case scenarios and protect your systems and data by limiting access and requiring supervision when necessary. This can be challenging, especially when suppliers need autonomous access to prevent issues from affecting your business.

There's no easy solution, but considering the example of SolarWinds, monitoring, detection, and response can mitigate Supply Chain risks. Having a third-party monitor can help intercept unauthorised activity before it becomes a major problem.
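The monitoring described above can be made concrete with a small detection check. The following is an added example, not code from the article or from Chess: it takes an agreed access policy for supplier accounts (which hosts each account may reach and during which supervised window) and runs it over a few constructed log lines, flagging activity that falls outside the agreement. The log format, account names, host names, time windows and sample lines are all constructed for illustration.

```python
"""Added example: flag supplier account activity that breaks an agreed access policy.

Constructed log format (one event per line):
    <ISO timestamp> <account> <host> <action ...>
Account names, hosts and windows below are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed policy: per supplier account, the hosts it may reach and the
# approved (supervised) access window. Hypothetical values.
SUPPLIER_POLICY = {
    "svc-msp-remote": {
        "hosts": {"fileserver01", "dc01"},
        "window": (time(9, 0), time(17, 0)),
    },
    "svc-payroll-api": {
        "hosts": {"hr-app01"},
        "window": (time(0, 0), time(23, 59)),
    },
}

# Actions that should always be reviewed when performed by a supplier account.
SENSITIVE_ACTIONS = ("add_to_group", "disable_logging", "create_account")


@dataclass
class Finding:
    line_no: int
    account: str
    reason: str


def parse_line(line):
    """Split one constructed log line into its timestamp, account, host and action."""
    ts, account, host, action = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), account, host, action


def check_supplier_activity(log_lines):
    """Return a Finding for every event that is not covered by SUPPLIER_POLICY."""
    findings = []
    for n, line in enumerate(log_lines, start=1):
        ts, account, host, action = parse_line(line)
        policy = SUPPLIER_POLICY.get(account)
        if policy is None:
            # An account we never agreed to is the first thing to chase up.
            findings.append(Finding(n, account, "unknown supplier account"))
            continue
        if host not in policy["hosts"]:
            findings.append(Finding(n, account, f"host {host} not in approved scope"))
        start, end = policy["window"]
        if not (start <= ts.time() <= end):
            findings.append(Finding(n, account, "activity outside agreed access window"))
        if action.startswith(SENSITIVE_ACTIONS):
            findings.append(Finding(n, account, f"sensitive action by supplier account: {action}"))
    return findings


def summarise_by_account(findings):
    """Count findings per account so the noisiest supplier relationship surfaces first."""
    counts = {}
    for f in findings:
        counts[f.account] = counts.get(f.account, 0) + 1
    return counts


# Constructed sample events: one compliant login, then four that break the policy.
SAMPLE_LOG = [
    "2024-03-04T10:15:00 svc-msp-remote fileserver01 login",
    "2024-03-04T02:30:00 svc-msp-remote dc01 login",
    "2024-03-04T11:00:00 svc-msp-remote hr-app01 login",
    "2024-03-04T12:00:00 svc-msp-remote dc01 add_to_group Domain Admins",
    "2024-03-04T13:00:00 unknown-vendor fileserver01 login",
]

if __name__ == "__main__":
    for f in check_supplier_activity(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.account}: {f.reason}")
    print(summarise_by_account(check_supplier_activity(SAMPLE_LOG)))
```

The policy table is the part worth getting right in practice: it should be written down with the supplier when access is granted, so that "outside the agreed window" and "outside the agreed scope" are questions of fact rather than judgement when an alert fires.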

Adam Gleeson

Adam Gleeson, Vendor Alliance Manager at Chess, has a passion for IT and cyber security. With over 15 years of experience in the industry, Adam's resume boasts a wealth of knowledge around keeping businesses cyber secure.
