Supply-Chain series: Part 3 of 4
Recent events may have turned up the heat on supply-chain security; from a Government standpoint, however, it has been a focus for some time.
As long ago as 2014, the UK Government was keen to mandate that companies take the cyber security risk posed by third-parties seriously.
From October 1, it stated that every supplier should meet the then newly introduced Cyber Essentials certification. Developed in partnership with the private sector, this standard outlined a set of five critical controls which could help protect against the largest threats. These are: boundary firewalls and Internet gateways; secure configuration; access control; malware protection; and security software patch management.
Since launch, Cyber Essentials has proven a useful tool for large organisations looking to do business with smaller providers. By ensuring that the third parties in their supply chain are accredited at the point of engagement, large organisations reduce the risk presented by this joint attack surface.
The scheme has, however, not been without criticism. Before a recent overhaul alongside IASME, Cyber Essentials was seen as a somewhat confusing process for small businesses to go through, with a plethora of suppliers giving mixed messages.
For mature organisations, the NCSC has proposed a series of 12 principles for companies looking to achieve greater visibility of the risk presented by the supply chain.
The guidance is divided into four constituent parts, designed to make it easier to understand.
The first, entitled ‘understand the risk’, encourages companies to run a simple audit of their exposure in the supply chain. This is good practice for any company starting out on defining such risk.
Thinking like an attacker is important here. First, understand what information assets you will be sharing with suppliers and how they will be protected, by people, process and technology.
The next step, according to the NCSC, is to build a good understanding of what your suppliers’ security looks like.
In the first instance, this means knowing who they are. This sounds obvious; however, organisations with large supply chains sometimes have thousands of suppliers, not to mention sub-contractors, who should also be taken into account.
Once you have a database of suppliers, the NCSC says it is important to understand how far advanced their current security arrangements are.
Short of asking each supplier to list the countermeasures and controls they have in place, this can now be understood by using a platform that makes it simple to visualise each supplier's attack surface and to identify the simple risk-mitigation steps which can be taken. Traditionally, this would have meant extensive human research and, when carried out across a whole supplier base, would have proven expensive.
However, through the power of automation, a large organisation with thousands of suppliers can easily understand the attack surface they share with those who supply them and, just as importantly, mitigate the risks to data, reputation and core IP.