While your organization may invest significant resources into its IT security program, it can still be enormously challenging to secure your cyber supply chain against third-party data breaches, ransomware attacks, and other security risks. This task gets even more difficult as your supply chain becomes more complex or relies heavily on overseas partnerships.
How can you gain visibility into risks posed by the third, fourth and Nth parties in your extended supply chain, while ensuring that your suppliers have the security controls necessary to protect your business? This article will get you started by sharing some best practices for building a more effective and efficient cyber supply chain risk management (C-SCRM) program.
Cyber Supply Chain Risk Management (C-SCRM) is the process of identifying, analyzing and mitigating vulnerabilities, data exposures, and other security gaps that threaten an organization’s ability to deliver information technology (IT) or operational technology (OT) products and services.
Managing cyber risk in your supply chain requires not only securing your organization against direct attacks, but also mitigating the risk of third-party and Nth-party data breaches that could disrupt your business.
Supply chain risk is now a board-level concern for many organizations. This is no surprise, considering the following statistics from a recent Prevalent study:
An effective C-SCRM program can help your organization make informed decisions and select suppliers that take cybersecurity and compliance seriously.
Ransomware is malicious software that prevents access to compromised computer systems, encrypts files on the systems, or threatens the release of sensitive stolen data unless money is paid to the attacker. While ransomware has been around for decades, technological advances have enabled criminal actors to attain new levels of scale and sophistication. Instead of mainly targeting SMBs to extort small sums as they did in the past, attackers are now targeting large corporations that are linchpins of global supply chains.
It’s no surprise that ransomware has been a major news topic. One example related to C-SCRM is last year's Kaseya breach, which led to ransomware attacks against thousands of businesses through the company’s remote monitoring and management (RMM) tool.
Using software with known vulnerabilities or having poor visibility into a software vendor’s security practices can leave your organization vulnerable to significant disruptions, data breaches and downtime. Take for example the 2020 SolarWinds Breach, which left thousands of organizations and government entities exposed to malicious actors for months.
Physical and virtual IT access is one of the most obvious channels through which supply chain compromises can occur. Numerous companies have been hacked as a result of contractors that initially appeared to have a low level of profiled risk. However, because these contractors had physical access to facilities and IT systems, malicious actors were able to leverage them as trojan horses to gain access to enterprise clients.
In many cases, cybercriminals don’t directly steal data when they exploit a company’s email accounts or networks. Instead, they sell compromised usernames and passwords on the dark web for Bitcoin or other cryptocurrency. This reduces risk for the criminal since they can immediately monetize the stolen credentials without the work of breaking into individual accounts.
Recently, ransomware groups operating on the dark web have begun posting information about their victims publicly to pressure the victim organization to pay a ransom. Monitoring these forums and blogs can provide early warning of potential data breaches that may affect data shared throughout your supply chain.
According to a recent Prevalent study, 55% of organizations reported a compliance violation related to a lack of third-party oversight. Organizations are increasingly expected to not only secure personally identifiable information (PII) within their own organization, but also proactively ensure that third parties are securing customer data and other sensitive information. Applicable regulations include CCPA, GDPR, CMMC, PCI DSS and several others.
It’s time-consuming enough to source solutions that fit your organization’s functional and business requirements. Evaluating a potential supplier’s cybersecurity posture introduces additional complexity and uncertainty into the sourcing and selection process.
That’s why it’s essential to start your relationship with a potential supplier by conducting pre-contract due diligence in line with your RFIs, RFPs and other RFx processes. Cybersecurity insights to seek at this early stage of the supplier relationship should include:
Incorporating these insights into your RFx process will ensure not only that a selected solution is fit for purpose, but also that the supplier behind the solution doesn’t expose your organization to unnecessary risk.
Many organizations fail to consider that they may be able to mandate cybersecurity controls in contracts. SLAs and other contractual agreements can require third and fourth parties to implement or maintain cybersecurity controls to protect your organization's sensitive data.
Understanding the different types of supplier risk can enable you to make data-based decisions on how to apply vendor risk questionnaires, as well as to accurately compare suppliers based on measurable risk. At Prevalent, we categorize supplier risk into three types:
Vendor risk questionnaires can provide visibility into a supplier’s cyber security controls and help to avoid compliance violations. You can dramatically speed the supplier due diligence process by tailoring your questionnaires according to inherent risk and mapping answers to cybersecurity regulations applicable to your organization.
You should also consider segmenting questionnaires based on industry, service level, and/or level of system access. For instance, a software vendor might require a substantially different questionnaire than an onsite HVAC contractor. Effective use of vendor risk questionnaires can simplify compliance, streamline vendor onboarding, and provide visibility into the extended supply chain.
Using a third-party risk management platform can help to automate the process and reduce the time required to assess suppliers. In addition, subscribing to a vendor risk intelligence network is a cost-effective way to gain access to thousands of already-completed assessments and add scale to sourcing, selection, onboarding and inherent risk scoring.
Bonus Tip: When designing your vendor risk assessment questionnaires, include questions about fourth and Nth parties to gain visibility into risks deeper into the supply chain. Even if your third party has sound cybersecurity controls, one of its vendors could still trigger a data breach that ultimately impacts your organization.
Practicing continuous third-party monitoring can help you to identify new vulnerabilities, data breaches and other security exposures affecting suppliers. Monitoring enables you to stay on top of risks that may emerge between periodic, questionnaire-based assessments. A strong cyber risk monitoring solution can provide intelligence from criminal forums, onion pages, dark web special access forums, threat feeds, paste sites, security communities, code repositories, vulnerability databases, and other sources.
In addition to providing early warning of potential incidents that could impact your organization, continuous monitoring can validate whether the controls reported in a supplier’s assessment responses are in place and functioning as intended.
Unlike with physical goods, it can be difficult to track how your organization's information is stored and shared throughout your extended supply chain. Each organization in your cyber supply chain likely works with dozens, or even hundreds of software companies, outsourced IT contractors, and other third parties – several of which could have access to your company's information. The last thing that a CISO or CIO wants to hear is that the organization has been exposed to a data breach because of an Nth-party vendor's negligence.
Below are a few best practices you can use when evaluating and mitigating the fourth-party risk.
Building an effective C-SCRM program requires prioritizing which vendor risk to focus on. The average organization works with innumerable third, fourth and Nth parties. Finding every risk in the extended supply chain of each vendor is impossible. When working to get visibility into your fourth- and Nth-party cyber supply chain, start by focusing on the most important vendors based on their inherent risk scores. When prioritizing, consider:
Building a comprehensive map of your supply chain, complete with dependencies and risk tiering, can enable you to get the visibility you need to make effective risk mitigation decisions. First, you need to ensure that you are gathering the necessary data. Questions regarding fourth and Nth parties in your extended supply chain should be standard on all vendor risk assessment questionnaires.
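As an added illustration (not Prevalent's code or platform logic), the Python below builds such a map from constructed sample data: it ranks third parties by inherent risk score, tiers them using assumed thresholds, and flags fourth parties that several higher-tier vendors all depend on, which are the single points of failure the next step looks for. Vendor names, scores and tier cut-offs are all constructed for the example.

```python
"""Added example: prioritize third parties by inherent risk and map fourth-party
dependencies to find concentration risk. All data below is constructed."""
from collections import defaultdict

# Constructed sample: each third party has an inherent risk score (0-100) and
# the fourth parties it relies on to deliver its service or hold your data.
THIRD_PARTIES = {
    "payroll-saas":    {"inherent_risk": 85, "fourth_parties": ["cloud-host-a", "email-relay-x"]},
    "hvac-contractor": {"inherent_risk": 20, "fourth_parties": ["scheduling-app"]},
    "crm-vendor":      {"inherent_risk": 70, "fourth_parties": ["cloud-host-a", "analytics-y"]},
    "it-msp":          {"inherent_risk": 90, "fourth_parties": ["rmm-tool", "cloud-host-a"]},
}

def tier(score):
    """Assumed tiering thresholds; tier 1 is the highest inherent risk."""
    if score >= 75:
        return 1
    if score >= 40:
        return 2
    return 3

def prioritize(third_parties):
    """Order third parties by inherent risk, highest first, with their tier."""
    ranked = sorted(third_parties.items(), key=lambda kv: kv[1]["inherent_risk"], reverse=True)
    return [(name, data["inherent_risk"], tier(data["inherent_risk"])) for name, data in ranked]

def fourth_party_exposure(third_parties):
    """Map each fourth party to the third parties that depend on it. The fourth
    party inherits the highest inherent risk score of any of its dependents."""
    deps = defaultdict(list)
    for name, data in third_parties.items():
        for fp in data["fourth_parties"]:
            deps[fp].append(name)
    return {
        fp: {
            "dependents": sorted(names),
            "inherited_risk": max(third_parties[n]["inherent_risk"] for n in names),
        }
        for fp, names in deps.items()
    }

def single_points_of_failure(third_parties, min_dependents=2, max_tier=2):
    """A fourth party is a concentration risk when at least min_dependents third
    parties rely on it and its inherited risk places it at tier max_tier or above."""
    flagged = []
    for fp, info in fourth_party_exposure(third_parties).items():
        if len(info["dependents"]) >= min_dependents and tier(info["inherited_risk"]) <= max_tier:
            flagged.append(fp)
    return sorted(flagged)
```

Feeding real questionnaire answers into THIRD_PARTIES (the fourth-party questions the paragraph recommends) turns the map into a living inventory rather than a one-off exercise.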
Once you have a good understanding of your third- and fourth-party ecosystem, you can identify vendors that may present single points of failure or unacceptable levels of information security risk. Here are some remediation suggestions if a fourth or Nth party is deemed to be high-risk:
Risks are constantly emerging and evolving, so limiting critical suppliers to a single, point-in-time risk assessment is not enough. Be sure to reassess risk at multiple points throughout the lifecycle of the contract to ensure that residual risk hasn’t risen beyond acceptable levels. Here are some questions to consider:
Premeditatio malorum – Latin for “the premeditation of evils and troubles that might lie ahead.” Or, to put it more plainly – plan for the worst! Unwanted supplier cyber events will happen. However, your organization’s level of preparation for those events can mean the difference between a severe disruption and a mild disturbance.
Effective incident management (IM) and C-SCRM go hand-in-hand. For example, identifying your third, fourth and Nth parties enables effective incident management – considering as many as half of all incidents originate with vendors. Supplier and subcontractor contracts need to include IM/breach notification requirements within a fixed timeframe (e.g., 24 hours) after a major incident is identified. Validating your supplier IM processes and contacts, along with periodic testing, can help to ensure operational readiness to respond to and resolve incidents.
Many companies spend significant time on vendor due diligence, risk questionnaires, and mapping compliance requirements but fail to plan for the end of the relationship – when many security exposures occur. That’s why vendor offboarding is just as important as vendor onboarding. Failure to successfully offboard vendors and ensure that sensitive data has been destroyed and that IT access has been revoked can result in:
There are several cyber supply chain risk management resources that you can look to when building or evaluating your program. Prominent resources include those published by the National Institute of Standards and Technology (NIST) and other government agencies, regulatory bodies, and private industry groups. Here are a few useful resources:
NIST SP 800-161 is a cyber supply chain risk management framework that can help your organization build and mature its C-SCRM program. NIST SP 800-161 provides detailed guidance on how to incorporate a C-SCRM program into your broader enterprise risk management strategy and covers critical success factors for building an effective C-SCRM program. NIST SP 800-161 controls are broken into 20 families, ranging from access control to incident response.
Appendix A of NIST SP 800-161 Rev 1 includes a risk exposure framework with detailed guidance for identifying potential Supply Chain Threat Scenarios. NIST defines a threat scenario as “a set of discrete threat events associated with a specific potential or identified existing threat source or multiple threat sources, partially ordered in time.” NIST’s Risk Exposure Framework enables you to identify and assign risk to various supply chain threat scenarios, and to incorporate these findings in your broader third-party risk assessment approach.
Appendix D of NIST 800-161 r1 provides several templates for documenting your C-SCRM program, including implementation plans, compliance initiatives, strategic objectives, roles and responsibilities, and implementation milestones. These templates are invaluable for outlining a new C-SCRM program or enhancing your existing program with supporting documentation.
NIST published its Software Security Supply Chain Guidance in response to the requirements of Executive Order (EO) 14028 Section 4E on Improving the Nation’s Cybersecurity. The document is geared towards federal agencies, but many of the same practices can be employed by corporations seeking to mitigate cyber risks in their extended supply chains.
Security Measures for EO Critical Software is another NIST document created in response to Executive Order 14028. NIST defines EO critical software as:
… any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:
The Security Measures document is intended principally for federal agencies, but it can easily be reused by private-sector entities. The document identifies software categories that should be considered “EO Critical,” which can help you to flag potentially high-risk suppliers during the profiling and tiering stage.
This NIST document lays out specific guidelines for federal agencies to verify the security of software being used. This includes the following verification techniques that should form the basis for identifying risks:
The U.S. Department of Health and Human Services published a presentation on maturing a C-SCRM program. The presentation provides a high-level overview of C-SCRM best practices based on NIST and covers specific controls and control families that should be implemented as part of a holistic C-SCRM program.
Third-party cyber risk is growing exponentially. Prevalent provides an easy-to-use platform that enables you to automate supplier risk assessment questionnaires, assign risk scores to suppliers, monitor risk and changes over time, and manage and report on supplier risk. Using a dedicated TPRM platform can automate the supplier risk management lifecycle and enable your team to focus on reducing organizational risk. To see how Prevalent can help you manage supply chain risk, request a demo today.