Supply chain attacks are on the increase. The SANS Institute's supply chain security webcast states that as of today there is a 70% chance that a cyber security incident will be caused by an organisation's suppliers, and Gartner predicts that by 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains (a three-fold increase from 2021). There's already evidence this is happening, with supply chain attacks up 633% and surpassing the number of malware-based attacks by 40% in 2022.
We've witnessed the catastrophic impact these can have and the vast number of victims they can compromise, from the MOVEit exploit to the Log4j vulnerability and the SolarWinds attack, and there's no doubt that the success of such exploits is motivating threat actors to invest time and effort into supply chain attacks. But the reason for the increase isn't just that attackers are upping their game; businesses are also complicit through their inertia.
According to the Cyber Security Breaches Survey 2023, just over one in ten businesses review the risks posed by their immediate suppliers (13%), and the proportion for the wider supply chain is just 8%. Another government-sponsored report, the Cybersecurity Longitudinal Survey Wave 2, found that fewer than three in ten businesses (26%) have formally addressed the potential cyber security risks associated with their suppliers or partner organisations. So why aren't organisations doing more?
What’s stopping us from assessing suppliers?
Barriers to undertaking a review included a lack of time and money, cited by 32% in the Breaches survey, followed by an inability to obtain the requisite information from suppliers (31%), not knowing what checks to carry out (25%), not prioritising the review (25%), lacking the skills to do so (18%) and not knowing which suppliers to check (13%).
It turned out that many of those who did conduct reviews did so because they came under pressure from clients to meet contractual or compliance requirements, or from auditors when internal or external cyber security audits flagged the issue. Others did so in reaction to news of attacks on their supply chains via their customers. Thankfully, there were also those that took proactive action, largely in response to the NCSC, which issued new guidance on supply chain security last October.
But what about after the supplier is engaged? The picture the report paints for post-contractual monitoring is a worrying one. Many said the business then simply had to trust the supplier, and that getting information out of them post-procurement was extremely difficult. As a result, few were confident that the supplier would willingly disclose a cyber incident.
Yet monitoring suppliers undoubtedly pays dividends. It ensures the business can meet its compliance requirements and the terms of any cyber insurance policy, and it is key to the business recouping costs in the event of a breach of the service level agreement (SLA). The problem is that there's no systematic way to collect the necessary data from suppliers today that doesn't rely on goodwill and potentially jeopardise the relationship.
How to overcome the inertia?
To overcome this, the business should seek to build in standard contract clauses that ensure the required information is requested and that evidence is obtained that the supplier meets minimum security requirements. As such, any organisation that cannot or will not provide that information should be excluded. That information then needs to be made accessible to those who need it within the business, beyond procurement: to those overseeing that element of the business and to the cybersecurity and operational security teams.
Communication is key to good supply chain security, so it pays to provide your suppliers with information on your expectations, when and if they can sub-contract, and the notification procedure for doing so. The business needs to set out appropriate minimum security requirements, but these may vary depending on, for instance, the depth of the relationship and the maturity of the supplier's security. All of this should be documented and included in the contract as part of the SLA.
In the event of a compromise, the business needs to be prepared to help support recovery efforts. It also pays to have playbooks in place to deal with different attack scenarios and to ensure the breach is communicated to the relevant persons and any third parties, including insurers and regulators. Incident response playbooks need to be based on actual supply chain threats, and there's a growing network of threat information to draw on here.
In the UK there's the Connect Inform Share Protect (CISP) initiative, through which cyber professionals share cybersecurity threat intelligence; it is free to join and backed by the NCSC. And earlier this year we saw the launch of the Open Software Supply Chain Attack Reference (OSC&R), a matrix for software supply chain attacks that takes a similar approach to the MITRE ATT&CK framework by mapping existing threats to entire supply chains. It's on GitHub and anyone can contribute, ensuring it's a living document that the security team can use to build out a supply chain risk management (SCRM) programme, of which cybersecurity is a part.
Only by systematically implementing the requirements of a robust supply chain assessment, so that a minimum standard is set and channels of communication and response are created, can we hope to improve supply chain security. Businesses must move away from the fear of upsetting the apple cart and firmly set out their expectations of suppliers if we are to stand any hope of fighting back against these attacks, which will otherwise continue to significantly affect companies. But they themselves also need to understand the risks, set out and document expectations, be prepared to turn away those that won't or can't provide evidence that they meet them, and step up to help remediate issues if an attack occurs. The responsibility for securing the chain lies with both parties.