Analysis
How to Turn Your Supply Chain Into Your Biggest Security Enabler
Attacks on organisations’ supply chains - one of the weakest links in any security posture - are on the rise. These are often particularly devastating as the examples of SolarWinds, Log4J and most recently the MOVEit Transfer attacks have shown. Regulators and national security strategies are acutely aware of the dangers and have placed increased emphasis on making our supply chains more resilient.
Traditional approaches to third party risk management (TPRM), however, are broken and can’t get the job done. Right now, people need to tick their TPRM box. They need to demonstrate to their boards and regulators that they are doing their job when it comes to assessing the security of suppliers. But the way this is done at the moment is not actually helping anyone. Spreadsheets, questionnaires, tick-box governance do not prevent or help us respond to cyber attacks, and they are immensely time-consuming exercises. At best, they provide point-in-time snapshots of the security postures of individual suppliers, and even then, organisations hardly manage to assure more than a fraction of their immediate third parties.
To transcend TPRM and achieve meaningful supply chain security, new approaches are urgently needed. It is not about doing more, but about doing things differently, smarter and more efficiently, while at the same time reducing the resource burdens that current TPRM approaches impose. This article explains how this can be done. Risk Ledger provides a way to gain the assurance you need on your suppliers' security, whilst also building the foundations needed for a future detection & response system for supply chain attacks, and for a new approach that can harness the power of collective defence.
Taking a social network approach to supply chain risk management is our path to achieving these goals. Similar to a social network like LinkedIn, each organisation has a profile on Risk Ledger, which contains information about their business, their security controls and other relevant risk areas. This profile is then shared with their clients and customers.
Suppliers’ security profiles are built within a standardised framework that can be mapped to all major industry standards, such as ISO27002, NIST Cybersecurity Framework and NCSC’s CAF, so that suppliers maintain one single source of truth. Clients can set requirements against the framework, so they can compare suppliers against criteria which matter most to them. Suppliers use this platform to help implement and manage their own controls. Users from across the organisation (security, data protection, legal risk) can update and collaborate in real time on the security controls they are responsible for operating.
An organisation on the network may act as both a client and supplier, and have many connections in both directions. Because of these connections, the network can provide a unique visualisation of an organisations’ wider supply chain ecosystems and uncover interdependencies and risks past their immediate suppliers, into fourth, fifth, sixth and n-th parties, as well as map relationships and interdependencies. As the network grows, it provides a full map of organisations’ supply chains, enabling security teams to focus on the highest risks, whether that’s from an immediate supplier, or a concentration risk further down the chain.
This approach and the standardised assessment framework also allow for an enormous amount of useful data to be generated and enable the effective categorisation and risk scoring of suppliers through tags and policies that clients can set based on their unique requirements. This not only makes reporting easier and more meaningful. It also allows organisations to obtain crucial benchmarking data.
Moreover, a social network approach also comes in handy during times of crisis, for example when a new emerging threat, such as the attacks exploiting the MOVEit Transfer vulnerability, emerges. It often takes days, weeks, even months to figure out whether you're impacted by a supply chain incident, especially if the exposure is a few levels down in your supply chain. Our ability to provide visualisation into the full supply chain ecosystem puts us in a unique position to identify the potential blast radius of emerging threats and how risks and breaches might ripple up the chain and come to affect your organisation. With organisations voluntarily sharing data on whether they have been affected, whether they are investigating, remediating or have resolved any issues, clients can then choose to collaborate with potentially weak links in the network proactively to help bolster their defences to specific threats and incidents collectively.
From a supplier’s perspective, the network approach saves them a lot of time and effort. From now on, they only have to complete and keep-up-to-date one profile, and no longer have to complete hundreds of separate assessments. This allows them to focus more on actually hardening their security and remediating vulnerabilities, rather than on completing security questionnaires.
Moreover, this new approach, for the first time, enables the continuous monitoring of suppliers’ security postures. Organisations on Risk Ledger have access to an activity feed, providing up-to-date information on when there is any change in a suppliers’ security posture. This also makes the need for annual re-assessments a thing of the past, and means the data is more accurate (many clients reviewing the same data increases accountability), more comprehensive and more up-to-date.
Taking a social network approach to supply chain risk management gives rise to a new level of collaboration and communication, allowing clients and suppliers to work together to detect and respond to security threats before they become a problem. Most importantly, it transforms suppliers from one of the great security risks to an organisation, to one of its greatest security enablers.
This new approach lays the groundwork for a future of “Defend-as-One”, where network effects can be leveraged into a collective defence approach. No organisation is an island. They are intricately linked to other organisations, and the responsibility for preventing cyber attacks is inescapably shared by the entire supply chain ecosystem. Threat actors know this, and are taking advantage of the lesser protected links in that chain. By taking a more holistic view of supply chain security, we can collaborate closely with our community of supply chain partners to elevate our collective cyber security.
Right now each organisation is performing their own assessments on each individual supplier’s security controls, so there is a vast amount of duplicated effort across organisations when performing these reviews. By sharing security activity within their environments, and then collaborating on making the weakest nodes in the system stronger collectively, we can save a lot of time and resources. Even more importantly, it actually enhances the security of everyone.
Organisations should consider themselves as part of a wider network of defenders. When one node (organisation) experiences an attack, the entire network will react, learn, respond and increase in strength. Organisations with large security operations centres and strong expertise in hunting, detecting and responding to attacks must rally around their smaller partners and suppliers in order to protect the whole system. Connected organisations have a natural incentive to make sure there isn’t a breach within their ecosystem. When everyone is connected, an attack on one organisation is tantamount to an attack on every organisation, which means that looking out for each other can only be beneficial. And conversely, failing to collaborate can only be detrimental for everyone involved. When it comes to cyber security, organisations can only win when they play as a team.
Sign up to our monthly newsletter to receive exclusive research and analyses by our experts, the latest case studies from our clients as well as guides, explainers and more to turn your supply chain risk management programme into a resounding success story.
