How to Manage Supply Chain Risk

As the infamous saying goes amongst those working within cyber security – “you are only as strong as the weakest link in your supply chain”.

Supply chain attacks have impacted organisations of all sizes over the last few years, resulting in significant financial outlays as they attempt to rectify the situation. Two high-profile incidents you may have heard of are SolarWinds, and Log4j.

• SolarWind's IT monitoring system Orion, which is used by over 30,000 organisations, was compromised by hackers which allowed them to deliver backdoor malware via an Orion software update. This went undetected from September 2019 to December 2020, and enabled hackers to imitate victim's accounts and access system files.  Overall, 18,000 organisations installed the malicious Orion update including: Cisco, Deloitte, and Microsoft.
  
• At the end of 2021, Log4j (a Java based logging utility) fell victim to a vulnerability, Log4shell, that put millions of computers at risk. This vulnerability meant that attackers could break into systems, steal data, uncover logins and passwords, and unleash further malicious software.

Supply chain attacks like these can have devastating consequences for your business, and for many it is not always possible to recover. At the heart of these attacks, there is usually a lack of robust and resilient processes and security controls. Without these, you may find yourself at higher risk of a supply chain attack and subject to significant regulatory fines in the event of a data breach or loss of intellectual property. 

What is a Supplier Assurance Framework?

Supply chains are only increasing in size and complexity, which deepens the difficulties you may face in protecting against attackers looking to gain access to your network, systems, and information.

An essential ingredient in managing supply chain threats and risks is to develop and implement a supplier assurance framework. Such framework, if designed and followed correctly, provides you with a defined structure for evaluating and monitoring suppliers’ cyber security capabilities. By understanding where your supply chain risks may exist, preventative measures can be taken to mitigate them before they impact your organisation.

In the following section, we will discuss the key components of a well-designed supplier assurance framework.

How to Build a Supplier Assurance Framework

Every supplier assurance framework should follow a clearly defined structure. You can use the Deming Cycle to provide this structure, with each phase of the assurance process split across four stages: Plan, Do, Check, Act (PDCA).

Plan: During the planning stage, the foundations of the assurance framework must be developed properly to ensure that the framework achieves its intended outcome. Key activities to be completed during the planning stage should include:

• Determining which of your suppliers are the ‘crown jewels’. These are the suppliers which are most critical and/or high risk to your business based upon the services they provide and the type of sensitive information they have access to. Conducting assurance activities on these types of suppliers is of utmost importance to support the longevity of your organisation. The criticality of the supplier should influence the type of assurance activities required to be undertaken.
• Develop a supplier security requirements policy, and a procedure for conducting assurance reviews to promote consistency. The policy should define minimum security requirements each of your suppliers must comply with, and the procedure should define the steps involved in the assurance process, including how to prioritise suppliers based upon impact, risk, and value.
• Contractual clauses should be developed that reflect the minimum security requirements defined in the policy. It is important that all suppliers agree to these clauses before any agreement is formally made.

Do: During the doing stage, you should start to implement the plans and activities designed during the planning stage. This includes:

• Formally implementing the supplier security policy and procedure, and ensuring that all relevant stakeholders are made aware of the requirements set out. You should assign roles and responsibilities for supplier assurance at this stage.
• Providing training and awareness to all stakeholders who will be involved in the supplier assurance process to ensure that all steps involved are clearly understood and followed properly.
• Perform the assurance reviews on all relevant suppliers in line with the requirements set out in both the policy and the procedure.
• Information security should be embedded across the supplier management lifecycle. This includes requirements during the initial procurement and onboarding of suppliers, to the ongoing management, right the way through to the offboarding of any suppliers.

Check: Supplier assurance is not a once off activity. Continuous monitoring is essential to ensure that no new risks are introduced via your supply chain as time passes. During the checking phase, the following activities are key:

• Perform regular monitoring of key suppliers’ information security capabilities. This might be done on an annual basis to ensure that the suppliers' information security controls continue to reflect the minimum requirements of the business. Where gaps or new risks are identified, treatment plans must be put in place to minimise the likelihood of security incidents or disruptions occurring.
• Changes to the products or services provided by the supplier should also be closely monitored. The supplier contract should clearly define how changes are to be managed to reduce the potential impact on the organisation.
• Metrics including KPIs and KRIs should be defined and monitored to support the ongoing management of suppliers. These metrics should be collated on an ongoing basis and reported to senior management regularly.

Act: The final stage of the assurance framework focuses on continual improvement of the supplier assurance process. Key activities here should include:

• Continuously reviewing the supplier assurance framework and all supporting documentation to ensure they remain suitable and effective in managing supply chain risk within the organisation.
• Maintaining awareness of the evolving supply chain threats to ensure that there are sufficient security controls in place to protect your organisation, and that assurance activities undertaken reflect these ever changing threats.

Supply chain risk management is critically important for all organisations, regardless of size of complexity. By adopting a well-defined assurance framework, it will you in a much stronger position to reduce the likelihood of successful supply chain attacks and give senior management peace of mind that they have the correct processes in place to protect their key systems, applications, and information from attackers. The benefits of proper supplier assurance include risk reduction, improved information security, and better regulatory compliance.