Whilst the risk of a supply chain compromise by a threat actor is not a new challenge, it has never been more important to focus resources on managing this risk. Organisations are increasingly dependent on managed services, third party technology providers, and many other types of suppliers. And while vulnerable supply chains impact all industries, if it occurs within the national security and defence sector it could have devastating consequences, endangering the lives of not only those working within the sector, but of civilians too.
A rapid increase in supply chain attacks prompted the National Cyber Security Centre (NCSC) to release new supply chain security guidance in recent years, setting out 12 Supply Chain Security Principles. The principles are divided into four separate stages focusing on understanding the risks, establishing control, checking your arrangement and continuous improvement.
In 2023 there were several high-profile supply chain breaches, most notably, the MOVEit vulnerability. At the time of writing, EMSISOFT (an anti-virus software distributer) have reported the running count of supply chain breaches as 2730 impacted organisations, affecting over 94 million individuals since late May 2023 when data was transferred from MOVEit.
So how do we approach the management of this ever-increasing risk?
We strongly believe that Supply Chain Security and Third-Party Risk Management (TPRM) is not solely a Security team’s risk to own or manage. Whilst your Security team will be a key stakeholder, supply chain risk is an organisation-wide responsibility.
Step one: Collaboration and close working relationships
Close collaborative relationships are essential across Security, Procurement, Legal, Data Protection, IT, Business Continuity, and IT Disaster Recovery teams.
Having all the right people on hand and aligned builds strength in numbers to raise awareness and highlight the importance of supply chain security.
Early this year, we started up a Third-Party Supplier Assurance Forum, bringing together business units across our organisation, subsidiaries, and joint ventures, to help define and direct our Third-Party Risk Management strategy. The forum has already facilitated several improvements within our policies and processes, ensuring that mitigation of risk remains high on the agenda across our organisations.
Step two: Identifying the risks
As supply chains continue to grow in complexity and number, it’s not always practical to focus attention on every single supplier. It’s more efficient to prioritise the suppliers who pose the greatest risk. It’s vital to know which suppliers have access to your most valuable assets and provide services that are essential to your organisation, as they have the potential to have the biggest impact should they be compromised or become unavailable. The NCSC and National Protective Security Authority (NPSA) offer useful advice on establishing “Impact Levels” or “Tiers” within your supply chain.
Onboarding assessments and supplier reviews will help to maintain your external certifications. However, they aren’t sufficient for complete protection of your most valuable assets. More organisations are turning to external tools and services to supplement their processes and strengthen their monitoring schedule.
Step three: Effective continuous monitoring
Effective continuous monitoring of large complex supply chains is a huge challenge.
It requires either considerable resource, and/or the use of a supporting management tool or service, which can be internally developed or externally procured. Running such a process without a tool or service, whilst still common, is declining due to the inefficiencies and size of supply chains. This approach often relies on ‘point in time’ (snap-shot) self-assessments by suppliers, however, whilst this may tick a compliance box, the accuracy and effectiveness of this type of process is questionable.
BlueVoyant recently published its Global Insights report, stating that 32% of the surveyed organisations in the UK are likely to be using a continuous monitoring solution, whilst 38% are likely to be using a security ratings solution, both higher than the global average. If you aren’t using these types of services or tools, or developing your own, there’s a risk of falling behind. It’s crucial to consider using these tools to ensure you’re fully prepared and ready to respond, so you can minimise the impact by identifying and addressing risks appropriately.
Step four: Ensuring readiness to respond
Being ready to respond is arguably the most important capability you can have at your disposal. This involves establishing resiliency, testing recovery plans with critical suppliers, and identifying concentration risk in your supply chain. Know your suppliers, know the services they provide, the level and method of access they have to your assets, the impact on your organisation or your clients, and know the appropriate point of contact for each of your suppliers.
A big challenge is expanding this information to your fourth- and fifth-party suppliers, but whatever you decide is the best approach, this information must be readily available and up to date if you are to respond quickly and effectively.
Building resilience in the face of supply chain threats
The growing size and complexity of supply chains, and increasing dependencies on third party services, combined with the capability of threat actors and targeted supplier attacks, means there is a much higher possibility of a supply chain attack.
Strong technical controls underpinned by strong policies and processes can play a part in reducing the likelihood and impact of a successful attack, but it’s crucial that you’re ready to respond and can do so quickly and effectively, therefore minimising impact.
If you’d like to discuss how we’re approaching the supply chain challenge at Sopra Steria, or discuss your own challenges reach out to us at support.supplychainsecurity.uk@soprasteria.com