British Airways, the BBC, British pharmaceutical company Boots, and Irish airline Aer Lingus all suffered a recent data breach due to a zero-day vulnerability that allows escalated privileges and unauthorized access to corporate data. What did these organizations all have in common? They all used Zellis, a third-party payments company, along with the MOVEit Transfer file-transfer service.
The rise of third-party breaches has left thousands of companies vulnerable to sensitive data leakage, highlighting the importance of securing their digital supply chains.
What is Software Supply Chain Security?
Software supply chain security is the process of assessing, evaluating and mitigating the physical and digital risks in an organization’s supply chain. Physical threats encompass risks such as natural disasters, floods, and even terrorism. In the past, physical security was the main focus of supply chain security. Today, supply chain security risk management focuses primarily on cyber threats, as they pose the greater risk. Development and security teams responsible for securing the software supply chain must develop security risk management principles that protect critical data, financial data and intellectual property against misuse or unauthorized access, and that prevent exposure of the company’s most sensitive data.
What is the NCSC’s Supply Chain Security Guidance All About?
In response to a rise in supply chain attacks, the UK’s National Cyber Security Centre has released new guidance on supply chain security. The guidance is designed to help medium and large organizations effectively evaluate the cyber risks associated with their suppliers, identify weaknesses, develop appropriate mitigation responses, and boost operational resilience.
Although the guidance was published in collaboration with the Cross-Market Operational Resilience Group (CMORG), which focuses on improving operational resilience in the financial sector, the advice applies to organizations in any industry.
The NCSC guidance is called “How to assess and gain confidence in your supply chain security”. It provides practical steps organizations can take to more accurately assess the cybersecurity posture of their supply chains.
Specifically, it:
- Describes typical vendor relationships, as well as potential ways organizations become exposed to threats and attacks via these relationships and the supply chain.
- Defines expected outcomes and concrete steps to help businesses identify gaps in their approach to securing their supply chain.
- Answers common questions about supply chain security.
- Supplements the NCSC’s 12 Supply Chain Principles of 2020.
Why Now?
Thanks to the digital and interconnected nature of business today, the digital supply chain has become an easy point of entry for cybercriminals, who use methods like malware, social engineering, and brute-force computing to steal customer data and gain access to internal networks. Two-thirds of breaches are a result of exploited vulnerabilities within third parties. Despite this increasing trend, most companies are unprepared to protect their supply chains and have little means of defense.
Recent government data shows that only 13% of businesses have processes in place for reviewing the cybersecurity risk posed by their immediate suppliers, and only 7% evaluate the risk across their entire supply chain of third-party vendors, including contractors, suppliers, partners and other parties. Inadequate supply chain security can lead to a breach, which, according to IBM, costs a record high of $4.35 million on average.
This widespread unpreparedness, combined with the rising number of attacks on the supply chain, is what prompted the NCSC to release its latest guidance.
How Are the NCSC Guidance and Third-Party Security Connected?
Third-party security is integral to protecting the supply chain, and the entire organization at large.
All of an organization’s external vendors — including software and hardware suppliers, contractors, and agencies — make up its supply chain. And, as we mentioned above, cybercriminals know that vendors that provide a product or service to a larger enterprise are often more vulnerable than the enterprise itself. As the supply chain increases in size and connectivity, thanks to API integrations and the like, hackers are finding it easier to infiltrate the target organization’s systems and data via third-party vendors.
With the NCSC guidance, organizations can gain greater control over their supply chain attack surface by understanding how to identify and mitigate vulnerabilities within third-party suppliers.
How to Put the NCSC Guidance Into Action
Here are seven steps for putting the NCSC guidance into practice in your organization.
Step 1: Map your third-party vendors
The first step is identifying and mapping the critical assets in your organization that need to be prioritized and protected (i.e. your “crown jewels”). Among other needs, you’ll want to create security profiles for each supplier, define minimum security requirements for each security profile, and create a standard set of contractual clauses that cover a variety of incident scenarios.
Step 2: Set security standards for your suppliers
Next, you’ll want to clearly define security standards that each of your third-party vendors needs to adhere to. These should include internal security policies, such as mandatory security training for employees; security maintenance protocols for the product itself; and standards for managing vendors’ third-party risk (i.e., your fourth parties).
Step 3: Ensure vendor contracts align with your security standards
Outlining security standards in your third-party contracts allows you to enforce compliance with these standards as a condition of doing business. This, in turn, gives suppliers extra motivation to ensure they are fulfilling their obligations. Additionally, you’ll want to build contracts that support your right to audit vendors with questionnaires and require them to do the same with their third parties.
With Panorays’ automated, easy-to-customize security questionnaires, you can easily verify that suppliers in your supply chain are in alignment with your company’s security policies, regulations and risk appetite — something a simple security rating service cannot do.
Step 4: Assess your security processes and vendor risk
Next, you’ll want to start assessing your third-party risk. First, you should analyze your current approaches to cybersecurity risk management, such as your organization’s processes for evaluating risk, key security stakeholders and any existing gaps. This will give you a picture of your ability to accurately identify and address risk. From there, it’s time to start assessing risk within your existing contracts.
Consider a robust TPRM (third-party risk management) solution that can help you evaluate both your own cyber risk and that of the suppliers in your supply chain by performing automated attack surface assessments. These solutions allow your organization to first identify critical assets and their cyber risk — enabling you to prioritize how you address them.
Step 5: Remediate vulnerabilities
After assessing third-party risk, you should begin working with vendors to remediate the vulnerabilities that are brought to light. This is essential to minimizing supply chain risk and improving your risk posture.
Platforms such as Panorays continuously monitor your third parties and alert you to any security changes or vulnerabilities. When this occurs, the platform automatically prioritizes vulnerabilities according to the vendor’s business criticality and the severity of the risk, so you can focus on mitigating the most critical threats.
Step 6: Focus on continuous improvement
Maintaining a strong and collaborative relationship with your vendors is the key to continuous improvement. Routine communication helps both sides stay aware of evolving threats, stay up to date on security processes and meet high security requirements.
Step 7: Build trust with your vendors
Trust is an essential aspect of supply chain security. With open communication and increased transparency, trust will develop naturally. With Panorays, all communication and information related to vendor security risk management are centralized in one platform, which facilitates easier sharing, transparency and collaboration between your company and its suppliers.
Best Practices for Defending Against Software Supply Chain Attacks
Software supply chain attacks can be devastating for organizations. They can lead to reputational and financial damage, loss of customer trust and regulatory fines. Guarding against these attacks requires a defense-in-depth strategy.
Best practices include:
- Assess your supply chain. Securing software development starts with knowing where your software code originates, who your suppliers are, and which third parties are using what code. An SBOM (software bill of materials), which lists the software components in your digital supply chain, combined with software composition analysis, can help facilitate this.
- Monitor your third parties. With organizations relying increasingly on third-party software – and these parties relying on other third parties – software supply chains are more dynamic than ever. Third-party vendor risk management is essential for proactively defending against attacks.
- Secure software development. Strategies such as code review and continuous security testing look for vulnerabilities and security flaws in software. Shift-left security also ensures software is secured at an earlier stage of the software development lifecycle.
How Panorays Can Improve Your Software Supply Chain Security
The Panorays platform delivers full visibility into your extended digital supply chain, allowing you to evaluate the risks of third-, fourth- and nth-party suppliers so that you can stay ahead of supply chain attacks and other security risks. In addition, its Risk Insights and Response Portal delivers alerts of third-party data breaches and vulnerabilities so that you can immediately send out a customized security questionnaire to evaluate the security posture of the third parties related to the incident. You can also use these security questionnaires proactively, as a tool for continuous cybersecurity assessment.
Learn more about how you can gain visibility and control over your digital supply chain with Extended Attack Surface Monitoring.
FAQs
Supply chain security is the part of supply chain management concerned with third parties, partners, external contractors, vendors and suppliers. It covers both physical and software supply chain security. Modern software relies heavily on third-party vendors in addition to open-source code, and that code carries many vulnerabilities. Supply chain attackers are aware of both these dependencies and vulnerabilities and do their best to exploit them, gaining access to sensitive data, critical systems, and security controls.
Organizations can ensure supply chain security in several ways. First, they can promote secure software development throughout each stage of the software lifecycle. Second, they can monitor third parties for vulnerabilities or potential security incidents that would impact their organization, implementing a vendor risk management program to continually assess the security posture of their third parties. Finally, they can assess their software supply chain security through the use of SBOMs, which list the components of software and their origin.
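The best-practices list above and this FAQ answer both point to an SBOM as the starting point for knowing which components are in your software and where they come from. The following is an added illustration of how that assessment works in practice; it is not Panorays code and not part of the NCSC guidance. It walks a constructed CycloneDX-style SBOM, compares each component against a constructed advisory list (the advisory identifiers are placeholders, not real CVEs), and traces the dependency path that pulls each affected component in, which is the information you need when asking a supplier to remediate.

```python
"""Check a CycloneDX-style SBOM against an advisory list and trace dependency paths.

Added example: the SBOM, package names and advisory IDs below are constructed
for illustration and do not refer to any real product or vulnerability.
"""
import json

# Constructed SBOM in CycloneDX JSON layout: one application with three components.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "payroll-portal", "version": "2.3.0",
                               "bom-ref": "pkg:app/payroll-portal@2.3.0"}},
    "components": [
        {"name": "transfer-client", "version": "1.8.2",
         "bom-ref": "pkg:pypi/transfer-client@1.8.2"},
        {"name": "xml-parse", "version": "0.9.1",
         "bom-ref": "pkg:pypi/xml-parse@0.9.1"},
        {"name": "report-gen", "version": "4.0.0",
         "bom-ref": "pkg:pypi/report-gen@4.0.0"},
    ],
    "dependencies": [
        {"ref": "pkg:app/payroll-portal@2.3.0",
         "dependsOn": ["pkg:pypi/transfer-client@1.8.2", "pkg:pypi/report-gen@4.0.0"]},
        {"ref": "pkg:pypi/transfer-client@1.8.2", "dependsOn": ["pkg:pypi/xml-parse@0.9.1"]},
        {"ref": "pkg:pypi/report-gen@4.0.0", "dependsOn": []},
    ],
})

# Constructed advisory feed: package name -> advisories with the first fixed version.
# "ADV-PLACEHOLDER-*" stands in for a real advisory or CVE identifier.
SAMPLE_ADVISORIES = {
    "xml-parse": [{"id": "ADV-PLACEHOLDER-001", "fixed_in": "0.9.3"}],
    "report-gen": [{"id": "ADV-PLACEHOLDER-002", "fixed_in": "4.0.0"}],  # already fixed
}


def parse_version(version):
    """Turn a dotted numeric version into a tuple so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def load_sbom(text):
    """Parse the SBOM and reject documents that are not CycloneDX."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def find_affected(bom, advisories):
    """Return components whose version is below an advisory's fixed version."""
    affected = []
    for comp in bom.get("components", []):
        for adv in advisories.get(comp["name"], []):
            # A component at exactly the fixed version is not affected.
            if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                affected.append({"ref": comp["bom-ref"], "name": comp["name"],
                                 "version": comp["version"],
                                 "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return affected


def dependency_paths(bom, target_ref):
    """All paths from the root application to target_ref through the dependency graph."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    root = bom["metadata"]["component"]["bom-ref"]
    paths = []

    def walk(node, path):
        if node == target_ref:
            paths.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:  # guard against cyclic dependency declarations
                walk(child, path + [child])

    walk(root, [root])
    return paths


def report(sbom_text=SAMPLE_SBOM_JSON, advisories=SAMPLE_ADVISORIES):
    """Combine the advisory match with the paths showing who pulls the component in."""
    bom = load_sbom(sbom_text)
    findings = find_affected(bom, advisories)
    for finding in findings:
        finding["paths"] = dependency_paths(bom, finding["ref"])
    return findings


if __name__ == "__main__":
    for finding in report():
        print(f"{finding['name']} {finding['version']} affected by {finding['advisory']} "
              f"(fixed in {finding['fixed_in']})")
        for path in finding["paths"]:
            print("  via " + " -> ".join(path))
```

Run as a script, it reports that the transitive dependency xml-parse 0.9.1 is affected and shows that it arrives through transfer-client, while report-gen at exactly its fixed version is left alone. In a real program the advisory list would come from a vulnerability database and the SBOM from the supplier, and the dependency path is what tells you which supplier to raise the remediation request with.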
Supply chain security risks include both physical and cybersecurity risks. Physical risks include inventory theft, piracy, and terrorism caused by either external or insider threats. Cyber risks include data theft, the exposure of sensitive information such as intellectual property, company secrets, or personal information of users, and the disruption of services. Other cyber risks include ransomware attacks, supply chain fraud and other security breaches. Supply chain attacks also result in fines for non-compliance and are especially damaging in highly regulated industries such as finance and healthcare.