In response to a rise in supply chain attacks, the UK’s National Cyber Security Centre has released new guidance on supply chain security.
The guidance is designed to help medium and large organizations effectively evaluate the cyber risks associated with their suppliers, identify weaknesses, develop appropriate mitigation responses, and boost operational resilience.
Who do the NCSC’s guidelines apply to, what do businesses need to know about them, and how can they put the guidance into action? We cover these questions and more in this article.
What is the NCSC’s Supply Chain Security Guidance All About?
Although the guidance was published in collaboration with the Cross Market Operational Resilience Group (CMORG), which focuses on improving operational resilience in the financial sector, the advice is applicable to organizations in any industry.
The NCSC guidance is called “How to assess and gain confidence in your supply chain security”. It provides practical steps organizations can take to more accurately assess their cybersecurity posture in their supply chains. Specifically, it:
- Describes typical vendor relationships, as well as potential ways organizations become exposed to threats and attacks via these relationships and the supply chain
- Defines expected outcomes and concrete steps to help businesses identify gaps in their approach to securing their supply chain
- Answers common questions about supply chain security
- Supplements the NCSC’s 12 Supply Chain Principles of 2020
Thanks to the digital and interconnected nature of business today, the supply chain has become an attractive point of entry for cybercriminals, who use methods such as malware, social engineering and brute-force attacks to steal customer data and gain access to internal networks. In fact, two-thirds of breaches are attributed to vulnerabilities exploited within third parties.
Despite this trend, most companies are unprepared to protect their supply chains and have few defenses in place.
Recent UK government data shows that only 13% of businesses have processes in place for reviewing the cybersecurity risks posed by their immediate suppliers, while just 7% assess risk across their wider supply chain. Inadequate supply chain security can lead to a breach which, according to IBM, now costs a record average of $4.35 million.
This widespread unpreparedness, combined with rising threats to the supply chain, is what prompted the NCSC to release its latest guidance.
How Are the NCSC Guidance and Third-Party Security Connected?
Third-party security is integral to protecting the supply chain, and the entire organization at large.
All of an organization’s external vendors, including software and hardware suppliers, contractors and agencies, make up its supply chain. And, as we mentioned above, cybercriminals know that vendors providing a product or service to a larger enterprise are often less well defended than the enterprise itself. As the supply chain grows in size and connectivity, thanks to API integrations and the like, attackers are finding it easier to reach the target organization’s systems and data via its third-party vendors.
With the NCSC guidance, organizations can gain greater control over their supply chain attack surface by understanding how to identify and mitigate vulnerabilities within third-party suppliers.
How to Put the NCSC Guidance Into Action
Here are seven steps for putting the NCSC guidance into practice in your organization.
Step 1: Map your third-party vendors
The first step is identifying and mapping your organization’s most important assets (your “crown jewels”) and the third-party vendors that can access or affect them. Among other needs, you’ll want to create a security profile for each supplier based on that access, define minimum security requirements for each profile, and create a standard set of contractual clauses that cover a range of incident scenarios.
Step 2: Set security standards for your suppliers
Next, you’ll want to clearly define the security standards that each of your third-party vendors needs to adhere to. These should include internal security policies, such as mandatory security training for employees; security maintenance protocols for the product itself; and standards for managing the vendors’ own third-party risk (i.e., your fourth parties).
Step 3: Ensure vendor contracts align with your security standards
Outlining security standards in your third-party contracts allows you to enforce compliance with these standards as a condition of doing business. This, in turn, gives suppliers extra motivation to ensure they are fulfilling their obligations. Additionally, you’ll want to build contracts that support your right to audit vendors with questionnaires, and require them to do the same with their third parties.
With Panorays’ automated, easy-to-customize security questionnaires, you can easily verify that suppliers in your supply chain are in alignment with your company’s security policies, regulations and risk appetite — something a simple security ratings service cannot do.
Step 4: Assess your security processes and vendor risk
Next, assess your third-party risk. Start by analyzing your current approach to cybersecurity risk management: your organization’s processes for evaluating risk, its key security stakeholders and any existing gaps. This gives you a picture of your ability to identify and address risk accurately. From there, assess the risk within your existing vendor relationships and contracts.
Panorays transforms this otherwise complex process into a simple and efficient one. It evaluates both your cyber risk and the suppliers in your supply chain by performing automated attack surface assessments that identify critical assets and their cyber risk — enabling you to prioritize how you address them.
Step 5: Remediate vulnerabilities
After assessing third-party risk, you should begin working with vendors to remediate the vulnerabilities that are brought to light. This is essential to minimizing supply chain risk and improving your risk posture.
Panorays continuously monitors your third parties and alerts you to any security changes or newly identified vulnerabilities. When this occurs, the platform automatically prioritizes vulnerabilities according to the vendor’s business criticality and the severity of the risk, so you can focus on mitigating the most critical threats.
Step 6: Focus on continuous improvement
Maintaining a strong and collaborative relationship with your vendors is the key to continuous improvement. Routine communication helps both sides stay aware of evolving threats, stay up to date on security processes and meet high security requirements.
Step 7: Build trust with your vendors
Trust is an essential aspect of supply chain security. With open communication and increased transparency, trust will develop naturally. With Panorays, all communication and information related to vendor security risk management is centralized in one platform, which facilitates easier sharing, transparency and collaboration between your company and its suppliers.
How Panorays Can Help
Risk assessments can be arduous and time-consuming, especially when dealing with tens, hundreds or even thousands of vendors. The Panorays platform allows you to define your third-party security policies, and assess, mitigate and manage supplier risk against those policies, with the click of a button.
Panorays makes the assessment process efficient and simple. It allows you to prioritize risk based on vendor criticality, sensitivity of data shared and threat severity, while providing expert-approved remediation guidance. It also continuously monitors and reviews your suppliers, sending you live alerts about any security changes or breaches to your third parties.
Want to learn more about how your organization can achieve cyber resilience with Panorays? Learn more.