NZ Incident Response Bulletin – September 2023

Our Views:

Cyber risks associated with the supply chain

Information technology product and service suppliers are essential to the smooth operation of most organisations in New Zealand today. However, service providers are also often the unknown piece of the security puzzle when it comes to protecting your organisation and its critical data and resources from cyber incidents. Visibility into the security measures and practices across the development, delivery and operational lifecycles of many service providers is often low. This is changing as more attention is paid to potential vulnerabilities in the supply chain, driven by targeted attacks in this area. The IT supply chain may be exploited through hardware, software or service providers, and these risks can arise for various reasons, for example:

  • Suppliers may not adequately protect their own systems, leading to vulnerabilities that can be exploited to the detriment of their customers. This can occur due to financial pressures, unskilled resources, or sheer negligence and mismanagement.
  • Suppliers may have a malicious employee acting on the inside to cause harm to them and, either intentionally or as a byproduct, harm to their customers.
  • Suppliers may act purely in their own interests, for example by failing to upgrade or update systems, by stealing or sharing intellectual property, or by leaving a customer open to attack.
  • Organisations may not clearly articulate their security requirements or disclose the criticality of their data or systems, so a supplier may fail to notify them of relevant threats.
  • Shadow IT procurement may introduce products or services into your business that have not gone through adequate due diligence.

Managing supply chain risks involves challenges. Many suppliers may contribute to the production, supply and service of a single product, making transparency almost impossible to achieve. Determining the likelihood and possible severity of these risks is also challenging, as many risks involve actions that are hard to predict, such as contractor turnover at any one vendor. Additionally, some suppliers may restrict visibility into their operations to protect proprietary products or processes.

Despite rising supply chain incidents, there is currently a distinct lack of robust processes to manage these risks globally, even as the world becomes ever more interconnected. IT supply chains are inherently difficult to secure, which means you will always carry some element of unknown risk. However, many risks can be identified and managed through supply chain security and structured management.

All known risks should be catalogued and addressed through a process of Identification, Assessment, Mitigation and Monitoring. There are many reputable resources available to assist in applying a structured process, including the following:

To protect against unknown risks you must build strong, layered defences around your most critical assets. Additional steps, such as building awareness of the potential risks in the supply chain, understanding and being very transparent about your organisation’s risk appetite, and enabling employees to address risk promptly, should also be considered.

The NCSC suggests organisations consider how every supply chain could potentially contain a trojan horse, and we also believe that being aware of, and acting where possible to minimise, these growing risks is vital.

About the Bulletin:

The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.

To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line “Subscribe”, “Unsubscribe”, or, if you think there is something worth reporting, “Contribution”, along with the webpage or URL in the contents. Access our Privacy Policy.

This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.