The SolarWinds attack, disclosed in December 2020, was a wake-up call for businesses the world over. It laid bare how extensive the fallout from a single supply chain attack can be.
Russian state intelligence, having trojanised a SolarWinds Orion software update, used it to reach around 100 high-profile networks, including Microsoft's and those of US federal agencies such as NASA.
But there is a silver lining: the scale of last year's supply chain attacks raised awareness of the threat, sparking a year of intense investment in security improvements across the global tech industry.
Securing your business
Ryan Weeks, CISO at global managed service provider (MSP) Datto, has five main tips for securing your supply chain amid an age of mounting threats:
1. Discover and audit your IT, including unapproved shadow IT
You can’t protect what you can’t see. Before you can close gaps, you need to know what actually exists in your environment, including the tools and services staff have adopted without approval.
2. Keep an updated inventory of your vendors
Centrally managing your vendors has many advantages, only some of which relate to security and risk.
3. Understand the inherent risk relationship of your vendors
Develop some criteria to help your organisation understand which vendors are most important to you, and why. Scale assessments up or down based on the criticality of your vendor. Security resources are scarce as it is, so spend time with the vendors that matter.
4. Checklists are nice, but not every checklist fits the bill
Develop a process to evaluate what fits the vendor and your needs. Tailor your questions to the specific concern that vendor raises; targeted questions tend to yield better answers than a generic questionnaire.
5. Persist and persist some more
Managing vendors is a continuous process, not a one-time event.
According to Weeks, there is a greater degree of awareness within the global MSP and SME community since supply chain threats have come home to roost.
“The days of speculation are over and the notion that security considerations can stop at the perimeter has long vanished,” he says. “The community seems to know that these threats are here to stay, but there continues to be a lag in action.”
Weeks says it’s important to assess whether vendors are protecting the confidentiality, integrity, and availability of client data.
“Do you understand what gaps or risks these vendors are exposing you to? If you don't have a quick answer to all these questions, then chances are you are neglecting an essential component of your organisation’s cyber resilience strategy.”
Weeks has the following tips for engaging in conversation with your supply chain partners:
1. Ask them how they are protecting themselves
Even if you don't have the resources to fully assess your supply chain, you can gauge your exposure by holding your vendors to recognised industry standards.
Engage in dialogue to understand what they are doing to protect themselves. Make sure their security programme is moving in the right direction and that they are worried about the same things you are.
2. Set expectations around business continuity and disaster recovery
If they don't have a formalised plan you can review, ask the hard questions and demand answers. Catalogue their responses for your next review.
3. What have they done to check their own bias about their performance?
Your supply chain partners should be able to produce independent audits of their security performance, not just their own statements.