Recent incidents have again shown why organisations need to manage their providers and suppliers more closely. But what are the best tactics to ensure your providers meet your level of security, and how do you manage the weak links?
This is the first in a series of articles where during December we will look at key stories from 2024, where trends were affected and created, and where there was a direct impact on the practitioner.
For this first article, we'll look at the concept of supply chain, where major incidents affecting the likes of Blue Yonder and Synnovis provided serious headlines and learning points.
In the case of Synnovis, a number of NHS trusts in South East London saw their pathology services disrupted after the provider of lab services was hit by a ransomware attack in early June.
In that incident Synnovis itself was the organisation attacked, but the impact reached the NHS trusts through its connections into them, since the service depends on open network links between the two.
The attackers, generally acknowledged to be the Qilin group, demanded $50 million from Synnovis to bring the ransomware attack on the company to an end, then published around 400GB of data, including patient names, dates of birth, NHS numbers and descriptions of blood tests, the following day. In response, former NCSC head Ciaran Martin identified three critical issues facing NHS cybersecurity: outdated IT systems, the need to identify vulnerable points, and the importance of basic security practices.
Open network connections
Whilst they serve a purpose in allowing businesses to share information and intelligence, open network connections can also give an attacker an easy point of entry into one link of the ‘chain.’
Now it’s not the case that supply chain attacks, as we have come to call them, are especially new: the 2020 attack on SolarWinds (used to reach Microsoft 365 email accounts at U.S. government departments) and the 2011 hit on RSA Security (used to reach defence contractors) show how common this type of offensive effort is.
In the case of Synnovis, the company said it had “invested heavily in ensuring our IT arrangements are as safe as they possibly can be.”
SC UK contacted Synnovis for a comment on the situation, as its updates on the incident stopped in mid-September. A Synnovis spokesperson said: “For security reasons, and especially given the recent incident, we do not comment on the specifics of our IT systems or security protocols.
“We do continuously invest in the security of our IT estate and processes as well as the awareness of employees to protect our infrastructure and data.”
Constant Headache
As a result of these and various other incidents, supply chain security is a constant headache for practitioners unless prepared tactics are in place. According to data from BlueVoyant, 95 percent of surveyed UK organisations have experienced a negative impact from cybersecurity incidents in their supply chain, while 34 percent claim to have no way of knowing when a cybersecurity incident occurs within their supply chain.
In an email to SC UK, Joel Molinoff, global head of supply chain defence at BlueVoyant, recommends that those 34 percent first make sure they know all their suppliers, vendors, and third parties, especially those with network access or access to sensitive data.
“They should then set up a third-party cyber risk management program to monitor these vendors,” he says. “The most critical third parties should be monitored continuously.
“Additionally, organisations should focus on risk remediation capabilities. Internal teams can be overworked so having a trusted partner who can help reach out to vendors on their behalf can ensure that any third-party cyber issues are more effectively mitigated.”
So what are the ways to manage the sprawl of the supply chain: is it just keeping on top of who is connecting in, or is it more complex than that? Brian Honan, CEO of BH Consulting, says the approach his company takes is to rate suppliers on risk: if they access your employees’ personal data, classify them as high risk, and if the service they provide to your business is essential, that is also high risk.
“Then you need to start looking at assurances from that supplier that they are meeting our requirements for cybersecurity.”
Molinoff recommends knowledge and protection of third-party cyber connections to “absolutely be part of a risk management strategy.”
He says: “Once this groundwork is laid, they should monitor third parties regularly and have a dedicated practice in place to guide remediation of identified critical issues. We’ve seen with our clients that having this type of program in place significantly (and measurably) reduces operational and other risks and supports better compliance and reporting related to regulations and Board oversight.
“Organisations should also have a comprehensive plan with other key stakeholders, such as procurement, legal, and finance departments to make sure they understand that third parties make up part of the enterprise’s cyber security posture. This awareness will ensure readiness for a comprehensive third-party cyber risk management program.”
What about the management of the third-party suppliers in that chain: how do you ensure they have the same level of security that you do? Manoj Bhatt is an interim CISO and CEO of Cyber Hash, and he says that questionnaires are the most commonly used tool; if you work with 20 different suppliers, you need to send out 20 questionnaires, which can lead to “questionnaire fatigue.”
He explains that this is because each questionnaire is different, all are custom made “and they all ask very different questions as possible or in a slightly different way.”
Honan says the use of a questionnaire should be to gather supporting evidence and determine the compliance level of your supplier: whether they are compliant with ISO 27001 or Cyber Essentials, or even have cyber insurance. “Nowadays most cyber insurance companies will be rigorous in ensuring that any companies that they're going to cover have certain levels of security in place,” he says, and this can be crucial in an investigation and response process.
However, a business also needs an assurance mechanism for its software providers: the provider may publish assurances on its website, but you as a business need to monitor that software as part of the service.
“When we talk about the third party and talk about the sprawl, it's not just about a relationship,” Bhatt said. “It's about what those systems are, and how those systems are now talking to one another.”
Also, when working with a cloud service provider, it is your responsibility to make sure your use of that service is secure. Honan says: “So for example, if you're using Microsoft Office 365, yes Microsoft will say ‘our infrastructure is secure’ but it's up to you to deploy additional policies and configure your system to be secure.”
He says he has seen situations where businesses claim they are secure because they use AWS or Azure, which are certified to a certain standard, “but you don't inherit the security of the certification of your provider, you have to still provide us with assurance on top of that that you're doing it.”
DORA the Regulator
From 17 January 2025 the Digital Operational Resilience Act (DORA) applies, and as part of that regulation there are additional requirements that must be incorporated into the contractual arrangements between a financial entity and its ICT third-party service providers, with further provisions where the service supports critical or important functions.
This is a key factor in managing supply chain sprawl, as Bhatt says it requires that you know not only your third-party connections but your fourth-party ones too, the suppliers your suppliers rely on, and “if they're a critical supplier to you, you need to start to understand that flowdown.”
This has made supply chain management a business issue, and whilst the CISO will make decisions on which services to use and be responsible for auditing those suppliers, Honan says these are decisions that should be driven through the business.
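To make the two ideas above concrete, the risk rating Honan describes (personal data access or an essential service puts a supplier in the high tier) and the flowdown Bhatt describes (a critical supplier's own suppliers need to be understood too), here is an added example that is not code from the article or from any of the companies quoted. It keeps a small supplier register, walks each supplier's disclosed subcontractors to find fourth and fifth parties, propagates the tier down that chain, and flags subcontractors that have been disclosed but never onboarded into the register. The supplier names are constructed, and two modelling choices are assumptions rather than rules from the article: bare network access without personal data or an essential service is treated as "medium", and a subcontractor inherits the full tier of whatever depends on it.

```python
from dataclasses import dataclass, field

TIER_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Supplier:
    name: str
    handles_personal_data: bool = False   # e.g. employee or patient records
    essential_service: bool = False       # the business stops if this service stops
    network_access: bool = False          # VPN, API or site-to-site link into our estate
    subcontractors: list[str] = field(default_factory=list)  # this supplier's own suppliers


def own_tier(s: Supplier) -> str:
    """Rate a supplier on its own attributes.

    'high' for personal-data access or an essential service is the rule
    quoted in the article; treating bare network access as 'medium' is an
    assumption made in this example, not a rule from the article.
    """
    if s.handles_personal_data or s.essential_service:
        return "high"
    if s.network_access:
        return "medium"
    return "low"


def flowdown(register: dict[str, Supplier], root: str) -> set[str]:
    """Every party reachable from `root` through subcontractor links
    (fourth parties, fifth parties, ...). Iterative DFS with a visited set,
    so shared sub-suppliers and mutual dependencies cannot loop forever.
    Names that are not in the register are returned as well, so a blind
    spot in the register stays visible instead of silently disappearing."""
    seen: set[str] = set()
    stack = list(register[root].subcontractors)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        sup = register.get(name)
        if sup is not None:
            stack.extend(sup.subcontractors)
    return seen


def unregistered(register: dict[str, Supplier]) -> set[str]:
    """Subcontractors that suppliers have disclosed but that we have never
    onboarded: the parties we currently have no way of monitoring."""
    referenced = {sub for s in register.values() for sub in s.subcontractors}
    return referenced - set(register)


def effective_tiers(register: dict[str, Supplier]) -> dict[str, str]:
    """Propagate risk down the chain: a subcontractor inherits the highest
    tier of any registered supplier that depends on it (assumption: full
    inheritance, because an outage or breach there flows back up the chain).
    Because flowdown() is transitive, one pass over the roots is enough."""
    tiers = {name: own_tier(s) for name, s in register.items()}
    for name in register:
        for sub in flowdown(register, name):
            if sub in tiers and TIER_RANK[tiers[name]] > TIER_RANK[tiers[sub]]:
                tiers[sub] = tiers[name]
    return tiers


def continuous_monitoring_list(register: dict[str, Supplier]) -> list[str]:
    """The parties that end up in the 'high' tier once flowdown is applied,
    i.e. the ones the article's advice would put under continuous monitoring."""
    return sorted(n for n, t in effective_tiers(register).items() if t == "high")


def build_example_register() -> dict[str, Supplier]:
    """Constructed sample data; none of these are real companies."""
    suppliers = [
        Supplier("PathLabCo", handles_personal_data=True, essential_service=True,
                 network_access=True, subcontractors=["CloudHostX", "CourierApp"]),
        Supplier("PayrollSaaS", handles_personal_data=True, subcontractors=["CloudHostX"]),
        Supplier("CloudHostX", subcontractors=["DnsProvY"]),
        Supplier("DnsProvY", subcontractors=["CloudHostX"]),   # mutual dependency (cycle)
        Supplier("CourierApp", network_access=True, subcontractors=["UnknownSmsGateway"]),
        Supplier("CoffeeVendor"),
    ]
    return {s.name: s for s in suppliers}


if __name__ == "__main__":
    reg = build_example_register()
    for name, tier in sorted(effective_tiers(reg).items()):
        print(f"{name:14s} own={own_tier(reg[name]):6s} effective={tier}")
    print("fourth parties of PathLabCo:", sorted(flowdown(reg, "PathLabCo")))
    print("disclosed but not onboarded:", sorted(unregistered(reg)))
    print("monitor continuously:", continuous_monitoring_list(reg))
```

Run on the sample register, CloudHostX and DnsProvY rate "low" on their own attributes but end up "high" because the essential lab provider depends on them, and UnknownSmsGateway is reported as a party that has been disclosed but never onboarded. That last output is the practical answer to the "no way of knowing" problem quoted earlier: the register cannot monitor what it does not contain, so the gap is surfaced rather than hidden.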
“That means the CISO should be able to work with legal and procurement to make sure that any new service that has been procured or bought, that security is brought in to consult at the very beginning with it, or that there's a standard and formal guidelines that legal and procurement should follow,” Honan says.
“These days the CISO has to engage with the business and manage this as a business risk and get buy-in from the other areas.”
Weakest Link
As for what to do when things go wrong and there is an identified weak link, Honan says this is where the risk register comes into play, as you can determine what information they have access to and what guardrails you have put, or can put, in place.
If you need to cut the provider off from your network, Honan says you can either wait for the contract to come up for renewal and look for a separate provider in the meantime, or include a ‘get out clause’ in the contract that applies if they don't meet your security requirements.
“The worst case scenario is you migrate now to another provider and not wait until the contract is renewed,” he says.
However, he says there is also an opportunity to help that provider with their security posture and recovery. Bhatt agrees, saying he is seeing more and more organisations supporting third parties in their security; he has seen providers with no crisis management capability, and has recommended a partner they could use.
“So by me giving them a bit of advice and support means that they are getting better and it means that actually I'm better protected as part of that supply chain,” Bhatt said. “So I think we have a shared responsibility model that is definitely being more instigated than it had been before because I think before it was very ‘us and them’ and now we're seeing more of a joint responsibility model around cybersecurity.”
This is a tricky situation, as it calls for serious vetting of your providers, who are likely doing the same to you. Can you confirm your level of security and compliance, and demonstrate it? If so, you can avoid being the weak link in the chain, and also ensure your partners do their best on security for you too.
Written by Dan Raywood, Senior Editor, SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.