
#Infosec24: Identify and Work With Suppliers to Avoid Supply Chain Pitfalls

Supply chain issues are common due to cost cutting and a lack of due diligence.

Speaking on supply chain issues at Infosecurity Europe in London, Haydn Brooks, CEO of Risk Ledger, advised identifying who your third and fourth parties are and having conversations with them to encourage security along the chain.

Detailing a scenario in which a zero-day vulnerability is found in a file sharing platform that your suppliers use, and your data ends up on the dark web as a result, Brooks asked the audience who they would turn to.

He said: “Procurement? Has anyone experienced the fact that procurement don't have a contract with the supplier and have no idea what they do for the organization? Your threat intel team? Do you think they know the context of the breach and why it's happened or what that supplier does for you? Finally, your third party risk management team? All they have is a spreadsheet from nine months ago in a SharePoint saying what the supplier's security should have looked like.”

He said this is common when talking to prospects: often they don't know who their suppliers are, or have not done a risk assessment against them.

Why More Issues?

In a week when supply chain issues were brought to the surface again, with the Snowflake and Synnovis incidents in mind, Brooks said supply chain risk has risen quite steadily over the last few years as organizations outsource more and become more comfortable handing more parts of their business to suppliers.

“It's not just your third parties, so when you go to a supplier, they are even then outsourcing stuff to their own third parties, which become your fourth parties,” he said. When he asked the audience whether anyone had a list of the fourth parties their third parties work with, the answer was a resounding no, and the same went for visibility of any risks that may exist there.

Brooks said there are three types of suppliers:

* Where you transfer data, a confidentiality risk
* Where you integrate your systems with, a trust risk, where someone can abuse trust to get into your own systems
* Where you rely on the supplier to deliver something critical, an availability risk.

“Those three different suppliers require a slightly different type of risk assessment, because essentially you've got a slightly different set of controls for each,” Brooks said.

Globalisation

He said that supply chain has become so complicated because of globalization. “A lot of security budgets are being tightened, a lot of business budgets are being tightened, and the way that businesses tend to deal with that is by looking for suppliers to outsource things to,” he said.

He said this has led to a “massive increase in the attack surface” in people's supply chains, and that the impact of cost-cutting travels down the supply chain and gets bigger the further down you go, typically because profit margins also decrease.

In terms of a solution, Brooks used the analogy of a parachute formation, where you concentrate on the person below you rather than the one above, who you cannot see. Visibility of security should filter down through the different tiers of the chain in the same way, “and then give you some data on the risks that are further down the supply chain.”

He also suggested asking your third parties who their suppliers are, and mapping these together to find the common points across the network. He recommended working with other companies that use the same supplier, and using the combined commercial leverage to ensure standards are improved.
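As a worked illustration of the mapping Brooks describes, the following is an added example, not code from the talk or from Risk Ledger. It takes a small constructed supplier register (all names hypothetical), tags each relationship with the three risk types from his list (data transfer, system integration, critical dependency), then finds the common fourth parties that several of your third parties lead to, and works out which of your third parties are exposed when a given fourth party is breached. The rule that a risk type only propagates if it is present on every hop of the path is a simplifying assumption of this example.

```python
from collections import defaultdict

# Relationship types from the talk: data you transfer (confidentiality),
# systems you integrate (trust), and suppliers you rely on (availability).
DATA, INTEGRATION, CRITICAL = "data", "integration", "critical"

# Constructed sample register with hypothetical supplier names.
# REGISTER[org] maps each supplier org depends on to the relationship types.
# "us" is our own organization; its entries are our third parties, and their
# entries are our fourth parties.
REGISTER = {
    "us": {
        "payroll-vendor": {DATA, CRITICAL},
        "crm-vendor": {DATA, INTEGRATION},
        "analytics-vendor": {DATA},
        "lab-partner": {DATA, CRITICAL},
    },
    "payroll-vendor": {"cloud-host-a": {DATA, CRITICAL}, "file-share-x": {DATA}},
    "crm-vendor": {"cloud-host-a": {DATA, CRITICAL}, "file-share-x": {DATA}},
    "analytics-vendor": {"cloud-host-b": {DATA, CRITICAL}, "file-share-x": {DATA}},
    "lab-partner": {"cloud-host-a": {CRITICAL}, "courier-z": {CRITICAL}},
}


def reachable(register, start):
    """Every supplier reachable from `start` (its suppliers, theirs, ...)."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for nxt in register.get(node, {}):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def concentration_points(register, root="us"):
    """Suppliers further down the chain, ranked by how many of root's third
    parties lead to them. Rows are (count, supplier, [third parties])."""
    dependents = defaultdict(set)
    for third in register.get(root, {}):
        for node in reachable(register, third):
            if node not in (root, third):
                dependents[node].add(third)
    rows = [(len(t), node, sorted(t)) for node, t in dependents.items()]
    return sorted(rows, key=lambda r: (-r[0], r[1]))


def exposure(register, breached, root="us"):
    """Third parties of root through which `breached` is reachable, with the
    risk types root inherits. Assumption (this example's rule): a type only
    propagates if it is present on every hop, e.g. data we gave T that T
    then gave the breached party."""
    results = {}

    def walk(node, carried, path):
        for nxt, edge_types in register.get(node, {}).items():
            if nxt in path:
                continue  # tolerate cycles in a messy register
            types = carried & edge_types
            if nxt == breached:
                results[path[1]] = results.get(path[1], set()) | types
            elif types:
                walk(nxt, types, path + [nxt])

    for third, edge_types in register.get(root, {}).items():
        walk(third, set(edge_types), [root, third])
    return {third: sorted(types) for third, types in results.items()}


if __name__ == "__main__":
    for count, supplier, thirds in concentration_points(REGISTER):
        print(f"{supplier}: relied on via {count} third parties {thirds}")
    for breached in ("file-share-x", "cloud-host-a"):
        print(breached, "breached ->", exposure(REGISTER, breached))
```

In the sample register both cloud-host-a and file-share-x sit behind three of the four third parties, which is the kind of common point the mapping is meant to surface; a breach of file-share-x shows up as a confidentiality exposure through three vendors, while a breach of cloud-host-a is an availability problem for lab-partner and a data-plus-availability problem for payroll-vendor.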

Asked by SC UK what businesses should be doing now to stop these types of problems, Brooks said the biggest problem he sees when talking to companies isn't even their third party risk management process; it tends to be that procurement don't have a central list of suppliers. The data procurement holds tends to be quite dirty, “and it's very hard for security to actually secure something without knowing what we should be securing!”

He recommended first building a relationship with procurement and making sure there is a clean data set, then having a conversation with the supplier, knowing how to advise them and what security protections you need them to have in place, “and factor that into commercial decisions and commercial discussions” rather than cancelling contracts if they don't have security in place.

Dan Raywood
Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
