As I write this article, supply chains are hitting the headlines. Retailers are warning there could be a shortage of toys at Christmas, McDonalds ran out of milkshakes and Nando’s were forced to close restaurants, because their supply chain was, and I quote, “having a bit of a ‘mare”. These are the more trivial headlines, but things could be serious and everyone from car manufacturers to building merchants, the NHS to food producers, are talking about supply chain issues.
Whether these supply chain issues are because of Brexit, COVID, increasing demand, staffing levels or a combination of things is up for debate and it’s yet to be seen whether many will play out. But, whatever the cause, or whatever the outcome, these scenarios clearly demonstrate the effects supply chain disruption can have from an economic and business standpoint, as well as on a personal level.
Physical supply chains are the focus of these headlines and the threat of empty supermarket shelves, as well as raising prices, is always going to hit the news. But, for organisations, supply chains aren’t just physical, they can also be digital. Many, if not most, of today’s organisations rely on digital products and software suppliers to ensure day-to-day operations, and if that supply chain was disrupted, for any reason, then organisations, and ultimately consumers, could see similar negative effects.
An example of this occurred in June this year, when a ‘bug’ within the software of the content delivery provider (CDN), Fastly, was triggered by a customer. The flaw ultimately took down 85% of the company’s network and caused outages for many of its well-known customers, such as BBC News, Spotify, Amazon and the Gov.uk website. The outage lasted for just under an hour and, for many, it wasn’t too serious, but for those reliant on website traffic and online orders – for example, Amazon – the outage could have cost the company $32m in sales, according to one calculation. This just shows the business impact when part of your digital infrastructure, supplied by a third-party, is disrupted.
Companies will obviously want to mitigate against disruptions, such as the one above, by having contingency plans in place, but technology issues aren’t the only consideration organisations need to be making when looking at their digital supply chain: they also need to look at security.
Digital supply chains can be seen as an easy target for malicious threats and, in some cases, they can provide the most effective route into an organisation, especially those with robust security measures in place. Why spend time trying to breach an organisation with tough security measures when you can target a smaller, less security mature company within their supply chain and look for a way to move between them? It can be as easy as that.
Take the example of Target, the US retailer. In 2013, attackers managed to access Target’s point of sale (POS) systems, gaining access to 40 million payment card credentials and 70 million customer records. But Target wasn’t the original target, so to speak; it was a heating, ventilation and air conditioning supplier, which used Target’s vendor portal to monitor stores.
With access to the portal, attackers were able to move across Target’s network and ultimately access the POS systems. That’s not the only example. The British Airways breach, which affected around 400,000 customers, was achieved through a breach of a payment software provider, not the company itself.
For me, one of the most interesting examples of a digital supply chain attack was the recent SolarWinds breach. This breach wasn’t simply about criminals stealing credit card details, but a sophisticated, potentially state-sponsored attack, which used compromised SolarWinds software to successfully gain access to, and spy on, their customers – mainly US government agencies and high-profile Fortune 500 companies.
Whether the threat is from criminal enterprise, nation state operations or hacktivists, these examples clearly show the potential consequences of supply chain attacks and even, if you think you’re not a target, someone in your supply chain just might be. Security, throughout the supply chain, should be everyone’s responsibility, but how do you go about making your supply chain more secure?
Get your own security in order
Supply chain security improvement needs to start within your own company and you’ll want to ensure, as much as possible, that supply chains attacks aren’t going to be able to affect your business, its operation, sensitive data or be able to utilise your company to target others within your supply chain.
Simple measures can make a big impact and measures such as network segregation, robust privilege levels and monitoring tools can help you detect potential breaches, restrict access to sensitive information and reduce the chances of a malicious threat being able to move from a compromised network onto your main company networks. Every organisation will be different, of course, and security measures should be tailored to the real-world risks faced. That’s why scenario and risk analysis planning can be useful to undertake, helping you uncover the potential risks of a supply chain attack and to ensure effective measures are put in place to mitigate against the most likely scenarios.
Undertaking this improvement work isn’t just good from a security standpoint, however; it’s also good from a business aspect. GDPR compliance, as well as potentially hefty fines, has forced organisations to become more security conscious and customers, both inside and outside the supply chain, are now requiring robust security assurances before they commit to working with a company. So, by having the good security practices in place and being able to provide evidence of security testing or compliance, it can make your life much easier when it comes to winning business.
Seek security assurances from your suppliers
Just as customers will be asking for security assurances from you, you should be asking for security assurances from your suppliers. Have they had an independent security audit? Do they have evidence of infrastructure and application security testing? Are they working towards ISO 27001 standards or have certification? Does the company have Cyber Essentials?
The assurances needed will obviously depend on the nature of the relationship, the information and services that are being procured and the potential risks involved. Some relationships will require a light touch, in terms of security assurance, but some may require rigorous standards. It’s up to every company to define what level of security they want from their suppliers and to ensure these are in place, before committing to working with them.
Originally published in Computing Security Magazine.