Supply chain management: why you need to close your security gaps

The National Cyber Security Centre (NCSC) has highlighted supply chain management as one of its 10 Steps to Cyber Security after recent high-profile breaches brought the issue into discussion. As a result, there’s more guidance and support available, and more importance being placed on supply chain security. Our Governance, Risk, and Compliance Business Development Manager, Louis Coates, shares why supply chain security management is a crucial part of any organisation’s cyber security strategy.

In recent years, several high-profile organisations have been breached as a result of compromised software in their supply chains, including the NHS’s 111 service, Microsoft, The US Treasury, Homeland Security, and other US federal agencies. This shows that regardless of industry or organisation size, and the cyber security controls you have deployed internally, if you’re not managing security gaps within your supply chain, you aren’t fully protected.

The UK government’s Cyber Security Breaches Survey found that only 13% of businesses review security risks posed by their immediate suppliers, and only 7% review the wider supply chain. These figures are concerning because supply chain attacks tend to bypass the perimeter and other security controls that stop targeted attacks arriving directly over the internet: the supplier relationship gives the attacker a direct route into the organisation. Organisations need controls that manage this route, so that cyber criminals cannot reach your systems and networks through a supplier whose cyber security controls aren’t as robust as yours or who doesn’t have the right strategy in place.

In many cases organisations can’t even be sure that a contractor using a provisioned account is who they say they are. Shared accounts for contractors supporting services are common and often there aren’t safeguards in place to ensure that sufficient technical and management controls are established across the supplier’s infrastructure. This lack of visibility over who and what is coming in and out of your network results in high levels of risk, and this gives threat actors a powerful attack surface, rendering costly security solutions and perimeter defences useless. You can spend an unlimited amount of budget on firewalls and technologies that will defend your organisation, but if you don’t review the cyber security controls of suppliers providing services into your network, you leave yourself open to cyber threats you thought you were protected against.

How do I close the gaps in my organisation’s supply chain security?

It is vitally important that organisations apply rigorous security controls, not only to their own environment, but also to their supply chain’s environment, to ensure that the same level of security exists throughout and to prevent potentially dangerous gaps in security barriers.

The NCSC continues to respond rapidly to the ever-evolving threat landscape and has recently published guidance on how to approach supply chain management with both new and existing relationships, and how to continually improve your processes.

NCSC supply chain management advice

Informed by the 12 principles of supply chain security, the NCSC recommends taking the following steps to protect your organisation from supply chain threats:

  • Ensure there are no shared third-party accounts
  • Establish a robust access policy where access to resources and rights are granted with the principle of least privilege and only for as long as necessary
  • Review what privileges and access arrangements are currently in place, removing rights and permissions that are not necessary
  • Request proof of compliance with IT security standards that your organisation adheres to, such as Cyber Essentials Plus or ISO27001
  • Put data loss prevention (DLP) mechanisms in place to ensure that data exfiltration by a supplier is detected, alerted on, and prevented
  • Review contractual arrangements that are in place to ensure the confidentiality, integrity, and availability of any data that you are responsible for

Get support managing supply chain security today

Our governance, risk, and compliance (GRC) specialists are available to help your organisation identify where your biggest cyber security risks are and support you to close any supply chain security gaps that do exist.

Contact our GRC team for more information
Jonathan Scott

Jonny entered the world of IT at the age of 17. After working in corporate sales for three years, he moved to a more strategic role at Phoenix within the business development team managing bids and vendor relationships. After building up the skills and knowledge to understand the relevant technologies that fit different sectors, Jonny became the Vendor Alliance Manager at Phoenix. Jonny and his team manage a portfolio of over 650 vendors.
