Since the SolarWinds supply chain attack, attention has increased on how companies of all sizes ensure the security of their suppliers. Businesses large and small alike have been victims of supply chain attacks. Even the US Treasury Department and the Department of Homeland Security, with all their government and financial resources, were themselves affected by the SolarWinds attack and had to remediate it.
The reality is that supply chain attacks are not going away. In the first quarter of 2021, 137 companies reported supply chain attacks at 27 different third-party vendors, while the number of supply chain attacks increased 42% from the previous quarter.
This raises the question: how can companies minimize the risk from the increasing threat of supply chain attacks?
10 best practices for assessing supplier risk
While there are no guarantees that a company can detect a supply chain attack before it happens, there are 10 best practices a company can use to mitigate risk and validate the security of its supply chain.
1. Assess the impact any supplier can have on your business if the supplier’s IT infrastructure is compromised. A full risk assessment is preferable, but smaller businesses may not have the resources to conduct one. At a minimum, analyze the worst-case scenarios and ask questions such as:
- How would a ransomware attack on this vendor’s systems affect my business?
- How would my company be affected if the supplier’s source code were compromised by a Trojan horse?
- How would my business be affected if the supplier’s databases were compromised and data stolen?
2. Assess each supplier’s internal IT resources and skills. Does the supplier have a dedicated cybersecurity team led by a security manager or a CISO? It is important to identify the supplier’s security leadership, since they are the ones who can answer your questions. If no such team exists, or it is poorly staffed and lacks real leadership, reconsider working with this supplier.
3. Meet with the supplier’s security manager or CISO to find out how they are protecting their systems and data. This can be a short meeting, a phone call, or even an email conversation, depending on the risks identified in step 1.
4. Obtain evidence to verify what the supplier claims. Penetration test reports are a useful way to do this. Make sure the scope of the test is appropriate and, whenever possible, request the reports of two consecutive tests to verify that the supplier is acting on the findings.
5. If your supplier is a software provider, ask for an independent review of the source code. In some cases the supplier may require an NDA before sharing the full report, or may choose not to share it at all. In that case, ask for a summary.
6. If your supplier is a cloud provider, you can scan the supplier’s networks, do a Shodan search, or ask the supplier to report on their own scans. If you plan to scan yourself, get approval from the supplier first and ask them to separate customer address ranges from their own so that you don’t scan systems that are not theirs.
7. If the supplier is a software or cloud provider, find out whether it runs a bug bounty program. Such programs help a company find and fix vulnerabilities before attackers can exploit them.
8. Ask your suppliers how they prioritize their risks. For example, the Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of security vulnerabilities in computer systems; it assigns severity ratings so that the supplier can prioritize its risk responses.
9. Obtain patch reports from the supplier. Having such a report at all shows a commitment to security and vulnerability management. If possible, obtain a report that has been independently produced.
10. Repeat steps 1 through 9 annually, adjusting the frequency to the risk and impact on your company. A low-impact supplier may be assessed less often. For a supplier that is critical to the company’s success and poses a high risk, the company may want to establish a continuous evaluation process. Be aware, however, that large SaaS and IaaS vendors may not be willing to participate in ongoing evaluations.
Final thoughts
By following these recommended best practices, a company can identify the risks associated with a particular supplier, understand how the supplier is handling those risks, and gather evidence of how the supplier is mitigating them. Based on this evidence and its own risk appetite, a company can make an informed decision about partnering with the supplier. Finally, when conducting these assessments, look for consistency and watch for risks that change over time.
Remember, there are no guarantees that anyone can stop a supply chain attack, but by protecting your own environment with next-generation anti-malware protection, providing ongoing cybersecurity training to your users, and following these best practices, it is possible to mitigate the risk to your organization.
source https://collegeeducationnewsllc.com/how-can-a-business-ensure-the-security-of-their-supply-chain/