Most involve the supply of software and digital services, or at least are reliant in some way on online interactions.
SMBs in particular may not proactively be looking, or have the resources, to manage security in their supply chains.
Blindly trusting your partners and suppliers on their cybersecurity posture is not sustainable in the current climate.
It's time to get serious about managing supply chain risk.
Supply chain cyber risks could take many forms, from ransomware and data theft to denial of service and fraud.
They may impact traditional suppliers such as professional services firms, or vendors of business software.
Attacks on open-source supply chains: Most developers use open source components to accelerate time to market for their software projects.
Impersonating suppliers for fraud: Sophisticated attacks known as business email compromise sometimes involve fraudsters impersonating suppliers in order to trick a client into wiring them money.
Credential theft: Attackers steal the logins of suppliers in an attempt to breach either the supplier or their clients.
Data theft: Many suppliers store sensitive data on their clients, especially companies like law firms that are privy to intimate corporate secrets.
Whatever the specific supply chain risk type, the end result could be the same: financial and reputational damage and the risk of lawsuits, operational outages, lost sales and angry customers.
For software suppliers, this assessment should also extend to whether they have a vulnerability management program in place and what their reputation is regarding the quality of their products.
Keep a list of all your approved suppliers and update this regularly according to the results of your auditing.
Regular auditing and updating of the supplier list will enable organizations to conduct thorough risk assessments, identifying potential vulnerabilities and ensuring that suppliers adhere to cybersecurity standards.
This should outline your requirements for mitigating supplier risk, including any SLAs that must be met.
It serves as a foundational document outlining expectations, standards, and procedures that suppliers must adhere to in order to ensure the security of the overall supply chain.
Enforce the principle of least privilege for suppliers if they require access to the corporate network.
ISO 27001 and ISO 28000 offer useful guidance on achieving several of the steps listed above in order to minimize supplier risk.
In the US last year, there were 40% more supply chain attacks than malware-based attacks, according to one report.
It's time to take back control through more effective supplier risk management.
This Cyber News was published on www.welivesecurity.com. Publication date: Fri, 26 Jan 2024 22:13:05 +0000