Thursday 3rd October 2024
Events of recent years, such as the SolarWinds attack, have brought to prominence the importance of the security integrity of our supply chain. It’s time we start taking a more vested interest in the security maturity of those we choose to partner with, so attackers can’t exploit the weakest link in the (supply) chain! But that’s not all there is to it. When we think about risk with suppliers and third parties, we should also consider those partners that need access to our systems and how we can go about providing that access securely.
In this blog, we’ll explore both angles, what they mean for your cyber security strategy, and how you can effectively work with your supplier partners for their own benefit and yours.
Supply chain risk can be perceived as a problem too far removed from our control to be our concern. Of course, this is not the case, and the industry as a whole is becoming more switched on to that fact.
To highlight the gravity of the issue, we will use an example of a car manufacturer. This manufacturer is a global name with a healthy cyber security budget (though probably still not enough, right?!). They feel their defences are well shored up. Their suppliers can’t say the same. They are smaller outfits with less to spend on cyber security and, due to a breach, they cannot make the paint required to finish the car manufacturer’s vehicles. A 48-hour suspension of production has a knock-on impact on the car manufacturer, leading to missed deadlines, lost revenue, and a non-stop production line ground to a halt.
In addition to the above (perhaps extreme) example, we should also consider those same partners or suppliers if they need access to our internal systems. Service providers are a good example of this type of partner, and it is important that we can closely monitor and assess these external users for risk or compromise. The challenge here is in capturing visibility of these types of users, brokering the right level of access, and staying on top of revoking access once it is no longer required.
These two different types of challenges require two different approaches to cyber security strategy. However, it is worth considering them in tandem to interweave their capabilities and provide holistically robust layers of defence.
We are going to be looking at how, in raising the security posture of our suppliers, we can impact the overall security posture of our industry, and therefore of our own organisation. A quick win in this space is making use of automated security questionnaires. These help your suppliers answer your questions in an automated fashion, rather than by hand. If you consider using such tools internally as well, they will save you a lot of time in getting onboarded as a supplier to your own customers or partners. Automated security questionnaire tools are here to streamline the process as much as possible.
Another area to consider with the supply chain is continuous risk monitoring. As the name suggests, we’re looking at more than just a point-in-time check of the security scoring of ourselves or our supply chain. Instead, we’re looking to make this a consistent, ongoing process of assessing the weaknesses in a party’s security posture. By capturing information on the areas of our suppliers’ security posture that require improvement, and highlighting these to them, we can considerably elevate the partnership and the value that each side gains.
Third parties (suppliers, contractors, partners, etc.) that require access to our systems have historically been managed badly. We don’t want them mixed in with our internal users in our Active Directory. We also don’t want manual processes for getting them onboarded and, perhaps more importantly, offboarded once their job is done and their time is up.
PAM (privileged access management) tooling is best placed here to broker access for these types of users into the systems they need to carry out the tasks they’re here to do. By routing them through this mode of access, you’re naturally going to gain a range of security benefits.
Another key benefit of PAM tooling for these types of users is around just-in-time (JIT) provisioning, which completely mitigates the risk of standing privileges.
More automation + less human intervention = greater security posture + less human error.
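To make the JIT point concrete, here is an added example (not Bytes’ code, and not tied to any particular PAM product) of a minimal access broker for third-party identities: every grant is time-boxed at creation, access is evaluated against the expiry at use time, and an automated sweep revokes expired grants so no standing privilege survives the engagement. The user, target and clock values are constructed for the demonstration.

```python
"""Added example: a minimal just-in-time (JIT) access broker for third-party
identities.  Access only ever exists as a time-boxed grant, so offboarding
happens automatically when the grant expires.  All names and times are
constructed; a real broker would use a wall clock and a PAM backend."""
from dataclasses import dataclass, field


@dataclass
class Grant:
    user: str          # third-party identity, kept outside the internal directory
    target: str        # system the supplier is allowed to reach
    expires_at: int    # constructed epoch seconds
    approver: str      # who approved the request (for the audit trail)


@dataclass
class JitBroker:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def request(self, user, target, approver, now, ttl_s):
        # Every grant is bounded in time at creation; there is no permanent path.
        g = Grant(user, target, now + ttl_s, approver)
        self.grants.append(g)
        self.audit.append(("GRANT", user, target, g.expires_at))
        return g

    def check_access(self, user, target, now):
        # Access is decided at use time against the expiry, not at onboarding.
        return any(g.user == user and g.target == target and now < g.expires_at
                   for g in self.grants)

    def sweep(self, now):
        # Automated offboarding: expired grants are revoked without a human ticket.
        expired = [g for g in self.grants if now >= g.expires_at]
        for g in expired:
            self.grants.remove(g)
            self.audit.append(("REVOKE", g.user, g.target, now))
        return len(expired)


def demo():
    broker = JitBroker()
    t0 = 1_700_000_000  # constructed start time
    broker.request("vendor-paint-co", "mes-db", "it-manager", now=t0, ttl_s=3600)
    during = broker.check_access("vendor-paint-co", "mes-db", now=t0 + 600)
    after = broker.check_access("vendor-paint-co", "mes-db", now=t0 + 7200)
    revoked = broker.sweep(now=t0 + 7200)
    return during, after, revoked, len(broker.grants)
```

The audit list doubles as the visibility the text calls for: every grant and revocation is recorded with its time, which is the record a reviewer would check when assessing a third party’s access.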
Bytes are primed and ready with teams of specialists to help tackle either side of this two-pronged approach to managing third parties and supply chain risk. We’re able to engage in workshops that will look to address the individual challenges you’re facing as an organisation in the realm of third party and supply chain risk.
Whether through workshops that seek to educate and strategise, or through technology reviews that help you gain maximum value from your existing investments, our team of expert specialists is perfectly positioned to build a long-term strategy with you for best securing your weakest link.
Our workshops are engagements fully funded by Bytes that aim to leave you with an action plan on improving your security posture, whether through a singular project, or touching on multiple areas of your security architecture. Please reach out if you’d like to understand more!
Special thank you to Adam McCaig for his contributions to this blog.
Thank you for reading.
If you have any questions, or would like to learn about any of the content covered in this blog, please email our friendly team via [email protected]