Supply chain as your biggest threat
08:00 Friday, 29 October 2021
UK Cyber Security Council
Supply chain security has come to greater prominence than ever in 2021. This is hardly surprising: alongside the “traditional” threats we see from the supply chain (primarily data protection issues, on the whole), this year has seen a number of highly prominent and disruptive attacks that have exploited supply chains: the ransomware attack on software supplier Kaseya, which hit the latter’s client base; the SolarWinds attack, which used infected downloadable elements to infect the vendor’s customers; and the Colonial Pipeline ransomware infection, which caused the company to shut down the pipeline serving its customers.
It is worth remembering that supply chain management is a big area with a wide variety of required skills. All large companies, and even many medium-sized businesses, have vendor management teams whose entire raison d'être is to look upstream, supplier-wise, and manage the relationships with the organisations that provide goods and services. And just as supply chain management is a discipline with its own peculiar skill-set, so supply chain security management is a tangible skill-set in its own right.
If anyone is reading this thinking “Supply chain security is the big thing now, so I’ve missed the boat”, nothing could be further from the truth. All that has happened is that a threat that has lurked under the radar for many, many years has now come out into the open via a quick-fire volley of well-publicised attacks during a period of unprecedented global disruption (and this correspondent first came across a supply-chain-originated hack in a client’s systems nearly 20 years ago). Yes, those with specific qualifications in supply chain security are presently more marketable than they used to be. But this marketability is not going away any time soon, and those with a penchant for supply chains but a lack of formal qualifications still have time to address the latter.
For those more into the compliance side of supply chain security, the ISO website is an important resource, specifically ISO 28000 – “Specification for security management systems for the supply chain”. The fact that ISO 28000 has been around since 2007 reiterates the point that supply chain security is most definitely not a new thing in 2021.
Why is supply chain security so hard? Simple: you have no real control over how your suppliers behave. Even if you have watertight contracts with clauses that cover remediation, compensation and the like, no amount of legalese will ever come close to defending your reputation against an inadvertent or deliberate transgression on the part of a supplier. Even if the contract obliges the supplier to provide recompense in the event of a breach or incident, by the time this happens the horse will have well and truly bolted.
As with all areas of security, one can never fully protect against supply chain attacks. The more suppliers you have, the harder the task of keeping track of security issues upstream in the supply chain. The task at hand is one of risk management, as in all other fields of security, but with a raft of additional skills to boot – organisation, communication, security assessment, probably even audit. Supply chain security management is about understanding the security profiles of suppliers at the take-on phase and regularly monitoring and reviewing them during the relationship, but it is easy to forget the other end of the relationship. It is equally important to deal with the security elements of off-boarding suppliers (removing inter-company connections, for example, disabling user logins, and ensuring that suppliers dispose of the data of yours that they hold according to the contract) and potentially even getting in touch some time after off-boarding is complete to ensure that the supplier has remembered any elements of the contract by which they remain bound even after you have parted company.
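The off-boarding controls listed in that paragraph (connections removed, logins disabled, data disposal confirmed within the contractual window, and a later check-in) are easy to state and easy to lose track of across many suppliers. The following is an added example, not code from the article or from the UK Cyber Security Council: a small Python check that takes a constructed off-boarding record per supplier and reports which actions are still outstanding on a given day and whether the post-off-boarding follow-up is due. The record fields, supplier names, connection and account identifiers and deadlines are all assumptions made up for the example.

```python
"""Supplier off-boarding check over a constructed inventory (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass
class SupplierOffboarding:
    """Hypothetical off-boarding record for one supplier; every field is an assumed name."""
    supplier: str
    offboarded_on: date                                         # day the relationship ended
    open_connections: List[str] = field(default_factory=list)   # VPN/API links still enabled
    enabled_logins: List[str] = field(default_factory=list)     # supplier user accounts still enabled
    disposal_window_days: int = 30                              # contractual window to dispose of our data
    disposal_attested: bool = False                             # supplier confirmed disposal in writing
    follow_up_after_days: int = 90                              # when to re-check the supplier honours the contract
    follow_up_done: bool = False


def outstanding_actions(rec: SupplierOffboarding, today: date) -> List[str]:
    """Return the off-boarding actions still open on `today`, highest risk first."""
    actions: List[str] = []
    # A live inter-company connection is the most dangerous leftover: a compromise
    # of the former supplier can still reach us through it, so it is listed first.
    for conn in rec.open_connections:
        actions.append(f"remove connection {conn}")
    for login in rec.enabled_logins:
        actions.append(f"disable login {login}")
    disposal_due = rec.offboarded_on + timedelta(days=rec.disposal_window_days)
    if not rec.disposal_attested:
        if today > disposal_due:
            actions.append(f"data disposal overdue since {disposal_due.isoformat()}; chase supplier")
        else:
            actions.append(f"data disposal attestation due by {disposal_due.isoformat()}")
    return actions


def follow_up_due(rec: SupplierOffboarding, today: date) -> bool:
    """True once the post-off-boarding check-in date has passed and it has not been done."""
    return (not rec.follow_up_done
            and today >= rec.offboarded_on + timedelta(days=rec.follow_up_after_days))


def report(records: List[SupplierOffboarding], today: date) -> Dict[str, Tuple[List[str], bool]]:
    """Map supplier name -> (outstanding actions, follow-up due?) for every record."""
    return {r.supplier: (outstanding_actions(r, today), follow_up_due(r, today)) for r in records}


# Constructed sample inventory: fictitious suppliers and identifiers.
SAMPLE = [
    SupplierOffboarding("Acme Logistics (sample)", date(2021, 9, 1),
                        open_connections=["vpn-acme-s2s"], enabled_logins=["svc_acme_ftp"],
                        disposal_window_days=30, disposal_attested=False),
    SupplierOffboarding("Beta Analytics (sample)", date(2021, 7, 15),
                        disposal_attested=True, follow_up_done=False),
]

if __name__ == "__main__":
    for supplier, (actions, due) in report(SAMPLE, date(2021, 10, 29)).items():
        print(supplier, "->", actions or ["nothing outstanding"], "| follow-up due:", due)
```

Run as-is it evaluates the sample on 29 October 2021: the first supplier still has a connection and a login to remove and an overdue disposal attestation, while the second is clean but has passed its 90-day follow-up date. The ordering inside `outstanding_actions` is deliberate: network and identity leftovers are fixable by you today, whereas data disposal depends on the supplier, so it sits last and turns into a chase once the contractual window lapses.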
Supply chain security management is a vast and fascinating area, and since it is part of the overall cyber security industry it is therefore also part of the well-known cyber security skills gap. But since it has only recently come to the surface as something companies need to care about, now is the time to shine for anyone with a combination of cyber and supply chain skills.