SolarWinds reads like a hacker's fantasy: compromise a little-known company and use it to quietly gain access to thousands of important customers around the world. Even better, no victim suspects anything, because SolarWinds is a trusted supplier and nobody is worried. Had the security company FireEye not detected the intrusion on its own network in December, this extraordinary incident might have gone unnoticed for years instead of months.
SolarWinds is not the only recent example of this phenomenon. In April of this year, a vulnerability in a developer tool produced by a company called Codecov could have allowed attackers to target hundreds of customers. Similarly, Accellion's File Transfer Appliance (FTA) product was targeted through multiple zero-day vulnerabilities, severely exposing the hundreds of customers still using it. What makes the latter particularly striking is that FTA is a 20-year-old product. It is a good example of how legacy supply chain technology that organizations believe they have left behind can come back to bite them many years later.
None of this is brand new. In 2011, the cryptographic IP behind RSA's highly regarded SecurID hardware authentication token was stolen, and after detecting attacks against its customers the company had to replace 40 million expensive tokens at considerable cost. Everyone thought RSA was an unlucky one-off, and we now know that everyone was wrong.
What is the supply chain?
The supply chain varies from industry to industry, but it can include not only technology providers but also any third party that has a trust relationship with the organization. Every organization, including SMEs, has such a list, usually outsourcers or business partners of some kind. The danger they pose is directly proportional to the amount of access they have to company systems, data and, in some cases, company premises.
From a cyber security perspective, the problem is that however well an organization protects its own infrastructure, it cannot be sure that its partners are doing the same. The security posture of a partner is usually taken on trust. In an era when technology, data sharing and outsourcing have become the basis for doing business, organizations cannot isolate themselves from the outside world.
Zero trust
Can this supply chain problem be solved? About 15 years ago, a group of inspired British CISOs in the Jericho Forum came up with an idea that eventually became what is now called "Zero Trust Security." You will find various overlapping definitions of what this means, but it can be reduced to a simple principle: assume the worst and trust no one. Over the past decade, the rapid growth of cybercrime has turned it from a collection of discussion papers read by a small group of thinkers into cybersecurity's equivalent of the Ten Commandments.
Supply chain security best practices
Zero trust principles and best practices can be applied to SME supply chain security in several ways.
Review your supply chain and break the supplier list down into categories based on each supplier's level of risk and its access to your company's network and data. This will include technology organizations (software, cloud, managed service providers, payment processors), professional services (legal, building security, etc.) and partners (component manufacturers, data partners).
Set out compliance requirements for each partner, such as requiring penetration test reports and notification of data breaches and GDPR violations. Cloud providers should be able to provide System and Organization Controls (SOC) reports against SOC 1, 2 or 3. You have a patching system, but does your supplier? If they don't, and your data is in their hands, your company is only as secure as they are.
Lock down the privileges granted to vendors and apply multi-factor authentication to any access they are given. Remember that credential theft is a major risk factor, and that includes the theft of third parties' credentials. Do the same for interfaces such as VPNs (which, by the way, are not completely reliable) and Remote Desktop Protocol (RDP), both of which are popular targets for ransomware attackers.
Beware of over-trusting the back doors into the software trust chain. As a recent report on software supply chain security by the US Cybersecurity and Infrastructure Security Agency (CISA) points out, these include hijacking updates, undermining code signing and compromising open source libraries. SMEs may not be aware that these dependencies exist or that they are part of the supply chain, but everyone is now exposed to this to some extent.
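As an added illustration (not code from this article or from CISA), the Python sketch below shows the basic control against the "hijacking updates" case: the digest of every approved update or library is pinned in a manifest kept out of band, and each delivery is checked against it, so a swapped artifact, an unpinned item taken on trust, or an unexpected extra file is flagged rather than installed. The artifact names and bytes are constructed sample data.

```python
import hashlib
from typing import Dict, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_artifacts(approved: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    """Record the SHA-256 of each artifact at approval time.

    The manifest must be stored separately from the download channel:
    an attacker who hijacks the update server can otherwise replace
    the pin together with the artifact and the check proves nothing."""
    return {name: sha256_hex(data) for name, data in approved.items()}


def verify_delivery(manifest: Dict[str, Optional[str]],
                    delivered: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every delivered artifact against the pinned manifest."""
    result: Dict[str, str] = {}
    for name, data in delivered.items():
        if name not in manifest:
            result[name] = "unknown"    # never approved: reject outright
        elif manifest[name] is None:
            result[name] = "unpinned"   # approved on trust alone: needs review
        elif sha256_hex(data) != manifest[name]:
            result[name] = "tampered"   # digest differs: possible hijacked update
        else:
            result[name] = "ok"
    for name in manifest:
        result.setdefault(name, "missing")  # expected but not delivered
    return result


# Constructed sample data: what was approved, and what the mirror served.
APPROVED = {
    "agent-update-2.4.1.bin": b"\x7fELF approved build bytes",
    "vendor-lib-1.0.3.tar.gz": b"approved library archive bytes",
}
MANIFEST = pin_artifacts(APPROVED)
MANIFEST["helper-plugin-0.9.whl"] = None  # allow-listed without a digest
DELIVERED = {
    "agent-update-2.4.1.bin": APPROVED["agent-update-2.4.1.bin"],
    "vendor-lib-1.0.3.tar.gz": b"approved library archive bytes\x00extra",
    "helper-plugin-0.9.whl": b"whatever the mirror served today",
    "new-tool-0.1.exe": b"unexpected binary nobody approved",
}


def run_check() -> Dict[str, str]:
    return verify_delivery(MANIFEST, DELIVERED)


if __name__ == "__main__":
    for name, status in sorted(run_check().items()):
        print(f"{status:9s} {name}")
```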
Take the need for regular penetration testing seriously. Tests are a great way to gain insight into vulnerabilities that may be lurking in hidden parts of the supply chain, or in suppliers whose security nobody has ever thought to assess.
Assume the attacker is already in your network, and look for them. Keep in mind that ransomware typically sits in a network for a week or more before it executes, which means that by the time the ransom note appears on a PC it may already be too late. The endpoint and other security products you use together should be configured on that basis. If you use a managed security service provider (MSSP), make sure they are not only able to detect attacks but also authorized to intervene when something happens.
In conclusion
Cybersecurity risk is becoming one of the most significant risks facing businesses today, and it is clear that most, if not all, organizations need a robust approach to security. But not all business risk is internal. As this article shows, much of it stems from supplier relationships.
It is important to reach an agreement with your supplier to address these security risks, and it is also important to ensure that they comply with the terms of any agreement.
If you want to explore options for improving your business's security, please contact us to speak with one of our consultants. We provide a range of services, from e-learning for your employees to network basics and ISO 27001 certification. Fill out this form or call us on 0800 404 7007. We are here to help you!