Navigating the Complexities of Supply Chain Information Security: Insights from ISMS. online’s State of Information Security Report

At the end of 2022, we were asked to list the top cyber trends we expected to see dominating the headlines in 2023, and we flagged the supply chain. And, boy, were we right to! The last three months have seen supply chain security under the spotlight and for all the wrong reasons.

In March, IT outsourcing giant Capita suffered a ransomware breach, impacting many government and private sector clients, including Royal Mail, Axa and USS, one of the UK’s largest pension funds. Whilst the UK Deputy Prime Minister, Oliver Dowden, warned of the risk to critical national infrastructure supply chains and issued a formal warning to businesses about incoming attacks from unpredictable actors

More recently, big-name brands, including BA, Boots and the BBC, were caught out by a personal and financial data breach affecting staff and customers. The culprit? A bug in a file transfer tool called MOVEit, which their payroll provider, Zellis, used.

The Challenges Facing Supply Chain Security

So, why does supply chain security seem so difficult for organisations to get on top of? One of the critical challenges is the increased complexity and interdependency of global supply chains. Organisations often have limited visibility and control over their extended network, making it challenging to ensure the security of data and systems beyond their immediate reach.

Additionally, supply chain information security faces vulnerabilities such as inadequate security practices by suppliers, weak authentication mechanisms, outdated software, and even potential supply chain disruptions caused by natural disasters or geopolitical events.

The impact of a supply chain breach can be severe and far-reaching. Not only can it lead to financial losses, reputational damage, and legal consequences, but it can also disrupt operations and compromise the trust of customers and stakeholders. The interconnected nature of supply chains means that a breach in one organisation can have cascading effects on multiple entities within the chain, amplifying the potential harm.

What The State of Information Security Report Tells Us About Supply Chain Security

Despite the well-documented risks and growing raft of headlines, many companies still lose sight of their supply chains. In fact, according to our State of Information Security Report 2023, just 30% of organisations believed they were struggling with managing their supply chain, yet over 57% admitted to experiencing at least one cyber incident as a result of supply chain compromise in the last 12 months with many admitting to more than one incident.

Where is this disconnect coming from? The NCSC recently conducted some research of their own and found that “just over one in ten businesses review the risks posed by their immediate suppliers (13%), and the proportion for the wider supply chain is half that figure (7%).”

So, whilst many organisations understand their supply chain should be of concern, there remains a:

• lack of investment to protect against this cyber risk
• limited visibility into supply chains
• insufficient tools and expertise to evaluate suppliers’ cyber security

lack of clarity around what you should be asking your suppliers to do

These issues leave supply chains exposed and at risk of exploitation by cybercriminals.

Regulatory Challenges and Supply Chain Security

In the last 12 months, nearly two-thirds (60%) of UK businesses have received a fine due to data breaches or regulatory violations. The average total paid in fines was almost £250,000.

The most common fines for data breaches ranged from £50,000 to £100,000 (21%), followed by £100,000 to £250,000 (17.5%). Almost 21% of respondents received fines above £250,000, with just under half admitting to receiving a penalty ranging from £500,000 to a staggering £1,000,000.

Of these fines, an alarming 42% were either directly or indirectly due to a data breach or incident that included a supply chain or third-party supplier compromise aspect. Highlight just how integral supplier management is to an organisation’s information security and regulatory compliance.

Key Trends Impacting Supply Chain Security

One of the main takeaways from the State of Information Security Report is the growing sophistication of cyber attacks targeting supply chains. Cybercriminals are employing advanced persistent threats (APTs), which are stealthy and highly targeted attacks aimed at compromising the integrity of the supply chain. These attacks can remain undetected for extended periods, allowing threat actors to gain unauthorised access to sensitive data or even manipulate or take control of critical systems.

Once in the system, attackers will often demand ransom for access back to these critical systems or threaten to release sensitive data unless paid. Almost 25% of organisations in our survey had been held to ransom in the last 12 months, with a further 25% also listing experiencing network intrusion over the same period.

Moreover, the report sheds light on the rising prevalence of supply chain compromise attacks, with 19% of respondents stating they had been impacted in this way in the last 12 months. In these scenarios, attackers exploit vulnerabilities in one or more supply chain components to infiltrate the entire ecosystem.

For instance, by compromising a supplier’s network or systems, attackers can gain unauthorised access to downstream partners, leading to a ripple effect of security breaches. This underscores the interconnectedness and interdependence of supply chain security, making it crucial for organisations to assess and mitigate risks not only within their systems but also across their entire supply chain network.

Another concerning trend identified in the report is the increase in supply chain phishing attacks. Cybercriminals employ social engineering techniques to deceive individuals within the supply chain, trick them into divulging sensitive information or inadvertently downloading malicious software.

These phishing attacks can be persuasive, often impersonating trusted suppliers, vendors, or internal stakeholders. It’s, therefore, perhaps not surprising that 28% of survey respondents stated they had been breached as a result of a phishing attack targeting their employees in the last 12 months. Organisations must educate their employees about these threats and implement robust email security measures to combat these increasingly sophisticated phishing attempts.

Common Supply Chain Vulnerabilities and Attack Vectors

ISMS.online’s State of Information Security Report also reveals several common vulnerabilities and attack vectors that threat actors exploit to compromise supplier security.

One prevalent vulnerability is weak supplier controls. Many suppliers may not have robust security measures, making them an easy target for cyberattacks. These vulnerabilities could include outdated software, inadequate patch management, or lax access controls. Attackers capitalise on these weaknesses to gain unauthorised access to sensitive information or introduce malicious code into the supply chain ecosystem.

Another vulnerability arises from the lack of due diligence during supplier onboarding. Organisations often overlook the importance of thoroughly vetting their suppliers’ security practices before engaging in business relationships. This oversight creates a potential gap in the supply chain’s defences, allowing attackers to exploit the weakest link. For example, a supplier with insufficient security measures can inadvertently expose the entire supply chain to significant risks.

Insufficient security awareness and training across the supply chain is another vulnerability attackers exploit. Employees at various levels within the supply chain may not have adequate knowledge about cybersecurity best practices or the potential threats they face. This knowledge gap leaves them susceptible to social engineering attacks, phishing attempts, or inadvertently introducing malware into the system.

Indeed, less than half of the surveyed organisations had delivered regular information security or data awareness training over the last 12 months (47%), suggesting that 53% of organisations had yet to deliver regular staff awareness training at all. Organisations must prioritise security awareness training and establish a culture of vigilance across the entire supply chain.

The report also emphasises the risks associated with third-party software and hardware components. Integrating these components into the supply chain introduces a level of dependency on external entities, increasing the attack surface and potential vulnerabilities. Malicious actors may compromise these components, leading to supply chain disruptions, data breaches, or the introduction of compromised software or hardware.

Furthermore, insider threats within the supply chain pose a significant risk. Insider threats can occur when individuals with authorised access to the supply chain ecosystem misuse their privileges or knowingly engage in malicious activities. This could be a disgruntled employee, a contractor with unauthorised access, or a compromised insider. Over 20% of those in our survey had experienced an incident as a result of an insider threat compromise in the last 12 months. Such threats can have severe consequences, including data breaches, intellectual property theft, or sabotage.

Understanding these vulnerabilities is crucial for organisations to develop targeted risk mitigation strategies. Organisations can significantly enhance their supply chain information security by identifying and addressing weak supplier controls, implementing stringent due diligence processes, fostering security awareness and training programs, and closely managing third-party software and hardware components.

Navigating the Complexities of Supply Chain Information Security

The increasing reliance on third-party relationships and the evolving threat landscape necessitate a comprehensive approach to mitigate risks and protect sensitive data. Let’s explore some key areas to consider when navigating the intricacies of supply chain information security.

Risk Assessment and Mitigation Strategies:

A thorough risk assessment is the foundation of effective supply chain information security. It involves identifying and evaluating potential vulnerabilities and threats within the supply chain ecosystem. Organisations can prioritise risks, allocate resources effectively, and implement targeted mitigation strategies by conducting regular assessments. These strategies may include data encryption, access controls, regular security audits, and continuous monitoring to detect and address vulnerabilities promptly.

Establishing a Robust Supply Chain Security Framework:

Organisations must establish a robust security framework to manage supply chain information security effectively. This framework should outline clear policies, procedures, and guidelines to ensure consistent security practices throughout the supply chain. It should include security requirements for suppliers, contractors, and other third-party partners and policies for secure data sharing and transmission. Regular assessments and audits can validate the framework’s effectiveness and drive continuous improvement.

Collaborative Efforts and Partnerships:

Organisations should foster open communication and collaboration with suppliers, vendors, and other stakeholders to align security practices, share threat intelligence, and strengthen security posture. Collaborative initiatives can include information-sharing platforms, joint security audits, and regular security training and awareness programs.

Third-Party Risk Management:

It is essential to establish robust third-party risk management processes. This involves conducting due diligence when selecting partners, assessing their security practices, and establishing contractual agreements that outline security expectations and responsibilities. Regular monitoring and audits of third-party security controls should be conducted to ensure ongoing compliance.

Incident Response and Recovery Plans:

Despite proactive security measures, incidents can still occur. It is crucial to have well-defined incident response and recovery plans in place. These plans should outline the steps to be taken in the event of a security breach, including incident detection, containment, investigation, and recovery. Organisations should conduct regular incident response drills and simulations to test their plans’ effectiveness and identify improvement areas.

A proactive and comprehensive supply chain information security approach is crucial for long-term success and business continuity in an ever-evolving threat landscape.

How ISO 27001 Can Help Achieve Effective Supply Chain Management

ISO 27001 is an internationally recognised standard for information management, but it’s really about risk management. Working within the ISO 27001 framework will drive behaviours and security benefits for any business looking to improve its cyber resilience and effectively manage their supply chain security.

ISO 27001 advises businesses to have a straightforward process in place for onboarding and managing suppliers. In particular, focus on the following:

1. Establishing a formal policy for suppliers, which outlines your requirements for mitigating risk associated with third parties
2. Agreeing and documenting these requirements with each supplier
3. Checking suppliers have processes in place to meet appropriate levels of baseline security (including their own supply chains). This could be done via focused audits, questionaries or checks for accreditation with ISO 27001
4. Maintaining a regularly updated list of approved suppliers
5. Regularly assessing whether suppliers are meeting your security requirements.
6. Ensuring any tech or process changes are promptly flagged and that you understand their impact on supplier risk.

That might seem like essential, common-sense advice, but it can save organisations time, money, reputational damage and frustration if implemented correctly. In addition, achieving compliance with the ISO 27001 framework can offer a significant business advantage by demonstrating your certified security credentials to current and future clients.

As supply chains expand in size and complexity, the associated cyber risks also increase. Organisations must take decisive action to protect their information and assets. By leveraging resources such as supply chain mapping guidance offered by the NCSC and implementing an ISMS based on ISO 27001, organisations can strengthen their supply chain risk management practices and safeguard their operations from evolving cyber threats. Now is the time to prioritise proactive measures to address these challenges head-on.

You can read the full State of Information Security report here: https://www.isms.online/state-of-infosec-23/

Read The Report