teissTalk host Tom Langford; Andrea Szeiler-Zengo, Global Chief Information Security Officer, Transcom; Abbas Ahmed, CISO/VP Technology, Qenta Inc; and Dov Goldman, VP Risk Strategy, Panorays.
Views on news
Among the biggest names impacted by the cyber-attack on Zellis, a UK-based payroll provider, are the BBC, British Airways and major UK drugstore chain Boots (part of a conglomerate owned by Walgreens). The cyber-attack centres on MOVEit – a commonly used piece of software intended for secure, encrypted managed file transfer in business settings.
The digital supply chain is a three-dimensional tree, which makes it hard to keep track of all the branches – i.e., 5th- and 6th-tier suppliers. A company shares sensitive data with an average of 583 companies. If some of the suppliers in the chain don’t do their due diligence, other companies must do the job for them. Different suppliers present different levels of criticality in terms of cyber risk, depending on what goods or services they provide you with.
As suppliers need to keep up with new security challenges, it’s not enough to screen them at onboarding; they need to be monitored on a continuous basis.
Shifting from tick-the-box compliance and securing software supply chains
A common problem with cybersecurity questionnaires is that the people who create them have no established business relationship with the business people on the supplier side. A gentler touch is needed, one that helps suppliers understand why it matters to fill in a questionnaire with hundreds of questions.
It’d be a good idea to adopt the concept of data flows from the Payment Card Industry Security Standard, as well as a Responsibility Sharing Matrix aligned to specific contracts, which details who is responsible for what and where partners have shared responsibility. Today, technology also enables companies to pen test their suppliers. Meanwhile, companies have internal software supply chains as well. One of the most vulnerable points is the CI/CD application development environment, and it should therefore form a central part of any third-party questionnaire.
The panel’s advice
Adopting a risk-based cybersecurity approach is not easy but essential.
The key to reducing supplier risk is understanding what you buy from your suppliers and, as a result, which of their security controls you need to test.
Have a conversation with your suppliers about where your data will flow with them and how they’re going to share your data with their partners and suppliers.
You always have to read SOC 2 reports to decide whether your supplier’s controls are relevant to what you buy from them.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543