Half (49%) of the organizations polled by NCC Group said they did not stipulate security standards that their suppliers must adhere to as part of their contracts. A third (34%) claimed they do not regularly monitor or risk assess their suppliers’ cybersecurity arrangements. NCC Group, however, warned that regulators would increasingly hold organizations responsible for supply chain risk, citing the EU’s Digital Operational Resilience Act (DORA), which apparently mandates that financial firms include key security requirements in their contracts with third parties. More frequent and more serious supply chain attacks, together with the fact that no business today fully owns its own computing, make discussion and regulation of cyber security in this area timely. Although a third (32%) of responding organizations said they were “very confident” that they could respond “quickly and effectively” to a supply chain breach, most of them never go as far as running rehearsals with their suppliers. There is also a misconception that assessing your suppliers will, by itself, solve the problem and make your business resilient.
Businesses find it hard to question their suppliers’ cyber resilience if they have not adopted the security standards themselves. Another problem is that they may lack the capability to process the data they collect, and so only discover information security problems months into the contract. Information security teams cannot be expected to vet thousands of vendors; instead, vendor management teams should escalate only the problematic suppliers to them. Composite risk scores that combine questionnaire answers with automated security monitoring give a more realistic and accurate picture of a supplier’s security posture. To achieve operational resilience, businesses in the UK need to comply with PRA (Prudential Regulation Authority) and FCA rules. Data sniffing tools that search the dark web for supplier information can take supplier resilience to the next level. With multi-tier supply chains, your first-tier supplier has to be held responsible for all the contractors that they bring into the chain.
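The scoring and escalation approach described above, as an added illustration that is not part of the article: a composite supplier score built from questionnaire answers and monitoring findings, with sub-tier suppliers rolled up into their first-tier supplier and only suppliers over a threshold escalated to the security team. The control names, weights, findings and threshold are constructed sample values, not figures from the article.

```python
from dataclasses import dataclass, field

# Constructed weights: points added to the risk score when a control is missing
# or a finding is observed. Real programmes would tune these to their own risk appetite.
CONTROL_WEIGHTS = {"mfa": 20, "patching": 20, "incident_plan": 15,
                   "vuln_testing": 15, "contract_clause": 10}
FINDING_WEIGHTS = {"exposed_rdp": 25, "expired_cert": 5, "breach_notice": 40}
ESCALATE_AT = 50  # constructed threshold; scores at or above reach the infosec team


@dataclass
class Supplier:
    name: str
    questionnaire: dict            # control name -> True if the supplier attests to it
    findings: list                 # issues seen by automated external monitoring
    subcontractors: list = field(default_factory=list)


def questionnaire_score(answers):
    # Points accrue for every control the supplier does not attest to.
    return sum(w for c, w in CONTROL_WEIGHTS.items() if not answers.get(c, False))


def monitoring_score(findings):
    # Unknown finding types still count, with a default weight of 10.
    return sum(FINDING_WEIGHTS.get(f, 10) for f in findings)


def composite_score(supplier):
    own = min(100, questionnaire_score(supplier.questionnaire)
              + monitoring_score(supplier.findings))
    # Multi-tier: the first-tier supplier carries the worst score among its subcontractors.
    sub = max((composite_score(c) for c in supplier.subcontractors), default=0)
    return max(own, sub)


def escalations(suppliers):
    # Only suppliers at or above the threshold are passed to the security team.
    return sorted((s.name, composite_score(s))
                  for s in suppliers if composite_score(s) >= ESCALATE_AT)


def sample_suppliers():
    # Constructed sample data for the illustration.
    full = {c: True for c in CONTROL_WEIGHTS}
    sub = Supplier("acme-logistics", {}, [])                  # never answered: 80
    acme = Supplier("acme", full, [], subcontractors=[sub])   # clean itself, but inherits 80
    beta = Supplier("beta", {**full, "contract_clause": False}, ["expired_cert"])  # 15
    gamma = Supplier("gamma", full, ["exposed_rdp", "breach_notice"])            # 65
    return [acme, beta, gamma]


def demo():
    return escalations(sample_suppliers())
```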
Vulnerability testing, whatever its flaws, is a great tool for checking supplier resilience on a regular basis, but it is effective only if suppliers are tested from your network rather than simply supplying the results of scans of their own network.