Since the SolarWinds supply chain attack, there has been an increased focus on how organizations of all sizes ensure the security of their suppliers. Large and small organizations alike have been victims of supply chain attacks. Even with government resources and funding, the U.S. Treasury and Department of Homeland Security have not only failed to solve the problem so far; they were themselves affected by the SolarWinds attack.
The reality is that supply chain attacks are not going away. In the first quarter of 2021, 137 organizations reported experiencing supply chain attacks at 27 different third-party vendors, while the number of supply chain attacks rose 42% from the previous quarter.
This raises the question: how can businesses mitigate risk in the face of the increased threat from supply chain attacks?
10 best practices to evaluate a supplier’s risk
While there are no guarantees that a business can detect a supply chain attack before it happens, there are 10 best practices that a business can consider to help mitigate risk and validate the security of its supply chain.
1. Evaluate the impact each supplier can have on your business if the supplier’s IT infrastructure is compromised. While a full risk assessment is preferred, smaller organizations might not have the resources to conduct one. At a minimum, however, they should analyze the worst-case scenarios and ask questions such as:
- How would a ransomware attack on this supplier’s systems impact my business?
- How would my business be affected if the supplier’s source code was compromised by a Trojan virus?
- If the supplier’s databases are compromised and data is stolen, how would that impact my business?
2. Evaluate internal IT resources and competencies for each supplier. Do they have a dedicated cybersecurity team led by a security manager or a CISO? It is important to identify the supplier’s security leadership because that is who can answer your questions. If the team is non-existent or poorly staffed with no real leadership, you may want to reconsider engaging with this supplier.
3. Meet with the supplier’s security manager or CISO to discover how they protect their systems and data. This can be a short meeting, phone call, or even an email conversation, depending on the risks identified in step 1.
4. Request evidence to verify what the supplier is claiming. Penetration test reports are a useful way to do this. Be sure the scope of the test is appropriate and, whenever possible, request reports from two consecutive tests to verify that the supplier is acting on its findings.
5. If your supplier is a software provider, ask for an independent source code review. In some cases, the supplier may require an NDA to share the full report or may choose not to share it. When this happens, ask for an executive summary.
6. If your supplier is a cloud provider, you can scan the supplier’s networks, perform a Shodan search, or ask the supplier for a report of their own scans. If you plan to scan yourself, obtain written permission from the supplier and ask them to segregate customer addresses from their own so you are not scanning something irrelevant.
7. If the supplier is a software or cloud provider, find out if the supplier is running a bug bounty reward program. These programs help an organization find and fix vulnerabilities before attackers have a chance to exploit them.
8. Ask your suppliers how they are prioritizing their risks. For example, the Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities; it assigns severity scores so the supplier can prioritize its risk responses.
9. Request the supplier’s patching reports. The fact that they have a report demonstrates their commitment to security and managing vulnerabilities. If possible, try to get a report that is produced by an independent entity.
10. Steps 1 through 9 should be repeated annually, or more or less often depending on the risk to and impact on your business. For a low-impact supplier, the review may be performed less often. For a supplier that is mission-critical to the business’s success and is high risk, the business may want to develop a permanent evaluation process. However, large SaaS and IaaS providers may not be willing to participate in ongoing evaluations.
By following these recommended best practices, a business can identify the risks associated with a particular supplier, understand how the supplier manages those risks, and gather evidence regarding how the supplier is mitigating those risks. Based on this evidence and the risk appetite, a business can make an informed decision to work with this supplier. Lastly, as you perform these assessments, aim for consistency and look for risk that changes over time.
Remember, there are no guarantees that anyone can stop a supply chain attack, but by protecting your own environment with next-gen anti-malware protection, conducting ongoing cybersecurity training with your users, and following these best practices, it is possible to mitigate the risk to your organization.