Supply Chain Security: Managing the Risks


In the modern business environment, supply chain security is one of the fundamental aspects that must be considered as part of a risk assessment. While the malicious insider and the dedicated hacker are two of the highest-rated threat actors, risks from the supply chain are also high on the list. Why is this? Because suppliers often have legitimate access to a vast amount of data and services inside the organisation, without being subject to the same levels of monitoring, auditing, training and disciplinary action that traditional members of staff are.

Let’s take an example: a third party supplier provides a CRM (customer relationship management) solution and is required to support it on an on-going basis. In the worst case scenario, the organisation gives the supplier full read/write access to the solution (and the data held on it), remotely, with no additional controls. Add to this that the supplier may be based off-shore and that the supplier’s members of staff are not subject to any kind of vetting, and you have a significant risk to that data. Now imagine that the data stored there is personally identifiable information covered by the DPA, and you are looking at a very scary scenario.

Unfortunately, the scenario above is common to many businesses and reflects a genuine business requirement. What organisations fail to realise is that they remain responsible for the data on that CRM system: if a breach were to occur, they would be liable for significant fines from the ICO and for the resulting loss of business. So, how do you manage this?

Well, using the scenario above, there are multiple controls you can enforce to protect that data and restrict access. First, agreements should be in place before any relationship with a supplier begins. These may take the form of contractual obligations and non-disclosure agreements (NDAs), under which the supplier is legally required to handle any data it accesses in line with DPA requirements. In practice, NDAs should be in place for any supplier who has access to any part of your network or assets. Making sure they exist is good practice: it covers you from a legal perspective, and it is a requirement from a compliance perspective for standards such as ISO 27001.

In addition to contractual controls, the organisation should implement technical and policy-based controls to achieve a defence-in-depth stance. Technical controls may include restricting the supplier to read-only access to customer data, and monitoring the application for anomalous behaviour, e.g. mass extraction of records. Further controls may focus on the remote access suppliers are given. Requiring suppliers to authenticate using two-factor authentication reduces the risk of unauthorised access, and transport layer encryption ensures records cannot be intercepted in transit. Finally, it is good practice to ensure that supplier access is time-bound and that the supplier only has access to the specific service or application required for maintenance.
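To make two of the monitoring controls above concrete, here is an added example (not code from the original post) that runs over constructed CRM audit log lines and flags supplier accounts that pull an anomalous volume of records in a short window, or that connect outside their approved maintenance window. The log format, account names, threshold and access window are all assumptions made for the illustration.

```python
# Added example: detection logic for supplier-account anomalies in CRM audit logs.
# Log format, accounts, threshold and windows are constructed sample values.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: timestamp, account, account type, action, record count
SAMPLE_LOG = """\
2024-03-04T09:05:00 crm-support-acme supplier read 12
2024-03-04T09:07:00 crm-support-acme supplier read 15
2024-03-04T09:09:00 crm-support-acme supplier export 4800
2024-03-04T10:15:00 jsmith staff read 40
2024-03-05T02:30:00 crm-support-acme supplier read 3
"""

# Approved access window per supplier account: UTC hours [start, end), hypothetical
ACCESS_WINDOWS = {"crm-support-acme": (8, 18)}
MASS_EXTRACTION_THRESHOLD = 1000   # records per sliding window; hypothetical value
WINDOW = timedelta(minutes=10)

def parse_log(text):
    """Parse the whitespace-separated audit log into typed event tuples."""
    events = []
    for line in text.splitlines():
        ts, account, kind, action, count = line.split()
        events.append((datetime.fromisoformat(ts), account, kind, action, int(count)))
    return events

def detect_anomalies(text):
    """Return (timestamp, account, reason) alerts for supplier accounts only."""
    alerts = []
    recent = defaultdict(list)     # account -> [(ts, count)] inside the sliding window
    for ts, account, kind, action, count in parse_log(text):
        if kind != "supplier":
            continue               # staff accounts are covered by other monitoring
        # Time-bound access: anything outside the agreed window is an alert
        start, end = ACCESS_WINDOWS.get(account, (0, 0))
        if not start <= ts.hour < end:
            alerts.append((ts, account, "access outside approved window"))
        # Mass extraction: total records touched within the sliding window
        recent[account].append((ts, count))
        recent[account] = [(t, c) for t, c in recent[account] if ts - t <= WINDOW]
        if sum(c for _, c in recent[account]) > MASS_EXTRACTION_THRESHOLD:
            alerts.append((ts, account, "mass extraction of records"))
    return alerts

if __name__ == "__main__":
    for ts, account, reason in detect_anomalies(SAMPLE_LOG):
        print(f"{ts.isoformat()} {account}: {reason}")
```

On the sample data the export of 4,800 records at 09:09 and the 02:30 access the following day are flagged, while the staff account is ignored.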

So far this has only taken one scenario into account. The supply chain does not consist solely of software/application providers and support, but also of suppliers that provide any infrastructure to your organisation. Some questions that should be considered are:

  • What asset is being provided by this supplier?
  • What assurances can they give as to the integrity of the asset provided?
  • Who has access to this asset, and how is that access secured?
  • Can we minimize the number of suppliers who have access to our assets?

This is just a quick look at supply chain security and some of the considerations involved in managing these risks. It is strongly recommended that organisations risk-assess all suppliers with access to their environment and ensure appropriate supply chain security controls are in place.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related.
