Supply chain cybersecurity: better protection and policy alignment

According to a recent study conducted by the World Economic Forum, 39% of surveyed organizations in 2022 had been affected by a third-party cyber incident. In other words, they were “collateral damage” of a cyberattack that reached them through their supply chain. Increasingly, threat actors are targeting small and medium-sized suppliers that may use less robust cybersecurity practices, with the aim of then surreptitiously accessing the systems of an intended target among their clientele. By breaking into the provider’s system, an attacker could potentially compromise any organization that uses the product or service – including larger companies, government agencies, and even critical infrastructure or essential services.

These incidents show the interdependence of companies, and the increasing need to address the security of the ICT supply chain as a whole by identifying and strengthening the weakest links. There is also a growing regulatory concern about supply chain security that is being translated into proposals ranging from reporting, or vulnerability disclosure, to restrictions or obligations on providers under various regulatory standards and frameworks.

How can companies better protect their supply chain to reduce risk and enable a more agile response?

Traditional approaches to supply chain risk management have limitations: they do not actually increase cyber protection, they take no consistent approach to diversifying and securing the supply chain, they waste time and money, and they lack cyber risk context. Importantly, small and medium-sized enterprises in the supply chain may struggle to adopt responsible cybersecurity practices, including compliance with recognized standards. Below is a selection of best practices for supply chain security, some of which have been extracted from the RSAC ESAF Report “How Top CISOs are Transforming Third-Party Risk Management”, based on interviews with Chief Information Security Officers (CISOs), and from Telefónica’s own experience.

It is also necessary to standardise the approach to risk management in a joint procurement and security strategy, based on a principle of co-responsibility of employees and suppliers for meeting pre-established cybersecurity requirements, including requirements on diversification. Management indicators that are checked periodically (including through audits) are needed to monitor progress and identify improvement points for action throughout the entire supplier lifecycle, including termination. Key elements of such a strategy include the following:

  1. Focus on a set of priority security requirements based on an assessment of risk (a short list, rather than overloading the supplier), and ensure monitoring, oversight, and compliance.
  2. Reduce the impact of third-party incidents via discrete actions like diversifying the supply chain, applying zero trust policies, developing incident response plans, conducting tests, and demanding early reporting of incidents by suppliers.
  3. Actively partner with suppliers to help them improve their security programs, offering service mechanisms and trainings to protect against or respond to incidents as they occur. Third-party incidents will happen, so preparing to manage the impact on the enterprise must be a core priority.
  4. Consider leveraging emerging technologies such as blockchain for information sharing and asset management to minimize the consequences of third-party cyber-incidents, as well as artificial intelligence and advanced analytics to scale incident detection and response capabilities.
  5. Add incentives and enforcements to contracts, setting requirements for suppliers based on international standards (e.g. ISO 27001 Information Security, ISO 27701 Privacy, ISO 22301 Security and resilience).
  6. Establish processes to increase business leaders’ involvement in managing third-party cyber-risks. Doing so needs to be a priority at the most senior levels.

Read more at Supply chain cybersecurity: better protection and policy alignment

How To Avoid a Third-Party Break in Your Supply Chain

Your business is only as secure as the weakest link in your supply chain. A single lapse by a third party can lead to an operational disruption, cyberattack, or compliance violation. How can you be certain that your vendors and partners are keeping up with the latest regulatory mandates, industry best practices, cybersecurity measures, and your own corporate standards?

Vendor Risk Management Should Be a Top Priority

In these days of high-profile data breaches and intensifying regulatory requirements, supply chain risk management has become a critical priority for every organization. Such programs typically encompass policies, standards, governance, and risk assessment. Vendor risk management falls under the last of these—and it’s the cornerstone of effective supply chain risk management.

Develop a Vendor Risk Policy with Teeth

Nothing gets the attention of a vendor like a withheld payment. To set the expectation that risk policy compliance is a requirement, not an option, let vendors know that no money will be released until the right boxes have been checked.

Document and Track

A supply chain risk register is essential to keep track of your vendors and their risk. Your database should provide a single source of information on which vendors have been approved and when, as well as their current risk assessment rating.

Stay Engaged During Procurement

Don’t wait until the final review of a master services agreement (MSA) to get involved. Build a strong collaborative relationship with the procurement team so you can be notified promptly when a business function submits a procurement request, and stay engaged during vendor sourcing. By getting in front of the process, you can avoid being labeled as a roadblock or deal-breaker.

Maintain, Scale, and Repeat Your Program

Running an effective vendor risk management program and managing supply chain risk in general is all about scaling and repeating. To uphold your policy and standards, be diligent and strict about annual security assessment and verification, and perform site inspections as needed depending on the severity of risks posed by a given vendor.

‘Trust But Verify’

From the earliest stages of the procurement process through onboarding, service provision, and offboarding, expectation-setting and verification should be woven through each vendor relationship. Even the most secure organizations can encounter challenges, and the best-run programs can break down—assume nothing, check everything.

Read more at How To Avoid a Third-Party Break in Your Supply Chain

3 ways to strengthen security with software supply-chain automation

Federal agencies are striving to become more innovative and iterative, leading to growing adoption of open source within the government. The issuance earlier this year of the Federal Source Code Policy illustrates how this technology, once anathema to government agencies, has become the de facto standard for the creation and deployment of many applications.

With the explosive adoption of open-source components being used to assemble applications, agency personnel are now tasked with ensuring the quality of the components that are being used. Developers must have confidence in components’ security, licensing and quality attributes and know for certain that they are using the latest versions.

Unfortunately, many agencies that are adopting the Risk Management Framework (RMF) are also relying on outdated and inefficient practices and tools that were not designed for today’s open and agile world. In addition to relying on potentially vulnerable components to build applications, some agencies continue to depend too heavily on common application security tools, such as static application security testing (SAST) and dynamic application security testing (DAST).