You are as Strong as your Weakest Part

This post is based on a real conversation between a customer's ICT manager and one of our security consultants.
The location: offices of an energy & gas supply company
The question: what do you think is the domain with the least visibility and control in your cybersecurity environment?
The short answer: Our supply chain.
The long answer: It is widely observed that supply chain attacks are on the rise. This is not a new type of attack, but it has gained real recognition in recent years. Numerous studies show an increase in breaches through supply chain communication channels. To name just a few:


As companies adapt to current trends and tend to outsource various operations, even ICT-related ones, they become more and more dependent on service suppliers. Thus, third-party relationships increase in number and sometimes in the degree of access the supplier has inside your company's infrastructure.


Based not only on surveys but on our own experience while providing infosec assessment and compliance services to our customers (penetration testing & risk management), we conclude that organizations do not maintain a security baseline between themselves and their supply chain, or at best they try to with minimal effort. Whether or not you exchange confidential information through your supply chain communication paths, a supplier is a link in your cybersecurity chain. And you should know that your chain is only as strong as its weakest link. So you had better strengthen that link by establishing and maintaining a security baseline between your organization and your supply chain.


1. Start with the risks

In order to protect your assets, you have to measure the level of their (un)protection. And in order to measure, you have to know. To know means to understand and identify the complexity, depth and connectivity of your suppliers and your assets. It all starts with proper asset management and categorization. Which are your critical assets? What is the business impact of losing these assets? Once you have identified the assets, you can start matching which suppliers have access to them and, eventually, you will be able to identify and prioritize any related risks that arise.


2. Comply with a standard and align your suppliers with it

Many standards require you to implement and maintain a risk management procedure. In the European cybersecurity world, ISO 27001 is the most recognized standard, and even tiny companies successfully adopt it and maintain compliance. ISO publishes detailed guidelines for implementing the various controls demanded by the primary standards, and in the particular case we are examining here, ISO 28000 can help you kickstart.

SpearIT can guide you through the whole procedure of a successful ISO 27001 certification with the smart compliance & certification service!


3. Supply-chain management

Supply chain management is a recurring procedure which, put simply, means:

  • set a list of initially trusted suppliers
  • assess & monitor their cybersecurity posture
  • replace the low-ranking suppliers with higher-ranking ones
  • repeat

Deriving directly from the previous step, ISO 27001 requires you to maintain a list of trusted suppliers. Briefly explained, a trusted supplier is not your friend who owns or works for a company, but one that you have assessed in terms of quality, diligence, continuous improvement, risks (financial & technical), policies and compliance with standards.

Another thing you shall do prior to ISO 27001 compliance is the periodic assessment of your trusted suppliers. It is obvious that a supplier who is trusted in the current year can be marked as untrusted and removed from the list if, for example, it suffers a cybersecurity breach due to a lack of protection measures.

SpearIT offers you continuous cybersecurity assessment services, adjusted to your needs:

By having a proper supply chain management procedure, you strengthen the links of your chain, as stated before. In other words, you minimize the risk of suffering a breach through your supply chain!


4. Mutual mindset and cooperation

Finally, you need to develop a mutual mindset between your company and your supply chain in order to continuously improve security. The benefits are for both sides: not only does your organization constantly level up in security and maintain a strong posture against new threats, but your suppliers' security posture levels up with you as well.

By establishing assessment policies, encouraging them to get certified against a standard, discussing best practices and giving them enough time for their implementation to mature, you manage to build, establish and maintain one of the most important values in today's cybersecurity: trust.

