supply chain guidance from global cyber security bodies

International Cyber Agencies Issue Supply Chain Guidance Following Recent Spike in Cyber Attacks

Last month, as part of a joint advisory, cyber security governing bodies from the US, UK, Australia, Canada and New Zealand issued official supply chain cyber security guidance to help organisations keep their information and data secure.   

The fresh guidance, focussed on supporting medium to large enterprises and those within organisations responsible for risk, information and cyber security management, will help establish or improve organisational approaches to assessing supply chain cyber security risks. 

Why Are Cyber Agencies Focussing on Supply Chain Security

Supply chain compromise has been hitting the headlines in unprecedented volumes. The SolarWinds attack back in 2020 seemingly opened the floodgates, and the breaches won’t stop coming.  

In the last month alone, MediBank in Australia saw over 4 million patient records compromised and leaked online. Supeo, a supplier to DSB, the largest train network in Denmark, suffered a breach that physically prevented trains from moving for over two hours. And Chase UK sustained an attack that prevented their customers from accessing their banking app for almost two days.  

As organisations rely upon growing numbers of suppliers to deliver products, systems, and services, the risk of vulnerabilities being introduced or exploited via these suppliers increases significantly. This increasing complexity makes it difficult for businesses to know how secure their supply chain is and if they have enough protections in place.  

Ultimately, these cyber attacks can have a devastating impact on businesses, with expensive and long-term ramifications for affected organisations, their critical suppliers and their customers.  

Why Is Supply Chain Security So Difficult For Businesses To Address   

Despite the well-documented risks, many companies still lose sight of their supply chains. In fact, according to the 2022 Security Breaches Survey, “just over one in ten businesses review the risks posed by their immediate suppliers (13%), and the proportion for the wider supply chain is half that figure (7%).” 

The cyber risks associated with a supply chain attack have never been higher; attackers are evolving attack methods and tools at an increasingly alarming pace. Yet, despite growing public awareness of the threats and increased regulatory oversight, businesses are not keeping pace.  

According to the National Cyber Security Centre (NCSC), whilst many organisations understand their supply chain should be of concern, there remains a:  

  • lack of investment to protect against this cyber risk 
  • limited visibility into supply chains 
  • insufficient tools and expertise to evaluate suppliers’ cyber security 
  • lack of clarity around what you should be asking your suppliers to do

These issues leave supply chains exposed and at risk of exploitation by cybercriminals.   

Practical Steps for Organisations to Secure Their Supply Chain 

The guidance released by the cyber government bodies breaks down the best approach into five key steps: 

  1. Understand Why Your Organisation Should Care About Supply Chain Security 

 Organisations must understand what needs protection within their ecosystem and why it needs to be secured to establish meaningful control over the supply chain.  

Ultimately, effective cyber security has to be appropriate to your systems, your processes, your staff, your culture, and the level of risk you are willing to take.   

  1. Develop an Approach to Assess Supply Chain Security 

 Determine the critical aspects in your organisation that you need to protect the most (your ‘crown jewels’), taking into consideration potential threats, vulnerabilities, impact and your organisation’s risk appetite.  

Using your organisation’s identified key aspects, create a number of tiered supplier security profiles. Each profile should represent an increasing scale of impact, then assign these to each of your suppliers.  

  1. Apply the Approach to New Supplier Conversations 

Embed new security practices throughout the contract lifecycle of new suppliers, from procurement and supplier selection to contract closure.   

This process should also begin to drive better security awareness among your staff and create a culture of ongoing security and information management compliance monitoring.  

  1. Integrate the Approach into Existing Supplier Agreements

With a new approach agreed upon, review your existing contracts either upon renewal or sooner where critical suppliers are concerned. 

  1. Continuously Improve

Regularly refining your approach as new issues emerge will reduce the likelihood of risks impacting your organisation via the supply chain.  

How ISO 27001 Can Enable Sustainable Supply Chain Security  

ISO 27001 is an internationally recognised standard for information management, but it’s really about risk management. And this is what the guidance released by the NCSC, CISA, FBI, ACSC, CCCS and NZ NCSC keeps coming back to, which is why working within the ISO 27001 framework will drive behaviours and security benefits for any business looking to improve its cyber resilience and set itself apart from its competitors.  

ISO 27001 advises businesses to have a straightforward process in place for onboarding and managing suppliers. In particular, focus on the following:  

  • Keeping infosec policies, procedures and controls up to date 
  • Maintaining affected critical business information, systems and processes 
  • Making sure to re-assess any risks identified and check that suppliers are meeting ongoing security requirements  

That might seem like essential, common-sense advice, but it can save organisations time, money, reputational damage and frustration if implemented correctly. In addition, achieving compliance with the ISO 27001 framework can offer a significant business advantage by demonstrating your certified security credentials to current and future clients. 

Strengthen Your Supply Chain Security Today  

If you’re looking to start your journey to better supply chain security, we can help.   

Our ISMS solution enables a simple, secure and sustainable approach to information management with ISO 27001, NIST and other frameworks. It offers supply chain security modules that can be quickly adopted, adapted and added to over time to achieve successful cybersecurity and better adoption of secure behaviours within your organisation. Unlock your competitive advantage, today.  

Book A Demo

Explore ISMS.online's platform with a self-guided tour - Start Now