You are as Strong as your Weakest Part

This post is based on a real conversation between a customer's ICT manager and one of our security consultants.
The location: offices of an energy & gas supply company
The question: what do you think is the domain with the least visibility and control in your cybersecurity environment?
The short answer: Our supply chain.
The long answer: It is widely observed that supply chain attacks are on the rise. They are not a new type of attack, but they have gained real recognition in recent years. Numerous studies show an increase in breaches through supply chain communication channels. To name just a few:

As companies adapt to current trends and tend to outsource various operations, even ICT-related ones, they become more and more dependent on service suppliers. Thus, third-party relationships increase in number and, sometimes, in the degree of access those third parties have inside your company's infrastructure.

Surveys and experience show that organizations do not maintain a security baseline between themselves and their supply chain, or at best they try to with minimal effort. Whether or not you exchange confidential information through your supply chain communication paths, a supplier is a link in your cybersecurity chain. And you should know that your chain is only as strong as its weakest link. So you had better strengthen that link by establishing and maintaining a security baseline between your organization and your supply chain.

1. Start with the risks

In order to protect your assets, you have to measure the level of their (un)protection. And in order to measure, you have to know. To know means to understand and identify the complexity, depth and connectivity of your suppliers to your assets. It all starts with proper asset management and categorization. What are your critical assets? What is the business impact of losing them? Once you have identified the assets, you can start mapping which suppliers have access to them, and eventually you will be able to identify and prioritize the related risks that arise.



2. Comply with a standard and align your suppliers with it

Many standards drive you to implement and maintain a risk management procedure. In the European cybersecurity world, ISO 27001 is the most recognized standard, and even tiny companies successfully adopt it and maintain compliance. ISO publishes detailed guidelines for implementing the various controls demanded by the primary standards, and in the particular case we are examining here, ISO 28000 can help you kickstart.

SpearIT can guide you through the whole procedure of any ISO certification under the ISO cybersecurity family of standards (e.g. ISO/IEC 27001), through our IT Compliance service!

3. Supply-chain management

Supply chain management is a recurring procedure which simply means:

  • set a list of initially trusted suppliers
  • assess & monitor their cybersecurity posture
  • replace the low-ranking suppliers with higher-ranking ones
  • repeat

Deriving directly from the previous step, ISO 27001 requires you to maintain a list of trusted suppliers. Briefly explained, a trusted supplier is not simply a company that your friend owns or works for, but one that you have assessed in terms of quality, diligence, continuous improvement, risks (financial & technical), policies and compliance with standards.

Another thing you must do on the way to ISO 27001 compliance is the periodic assessment of your trusted suppliers. It is obvious that a supplier who is trusted this year can be marked as untrusted and removed from the list if, for example, it suffers a cybersecurity breach due to a lack of protection measures.

SpearIT offers you continuous cybersecurity assessment services, adjusted to your needs:

By having a proper supply chain management procedure, you strengthen the links of your chain, as stated before. In other words, you minimize the risk of suffering a breach through your supply chain!



4. Mutual mindset and cooperation

Finally, you need to develop a mutual mindset between your company and your supply chain in order to continuously improve security. The benefits are for both sides: not only does your organization constantly level up in security and maintain a strong posture against new threats, but your suppliers' security posture levels up with you.

By establishing assessment policies, encouraging your suppliers to get certified against a standard, discussing best practices and giving them enough time to reach implementation maturity, you build, establish and maintain one of the most important values of today's cybersecurity: trust.

Concerned about your cybersecurity posture?
Our specialists are more than happy to discuss a solution with you!

Start Here!
