You are as Strong as your Weakest Part

This post is based on a real conversation between a customer's ICT manager and one of our security consultants.
The location: offices of an energy & gas supply company
The question: what do you think is the domain with the least visibility and control in your cybersecurity environment?
The short answer: Our supply chain.
The long answer: It is widely observed that supply chain attacks are on the rise. It is not a new type of attack, but it has gained true recognition during the last few years. Numerous studies show an increase in breaches through supply chain communication channels. To name just a few:

As companies adapt to current trends and tend to outsource various operations, even ICT-related ones, they become more and more dependent on service suppliers. Thus, third-party relationships increase in number and sometimes in the degree of access the latter have inside your company's infrastructure.

Surveys and experience show that organizations do not maintain a security baseline between themselves and their supply chain or, at best, they try to with minimal effort. Whether or not you exchange confidential information through your supply chain communication paths, a supplier is a link in your cybersecurity chain. And you should know that your chain is only as strong as its weakest link. So you had better strengthen that link by establishing and maintaining a security baseline between your organization and your supply chain.

1. Start with the risks

In order to protect your assets, you have to measure how well (or how poorly) they are protected. And in order to measure, you have to know. To know means to understand and identify the complexity, depth and connectivity of your suppliers to your assets. It all starts with proper asset management and categorization. Which are your critical assets? What is the business impact of losing them? Once you have identified the assets, you can start matching which suppliers have access to them and, eventually, you will be able to identify and prioritize any related risks that arise.



2. Comply with a standard and align your suppliers with it

Many standards drive you to implement and maintain a risk management procedure. In the European cybersecurity world, ISO 27001 is the most recognized standard, and even tiny companies successfully adopt it and maintain compliance. ISO publishes detailed guidelines for implementing the various controls demanded by the primary standards and, in the particular case we are examining, ISO 28000 can help you kickstart.

SpearIT can guide you through the whole procedure of any ISO certification under the ISO cybersecurity family of standards (e.g. ISO/IEC 27001), through our IT Compliance service!

3. Supply chain management

Supply chain management is a recurring procedure, which simply means:

  • set a list of initially trusted suppliers
  • assess & monitor their cybersecurity posture
  • replace the low-ranking suppliers with higher-ranking ones
  • repeat

Deriving directly from the previous step, ISO 27001 requires you to maintain a list of trusted suppliers. Briefly explained, a trusted supplier is not your friend who owns or works for a company, but the one you have assessed in terms of quality, diligence, continuous improvement, risks (financial and technical), policies and compliance with standards.

Another thing you have to do for ISO 27001 compliance is the periodic assessment of your trusted suppliers. It is obvious that a supplier who is trusted this year can be marked as untrusted and removed from the list if, for example, they suffer a cybersecurity breach due to a lack of protection measures.

SpearIT offers you continuous cybersecurity assessment services, adjusted to your needs:

By having a proper supply chain management procedure, you strengthen the links of your chain, as stated before. In other words, you minimize the risk of suffering a breach through your supply chain!



4. Mutual mindset and cooperation

Finally, you need to develop a mutual mindset between your company and your supply chain in order to continuously improve security. The benefits are for both sides: not only does your organization constantly level up in security and maintain a strong posture against new threats, but your suppliers' security posture levels up with you.

By establishing assessment policies, encouraging them to get certified against a standard, discussing best practices and giving them enough time for their implementation to mature, you manage to build, establish and maintain one of the most important values of today's cybersecurity: trust.

Concerned about your cybersecurity posture?
Our specialists are more than happy to discuss a solution with you!
