NHS 111 is one of the latest victims, but it doesn’t have to be this way.

Supply chain attacks have caused major disruption in 2022; the Log4j exploit continues to impact organisations, whilst this August, NHS 111 was taken offline when the supplier, Adastra, suffered a cyberattack.

Many organisations’ processes and systems are poorly designed and treated like a tick box compliance exercise instead of dealing with the risk in a meaningful way.

With Log4j, a big part of the problem is that organisations lack understanding of where it is running. Identifying what works for an organisation, what tools they are running, what assets are in their network, and what software libraries are used is fundamental.

It has been nearly ten years since the infamous breach of Target via a refrigeration, heating and air conditioning service vendor, but such incidents persist.

After all, this is an era in which a high-tech toilet is hackable, and a casino’s database of wealthy individuals can be stolen via a thermostat in its fish tank. And in the meantime, supply chain disruption is costly for organisations.

Last year, McKinsey found that supply chain disruptions cost the average organisation 45 percent of one year’s profits over the course of a decade. 

Types of supply chain risks

Effective risk management is a combination of process, governance and technology. There are three types of supply chain cyber risks.

  1. A core supplier is hit by its own cyberattack, which renders it unable to deliver essential products and services—for instance, the cyberattack on shipping giant Maersk in 2017 disrupted global supply chains.

  2. An organisation suffers a breach because of a vulnerability in a supply chain partner. Such a breach could occur either because the supplier is holding sensitive information of the customer that gets compromised or because the supplier’s systems are connected to the customer’s systems, which means the attacker is able to move laterally from the supply systems to the customer’s own network. We saw this when cybercriminals used Kaseya, the software company, as a stepping stone to gain access to over 1,000 companies.

  3. Organisations suffering a breach due to a vulnerability embedded in third-party products used in their own operation—as seen in Log4j and the Solarwinds attack.

Obstacles organisations face

There are five challenges organisations face when it comes to effective supply chain cyber risk assessment: governance, visibility, scale, complexity, timeliness and funding.

Not addressing these obstacles means organisations can fail their risk assessment and remediation efforts. This leaves them in the dark about the potential for a supply chain attack or the impact it would have.

 

  • Governance: There is a lack of ownership of an organisation’s supply chain; there are usually several stakeholders across departments like procurement, operations, technology, finance, legal, and security. Unless a single owner of the processes is required, it becomes challenging to manage.

  • Visibility: Risk assessment involves asking current suppliers difficult questions, which might create tension, but will provide context. Organisations might miss a complete overview of the supply chain ecosystem and legacy risks if past partners were onboarded without the rigorous cyber assessment that today’s more complex environment requires. Rich contextual information is needed for effective visibility and risk management.

  • Scale and complexity: Large enterprises usually have thousands of third and fourth parties in their ecosystem, which makes cyber risk management an intimidating task. They might focus on their biggest suppliers, but that could bear no relation to risk exposure. There is not always a link between contract value and risk, instead, it’s important to consider the context. Sometimes, a small-sized provider of a critical, cyber-exposed piece of software may need more scrutiny than a large equipment vendor, due to its more limited budget and less mature cybersecurity standards.

  • Timeliness (in patching): Many organisations use inadequate third-party risk management programmes that are often box-ticking exercises. For example, survey-based, self-attestation reviews take a long time to gather and rely on honest responses from just one moment in time; more comprehensive approaches require evidence or periodical audits that are costly and slow. Follow-ups might also be needed to ensure an identified risk has been tackled. This is problematic because cyber threats and network vulnerabilities are inherently dynamic and constantly evolving.

  • Funding: High-risk suppliers are in danger of being omitted from risk assessments because of budget. Decision makers must understand how many need reviewing and allocate and prioritise the appropriate funding.

 

Rapid globalisation and unforeseen factors like the pandemic have profoundly transformed supply chains into one of the biggest threats organisations face in both the physical and digital space.

To successfully manage today’s cyber landscape, organisations must properly assess the threats and implement suitable structures, policies, and partnerships to execute a proactive supply chain cyber-resilience strategy.

 

This article first appeared in Strategic Risk Europe.