You’ve probably heard the term ‘supply chain security’ more in 2021 than ever before. If you’re unsure where to start when it comes to establishing your law firm’s supply chain security posture and shoring up your cyber defences, this blog will help set you on the right track.
Supply chain security shot onto everyone’s radar in December 2020 when news broke of a cyber-attack that utilised compromised SolarWinds software to target US federal agencies. And the attacks haven’t stopped – more recently, software provider Codecov suffered a supply chain attack that went undetected for over two months. For many organisations, it may feel like supply chain security is the final Rubicon they need to cross before either jumping head-first into shoring up their cyber defences or throwing in the towel completely.
The latter option is, from an emotional perspective at least, understandable – it’s hard enough to protect your own organisation in today’s hostile digital landscape without having to worry about other organisations in your supply chain posing risks to your operational integrity. This is especially true for law firms, who manage highly confidential information on a daily basis and for whom any reputational damage suffered as a result of a data breach could be terminal. At Six Degrees though we’re not fans of burying our heads in the sand, and we don’t think you should be either. Because even if you can never fully negate the supply chain security threats you face, there are steps you can take to minimise them.
In this blog we’ll explain what supply chain security is, and the steps you can take to shore up your cyber defences.
What is Supply Chain Security?
Your organisation has never been more reliant on supply chains to deliver products and services to your end users. Whether it’s legal technology, outsourcing functions like finance or marketing, or working with algorithm and data providers, your supply chain is critical to your law firm’s ability to remain operational and deliver high quality legal services.
Hackers know this, and will actively target organisations in your supply chain in order to disrupt your operations and gain a foothold into your environment. And even if they don’t target you through your supply chain, any disruptions to your suppliers resulting from a cyber-attack can cause significant collateral damage to you as a result.
You may well work with suppliers that integrate with and have access to you network. Pay special attention to these suppliers, as any compromises they suffer can project directly into your network and act as a launchpad for ransomware and business email compromise (BEC) attacks.
A BEC attack is, broadly speaking, a type of phishing email. What makes it so dangerous is its targeting and sophistication. BEC attacks are most commonly targeted at individuals responsible for handling money within organisations, and through carefully thought out methods their aim is to trick the individual into transferring money to an offshore bank account.
BEC attacks require diligence to address, as they often use sophisticated social engineering to convince victims to part with their money. Part of your supply chain considerations should include diligence around suppliers you make payments to, ensuring processes are in place to double- and triple-check that every payment made is legitimate.
Supply Chain Security Principles
The National Cyber Security Centre (NCSC) has proposed a series of 12 principles, designed to help you establish effective control and oversight of your supply chain. You can learn more about these principles by following the link above, but in summary the principles are:
- Understand what needs to be protected and why
- Know who your suppliers are and build an understanding of what their security looks like
- Understand the security risk posed by your supply chain
- Communicate your view of security needs to your suppliers
- Set and communicate minimum security requirements for your suppliers
- Build security considerations into your contracting processes and require that your suppliers do the same
- Meet your own security responsibilities as a supplier and consumer
- Raise awareness of security within your supply chain
- Provide support for security incidents
- Build assurance activities into your supply chain management
- Encourage the continuous improvement of security within your supply chain
- Build trust with suppliers
By following these best practice principles, you will minimise the supply chain security risks you face. But what questions should you be asking to build an understanding of your organisation’s security posture, along with the security posture of your clients?
Questions You Should Ask Your Suppliers
Whether you are assessing your organisation’s supply chain security, auditing the security of businesses in your supply chain, or you are being asked by a client about your own security posture, here are three key questions you should consider – and the context behind why.
- What assessment have you made of the cyber threat to your organisation?
If one of your key partners (supplier/customer) experienced a cyber-attack that impacted their ability to provide services to you, have you understood what impact that could have on your operations? This can cover services such as logistics or more ingrained services within your operations such as accounts payable/HR. Data services such as the latter will no doubt have considerations around PII and other data protected by GDPR, for example.
- What safeguards have you put in place to minimise the impact of ransomware to ensure you maintain contracted services?
Ransomware has impacted organisations’ ability to operate. Defence in depth plays a big part in detecting and mitigating the impact of a successful attack. What layers of defence have your suppliers applied against this real threat?
- Who has third party access to your network?
Misconfigurations and multiple ingress/egress points are prime access points for hackers. Third party access points are often less secure, as they may not be tightly monitored for abuse. Have the principles of least privilege and other controls been implemented to ensure the highest levels of control against abuse?
In our new infographic we provide six more questions you should ask your suppliers to ensure you’ve protected your organisation and mitigated security risks in your supply chain.
Shore Up Your Cyber Defences
Now is not the time to rest on your cyber security laurels – supply chain security should be taken seriously by all organisations if they are to minimise the risks they face. Supply chain security doesn’t need to be onerous to implement – by applying diligence and best practices, you can safeguard your operational integrity and build trust with the businesses that sit throughout your supply chain.
All organisations need to take proactive steps to address the financial, operational and reputational risks they face in today’s increasingly hostile digital landscape. Partnering with an experienced, credible cyber security provider will allow you to establish your organisation’s risk appetite and enhance your cyber security posture. Click here to arrange a call with one of our experts today.