3 steps to supply chain resilience

Malicious actors are targeting your third- and fourth-party vendors, causing supply chain disruption and risk to your own network. Mitigate that risk by taking these actions.

supply chain / virtual network of connections
Thinkstock

The COVID pandemic has taught us a lot of things, one of which is that supply chain resilience matters a lot. Having a resilient supply chain in the business sense can be the difference between thriving under dynamic market conditions or experiencing critical business disruptions, including those caused by cyberattacks. These disruptions can not only have an impact on your revenue. but they also can impact your organizational brand and market reputation.

The modern business ecosystem is an increasingly complex web of relationships and exchanges of goods and services. Everyone is essentially someone else’s vendor. This point isn’t lost on malicious actors, as we’ve seen an increase in supply chain attacks, particularly in the digital domain.

Malicious actors have realized they can target a single service provider, vendor or software component and impact an exponential number of victims. This type of approach is far more efficient for them in terms of reach in targets and time it requires to have a massive impact. This increase in third-party and supply chain attacks coupled with the complex landscape of supply chain relationships leaves organizations struggling to implement a resilient approach to their third-party risk management efforts.

Implementing a resilient supply chain takes discipline and a coherent approach to supply chain risk management (SCRM). Follow these three steps to ensure a resilient supply chain for your organization, which includes understanding not only your third-, but fourth-party suppliers as well.

1. Validate vendors’ resilience plans

Many of the items in your “need to be resilient” checklist are provided by vendors. Do you know all the terms, and do they match expectations at both ends? As stated in Greg’s book “Cybersecurity and Third-Party Risk: Third-Party Threat Hunting,” everyone is someone else’s vendor (third-party, fourth-party, and nth-party) and relying on your vendor’s resilience plan without validation is a bound to backfire at the worst time. Also, third-party attacks have increased over 800% over the last two years, according to FBI statistics. These items can add up to a gap in many organizations' ability to be resilient; this level of planning can be a large effort as the complexity and size of the organization grows.

Systemically critical vendors, those your organization relies on to deliver your products/services to customers, deserve the focus for resilience. Once identified and inventoried, ask those vendors how they perform their resilience planning and testing. This check should be done with physical validation and not be a remote question and answer.

While it is tempting to trust the vendor and avoid the trouble, this is not the time to be outsourcing your resilience with a “phone it in” answer. It is essential to identify these critical vendors and include them in your own resilience testing and validation exercises. Whether it is table-top exercises or actual fail-over testing, collaboration with these vendors provides both organizations with the assurance of success in the event of a real occurrence.

Do not stop with these third parties. With systemically critical vendors, there is a further need to investigate their third parties (your fourth parties). Most companies use another party to assist or improve their own products and services to the end customers. Not checking how the third party does its resilience due diligence with your fourth parties will leave you just as vulnerable. Ask them what fourth parties they use to provide the products to your organization and follow up with how they get assurance on the resilience of those fourth parties.

2. Reduce concentration risk

As the inventory and validation of third parties is completed, another risk to resilience is likely to become apparent: concentration risk. This is where many services are performed in one location or with a single vendor. In today’s cloud world, it is often a concentration in a cloud service provider and a geographic location.

For example, many organizations on the East Coast of the United States using AWS will see a large concentration of their deployments in US East. This type of concentration risk is new and becoming more pronounced over time as the move to the cloud intensifies.

The solutions can be varied and allow an organization to spread the risk. First, ensure the fail-over region for the cloud service provider the vendor chooses has been tested for this exercise. Physically validate they are testing that their product can fail-over to the designated region and look for how long it takes them to do this work. Too often an organization will advertise an “immediate” fail-over on their products, but in practice it can be messy and cause loss in data or functionality.

Another approach, as you look to bring on new third-parties (or renew existing): Look for a way to deploy to another region than where your concentration risk is currently.  

Cyber incidents have been increased since the start of COVID-19. Remember. everyone is someone else’s vendor, meaning the increase in incidents translates into a direct increase in everyone's third-party incidents. Third-party incident management  assumes a breach has or will occur (with vendors). How are your plans designed for resilience around this activity?

First-party incidents, where your organization is directly attacked, are usually well-documented and have teams designated to identify, contain and mitigate. However, an incident at your third parties often impacts your ability to access customer data or connectivity to a systemically critical vendor. When contracts are being negotiated, ensure you get terms in for incident notification (no more than 24 hours from an incident) and require they provide an avenue of communication and transparency on what occurred.

3. Plan for third-party unavailability

Lastly, review what would happen if one or more of your systemically critical vendors becomes unavailable for an extended period. Resilience planning in the event of unavailability is often overlooked as “too difficult” or “far-fetched” to plan or predict. However, these types of events are more likely to happen given the aggressive nature of some of our cyber adversaries, advanced persistent threat (APT) actors in particular. We saw this in Colonial Pipeline and others, so it is not far-fetched.

This exercise starts with questions: If the vendor has a connection to your network, what is the impact of cutting that connection to lessen the risk of the incident traversing to your network? What are your manual options to process work? Can you process or perform the work with an alternate supplier, maybe at reduced capacity but processing, nonetheless.

Resilience is defined as “the capacity to recover quickly from difficulties” and this is especially important for organizations to test that ability of its vendors, validate that your systemically critical are capable of the resilience you expect and have an incident management program that will successfully handle third-party incidents.  

Copyright © 2022 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.