If the Russian Bear Doesn't Get You, Your Partner Will
Are you aware of your supply chain make-up? Supply chains are needed to lessen the load of delivering your services and provide vital components, but do you know what’s going on?
Typically, supply chains are as long as an alligator's tail. They are constructed with the company only assessing the cyber security controls of the primary contractor. They hardly ever review the controls of the sub- or sub-sub-contractors, and on many occasions it's these entities that are doing the heavy lifting. You may not consider your civils sub-sub-contractor or your MSSP's software provider as part of your chain, but they still require access to your sites and systems to deliver their part of the project.
Many of these companies, and sometimes individuals, are given excessive access rights, or they are handed your data to handle or process with little or no obligation to meet any form of compliance.
Consider the number of high-profile vulnerabilities that have been exploited over the last couple of years (such as SolarWinds, Exchange, Log4j and Mitel). Your supply chain of primary contractors, and their hidden supply chain behind them, is very much a risk to you.
Heightened cyber tensions between the West and Russia have seen an increase in attacks in both directions recently. A common attack vector is to go after the weakest link in the chain, which can be in your alligator's tail! Your supply chain isn't just staff members of another company. It's your outsourced systems, data lakes, data processors, software integrations and APIs; all need to be considered.
Some of this cyber tension is media hysteria. That said, such hysteria does distract you from your day job of ensuring that you have done your due diligence on your full supply chain.
You can understand and manage your risk if you:
1. Know your supply chain fully. Don't rely on the primary contract; dig deeper and establish whether they are using sub-contractors.
2. If so, include these sub-contractors in your supply chain assessment and make sure you audit them too.
3. Standardise how your supply chain is assessed. Think about using recognised cyber security standards (such as the NIST Cyber Security Framework or ISO 27001) as a method of proving their assurance.
4. Limit their access to landing zones in your environment.
5. Force them to use your systems to handle your data, inside entities that YOU control. Don't leave them to make the decisions about the security of your data and systems. Ultimately you own the risk; they will simply walk away.
6. And finally, don't just do this once; continue to do it regularly.
If you're aware of the make-up of your supply chain, you can get control of the alligator's tail that could otherwise leave you vulnerable.
If you want to know more, please drop me a line at hello@parabellum.uk.com.
Paul Rose, Co-Founder, Parabellum Cyber Defence Ltd.
Edited by Kate Warwick at www.wordsavvy.co.uk