NCSC Supply Chain Cyber Security Guidance

According to a recent industry study, 45% of organisations have experienced a third-party data or privacy breach in the past 12 months. Consider some recent examples, and the impact those security incidents caused:

Toyota – financial and operational losses

In February 2022, Toyota shut down operations in Japan after a major plastic supplier, Kojima Industries, suffered a data breach. Kojima had remote access to Toyota manufacturing plants, greatly increasing Toyota’s risk. As a result of the temporary shutdown, Toyota suffered financial and operational losses.

SolarWinds – lawsuits, fines, loss of customer trust

Russian state actors hacked into the Orion software product which was then pushed out to SolarWinds customers as part of a series of regularly planned updates. This effort gave the cybercriminals access to thousands of company’s systems and data. SolarWinds is facing lawsuits, fines, congressional testimony and more, and will impact their customers’ trust in them for years to come.

Answer these key questions:

• Can your organisation remain resilient in the face of a supply chain cyber disruption?
• Can you identify the target of a cyber attacker? Is it data?
• Can you identify the most likely attack path for a cyber attacker?

If the answer to any of these questions is “no,” then you must assess the weak points in your cyber supply chain and build a plan to mitigate those risks.

Participants can include representatives from procurement and sourcing, risk management, security and IT, legal and compliance, and data privacy teams. The reason that so many teams should be engaged as part of the supply chain cyber risk management process is that each department tends to focus on the risks that matter to them.

IT security and privacy teams must determine what controls are in place to protect data and access to systems, if the supplier was breached, what the impact was, and if there is undue risk from fourth parties.

Procurement teams may want to if the supplier’s financial or credit history raises any concerns, or if the supplier carries a reputational problem with them.

Compliance and legal teams will want to know if the supplier has been flagged for data privacy, environmental, social and governance, bribery or sanctions.

Risk management teams will want to know if the supplier is in a region prone to natural disasters or geo-political instability.

First, establish a RACI matrix to define who in the organisation is:

• Responsible for managing risks
  Accountable for results
• Consulted with
• Kept informed about the process and results

Finally, gain buy-in from senior executives and the board by:

• Presenting a consolidated view of current risk exposure to the organisation from the supply chain
• Communicating current risk status and reduction efforts
• Identifying where exec support is needed

A common way to categorise risk is through a “heat map” that measures risk on two axes: Likelihood of occurrence and impact to operations. Naturally, risks that rate high on both scales (e.g., the upper-right quadrant) should be prioritised higher than risks that rate lower.

Prior to creating the supplier’s security profile, consider the inherent risks they expose the company to. Consider this framework when calculating inherent risk:

• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations
• Level of reliance on fourth parties (to avoid concentration risk)
• Exposure to operational or client-facing processes
• Interaction with protected data
• Financial status and health
• Reputation

Using the insights from this inherent risk assessment, your team can automatically tier and profile suppliers; establish specific contractual clauses to enforce standards; set appropriate levels of further diligence; determine the scope of ongoing assessments; and define remediations in the case of non-compliance.

For tracking compliance with security requirements, consider standardising assessments against Cyber Essentials, ISO, or other commonly-adopted information security control frameworks.

Consider requiring employees responsible for supplier relationships to achieve individual security certifications, or support the organisation’s Cyber Essentials or ISO 27036-2 certifications.

This guidance requires organisations to be aware of risks at every stage of the supplier lifecycle, including:

• Conducting pre-contract due diligence by gaining cybersecurity insights or data breach history on potential suppliers prior to making selection decisions
• Scoring and categorising suppliers so you know how to triage them and what ongoing due diligence is needed
• Validating assessment results with real-time cyber monitoring data
• Centrally tracking all contracts and security-related contract attributes
• Measuring supplier effectiveness, including KPIs, KRIs, and SLAs against compliance measures to make sure those vendors are meeting contractual requirements
• Winding down relationships in a way that ensures contract adherence, data destruction, and that final items are checked off

Conduct supplier cybersecurity assessments at the time of onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually). Ensure that assessments are backed by workflow, task management, and automated evidence review capabilities.

Then, continuously track and analyse external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities. Monitoring sources should include: criminal forums; onion pages; dark web special access forums; threat feeds; paste sites for leaked credentials; security communities; code repositories; vulnerability databases; and data breach databases.

Correlate all monitoring data to assessment results and centralise in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

Centralise the distribution, discussion, retention and review of vendor contracts so that all applicable teams can participate in contract reviews to ensure the appropriate security clauses are included. Key practices to consider in managing supplier contracts include:

• Centralised storage of contracts
• Tracking of all contracts and contract attributes such as type, key dates, value, reminders and status – with customised, role-based views
• Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
• Automated reminders and overdue notices to streamline contract reviews
• Centralised contract discussion and comment tracking
• Contract and document storage with role-based permissions and audit trails of all access
• Version control tracking that supports offline contract and document edits
• Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

Start by determining the different between key performance indicators (KPIs) and key risk indicators (KRIs) and how they are related.

• Key Performance Indicators (KPIs) measure the effectiveness of functions and processes.
• Key Risk Indicators (KRIs) indicate how much risk the organisation faces and which risk treatments to apply.

When it comes to measuring KPIs and KRIs, categorise them like this:

• Risk measurements help to understand the risk of doing business with a supplier, as well as associated mitigations
• Threat measurements overlap somewhat with risk and give a more complete and validated view risk
• Compliance measurements define whether suppliers are compliant with your internal controls requirements
• Coverage measurements answer the question, “Do I have full coverage of my supplier footprint and are they tiered and treated accordingly?”

Then, be sure to tie results back to contract provisions to provide complete governance over the process.

Finally, ensure your team is fluent in understanding what type of information the board should see. This approach should enable your team to:

• Present a consolidated view of current risk exposure to the organisation from the supply chain
• Communicate current status of critical suppliers supporting major company efforts
• Show inherent and residual risk from threat intelligence sources to demonstrate progress in reducing risk over time
• Identify where executive support is needed

Continuously review the organisation’s supply chain cybersecurity program
at every stage of the supplier’s lifecycle. Key areas to review include:

• Roles and responsibilities (e.g., RACI)
• Supplier security profiles
• Risk scoring and thresholds based on the organisation’s risk tolerance
• Assessment and monitoring methodologies based on third-party
  criticality
• Fourth- and Nth-party involvement in delivering critical services
• Sources of continuous monitoring data (cyber, business,
  reputational, financial)
• Key performance indicators (KPIs) and key risk indicators (KRIs)
• Governing policies, standards, systems and processes to protect
  systems and data
• Compliance and contractual reporting requirements against
  service levels
• Incident response processes
• Internal stakeholder reporting
• Risk mitigation and remediation strategies

Continuously track and analyse external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

Correlate all monitoring data to assessment results and centralise in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

Monitoring sources should include:

• Criminal forums; thousands of onion pages; dark web special access forums; threat feeds; and paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases
• Public and private sources of reputational information, including M&A activity, business news, negative news, regulatory and legal information, operational updates, and more
• Financial performance, including turnover, profit and loss, shareholder funds, etc.
• Global news sources
• Politically exposed person profiles
• Global sanctions lists

Develop remediation plans with recommendations that suppliers can follow to reduce residual risk. Provide a forum for suppliers to upload evidence and communicate on specific remediations with a secure audit trail for tracking remediations to a close.