Explainers & Guides

How to classify your suppliers to protect the confidentiality, integrity and availability of data and systems

Learn how to classify your suppliers and determine which are the most critical to your organisation using the CIA triad as a guide.


Given the complexity of modern digital supply chains and the difficulty of assessing the security posture of all your third-party suppliers, it’s essential to focus attention on those suppliers that pose the greatest potential risk to your organisation. In this article, we recommend an approach for classifying your suppliers according to their criticality to your business – enabling you to triage your supply chain for more targeted and effective third-party risk management. 

Supply chains have become one of the leading sources of security breaches for organisations worldwide. Digitalisation means that organisations of any size can now connect easily with suppliers, partners or clients anywhere in the world. However, being digitally connected to so many third parties – and by extension all of their suppliers and partners – exponentially increases the cyber security risks to your business. It’s no longer enough simply to take care of your own cyber security. The safety and integrity of your data and systems now relies on the security postures of every organisation in your supply chain. 

That means supply chain risk management is more important than ever – and more complex. Third-party risk management involves assessing the security processes and systems of your suppliers. But given the scope and complexity of modern supply chain networks – particularly for large organisations with hundreds or even thousands of third-party suppliers – CISOs need a way to identify the suppliers or vendors that are most critical to their business.

How to triage your supply chain

Triaging your supply chain can help you to focus your risk-management efforts on those suppliers or vendors that pose the greatest risk to your data, systems and business operations. There are three key factors to consider when classifying your suppliers:

Criticality to your business

How important is the supplier to the everyday operation of your business? Can your business function without them? What is the supplier's responsibility to you? How would the unavailability of their products or services impact your business?

There have been many incidents in recent years when an attack on a critical supplier has caused significant financial and operational damage to its clients. In 2023, for example, financial software provider ION was targeted by a ransomware attack, in which criminals locked the company's data and demanded payment to release it. The attack affected ION's cleared derivatives platform, used by many banks, hedge funds and brokers, which disrupted trading operations in the EU and US.

Access to data

Consider which suppliers have access to your data, or to that of your customers and clients. What type of data can they access? Is it confidential or sensitive? Does it include protected health information or personally identifiable information (PII), such as addresses and dates of birth? Classifying your data according to sensitivity enables you to identify which suppliers pose the most risk because of the data they can access.

If data is lost or stolen through a cyber security breach, it can have devastating impacts. One such high-profile data breach was the exploitation of the MOVEit file-transfer software, used by thousands of organisations worldwide. This precipitated a wave of cyber attacks and data breaches that impacted more than 2,500 organisations and more than 60 million people. 

Access to systems

Think about which suppliers or vendors have direct access to your IT systems. How embedded are they in your business? Any cyber attack on these suppliers could give criminals a way into your systems through onward attacks. That means they could exfiltrate data, change access rights and passwords, grant permissions and alter vital operational systems.

Hijacked software updates are one of the most common forms of supply chain attack. There have been several high-profile cases recently, including the attack on the SolarWinds Orion platform. A “backdoor” programme was injected into the Orion IT update tool and was inadvertently downloaded by 18,000 customers. A similar attack on ASUS in 2018 took advantage of an automatic update feature to connect users to a domain controlled by hackers. 

Apply the CIA Triad for Information Security  

The classification of suppliers we recommend above correlates with the well-recognised CIA Triad: Confidentiality, Integrity and Availability. The three elements of this well-known data protection model provide a useful basis for corroborating the classification of your suppliers and other critical third parties.

Confidentiality

Confidentiality relates to the privacy and security of your sensitive information, and how you prevent unauthorised access. Organisations need systems in place to ensure that only the right people and suppliers have access to the data they need, protected by strong authentication and validation processes. 

Integrity

Integrity relates to the accuracy and completeness of data, and your ability to prevent it being corrupted. Organisations need to ensure data can’t be tampered with or modified, both in terms of where it is stored and when it is transmitted to others. It requires processes to prevent hackers intercepting data as it flows both within your organisation and between your organisation and your suppliers. 

Availability

Finally, the availability pillar relates to your ability to access the information you need, when you need it. Consider how you would be impacted if a supplier suffered a cyber security breach, meaning you couldn’t access key data. Assess your interdependencies with suppliers and your reliance on them for data access. Think about mitigations to ensure business continuity if key suppliers are compromised. 
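As an added illustration (not code from the article or from Risk Ledger), the script below applies the three triage factors and the CIA mapping described above to a constructed supplier inventory. The article gives no numeric rubric, so the scales, tier thresholds and supplier records here are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed rubric (not from the article): the scales and tier thresholds below are
# assumptions a third-party risk programme would have to set for itself.
DATA_SENSITIVITY = {"none": 0, "internal": 1, "confidential": 2, "pii_or_phi": 3}
SYSTEM_ACCESS = {"none": 0, "read_only": 1, "privileged": 2, "software_updates": 3}
TIERS = {3: "critical", 2: "high", 1: "standard", 0: "low"}

@dataclass
class Supplier:
    name: str
    can_operate_without: bool   # criticality: can the business function without them?
    tolerable_outage_days: int  # how long before unavailability hurts operations
    data_sensitivity: str       # most sensitive class of data they can access
    system_access: str          # most privileged access they hold to your systems

def cia_impact(s: Supplier) -> dict:
    """Map the three triage factors onto the CIA pillars (0 = none, 3 = severe)."""
    confidentiality = DATA_SENSITIVITY[s.data_sensitivity]
    # Tampering potential grows with access; an update channel can rewrite your code.
    integrity = SYSTEM_ACCESS[s.system_access]
    if s.can_operate_without:
        availability = 0
    else:
        availability = 3 if s.tolerable_outage_days <= 1 else 2
    return {"C": confidentiality, "I": integrity, "A": availability}

def tier(s: Supplier) -> str:
    """A supplier is as critical as its worst CIA impact, not its average."""
    return TIERS[max(cia_impact(s).values())]

def triage(suppliers: list) -> list:
    """Order suppliers so assurance effort starts with the riskiest."""
    def key(s):
        impact = cia_impact(s).values()
        return (max(impact), sum(impact))
    return [(s.name, tier(s)) for s in sorted(suppliers, key=key, reverse=True)]

# Constructed sample inventory, not real supplier data.
INVENTORY = [
    Supplier("Trading platform", False, 0, "confidential", "read_only"),
    Supplier("Managed file transfer", True, 7, "pii_or_phi", "none"),
    Supplier("Monitoring agent vendor", True, 30, "internal", "software_updates"),
    Supplier("CRM integrator", True, 30, "confidential", "privileged"),
    Supplier("Office catering", True, 30, "none", "none"),
]

if __name__ == "__main__":
    for name, t in triage(INVENTORY):
        print(f"{t:>8}  {name}")
```

Note that a supplier with no system access at all still lands in the top tier if it handles PII, which is the point of scoring each pillar separately rather than averaging them.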

Prioritise your highest risk suppliers 

According to UK government research, most enterprises only manage to carry out risk assurance on around 30% of their third-party suppliers. That figure falls to just 10% for smaller organisations. Given those low percentages, it’s vital that any efforts at third-party risk management are focused on those suppliers that pose the greatest potential risk – because of their criticality to your business and their access to your data and systems.

Focusing your resources on ensuring the security of those critical suppliers is an important first step in effective third-party risk management. 

Look out for future articles from Risk Ledger on how to advance third-party risk management to protect your organisation and its supply chain partners.
