Explainers & Guides

How Network Immunisation Theory Can Fortify Supply Chain Cyber Security

This article discusses how network immunisation theory might hold the answer to securing our increasingly complex digital supply chains from cyber attacks, by focusing on hardening the security of the most important 'nodes' in this vast ecosystem of interconnected organisations and service providers.


Every organisation today is digitally connected to hundreds of others through direct or indirect supplier and vendor relationships in vast digital supply chain ecosystems. Mitigating the cyber security risks emanating from each digital connection seems impossible, but network immunisation theory offers a potential solution. By focusing on “immunising” key suppliers within these extended and intricate networks against cyber attacks, supply chain communities can work together to minimise the risks for every organisation in the ecosystem. 

How to immunise networks against supply chain cyber attacks

Organisations worldwide face a constant threat from increasingly well organised criminal networks and state-sponsored threat actors. These criminals are using sophisticated tools and techniques to target data and systems through the weakest links in complex digital supply chains.

Even the smallest business today is digitally connected to potentially hundreds of third-party suppliers and vendors, either directly or indirectly through any of the many service providers connected to these suppliers in turn. Monitoring and assessing the security status of all these supply chain connections is extremely challenging, particularly given the lack of visibility companies have into their extended supply chains. A vulnerability that provides a cyber-criminal with an entry point to target your own organisation could sit anywhere in your vast supply chain ecosystem.

Simple one-off, point-in-time risk assessments of suppliers are now ineffective at addressing the cyber security threats within our digital supply chains. A potential solution to the challenge may be found in network immunisation theory. This is the theory that the security of entire networks can best be hardened against unwanted intrusion by identifying and immunising the key nodes in that network that could pose the greatest risk. In a digital supply chain, these “key nodes” are the suppliers and vendors with the greatest influence on the network and the most connections with other parties within that network, and which could thus pose a concentration risk to the wider ecosystem.

It’s possible to imagine a future in which network immunisation can help transform supply chain security by focusing on securing key suppliers or vendors, rather than trying to monitor and secure every individual supplier separately. 

Understanding network immunisation theory

Supply chains are essentially complex networks of interconnected organisations, which work together – either directly or indirectly – to deliver services or products. By visualising supply chains as intricately connected networks of suppliers, vendors and partners, we can understand the relevance of network immunisation in securing supply chains against cyber security risks. 

Cyber security strategies that target and “immunise” key suppliers, or clusters of suppliers, rather than all individual companies, offer an effective and cost-efficient way to secure supply chains. By “immunisation”, we mean significantly reducing the probability of “infection”, i.e. cyber security breach, for a particular supplier or “key node”. Fortifying the security of these key suppliers can help prevent cyber-criminals breaching those suppliers and impacting or even gaining access to other organisations within a given supply chain network. 

Identify critical nodes in the supply chain 

Different immunisation strategies can be used to identify the key nodes within your network that have the greatest influence on overall network security. These strategies include “degree immunisation”, which targets nodes that have the greatest number of direct connections, and “betweenness immunisation”, which targets nodes that lie on the most paths between other nodes and so bridge different communities in the network. Whatever method is used, identifying the right critical nodes is key to the success of any immunisation strategy.

In supply chains, the critical nodes will be those that have the greatest impact on the functioning of the whole supply chain. In your supply chain, think about the vendors or suppliers that, if compromised, would significantly impair your ability to continue with business as usual. They could be suppliers with the most connections to other nodes in your supply chain that are also connected to you, or suppliers that provide foundational components, expertise, infrastructure or systems that are critical to your product or service delivery, together with any of their own suppliers that contribute to these critical services they provide to you. 
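The two strategies named above, applied to a small constructed supply chain graph; this is an added example, not code from the article or from Risk Ledger. The organisation names are invented, and the scores are raw shortest-path counts for an undirected graph. It shows that the two strategies can nominate different key nodes: the cloud provider has the most connections, but the payroll SaaS that is the sole link to a second cluster of firms carries the most paths between other organisations.

```python
from collections import defaultdict, deque

# Constructed example supply chain (not real organisations): four suppliers share
# one cloud host; SupplierC and SupplierD share a payroll SaaS that alone links
# them to a second cluster of firms (E, F, G, H).
EDGES = [("YourOrg", "SupplierA"), ("YourOrg", "SupplierB"), ("YourOrg", "SupplierC"),
         ("YourOrg", "SupplierD"), ("SupplierA", "CloudHost"), ("SupplierB", "CloudHost"),
         ("SupplierC", "CloudHost"), ("SupplierD", "CloudHost"), ("PartnerX", "CloudHost"),
         ("SupplierC", "PayrollSaaS"), ("SupplierD", "PayrollSaaS"), ("PayrollSaaS", "FirmE"),
         ("FirmE", "FirmF"), ("FirmE", "FirmG"), ("FirmF", "FirmG"), ("FirmG", "FirmH")]

def build_graph(edges):  # undirected adjacency sets: a supplier link is a two-way dependency
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return dict(adj)

def degree_centrality(adj):
    """Degree immunisation: a node's number of direct connections."""
    return {v: len(nbrs) for v, nbrs in adj.items()}

def betweenness_centrality(adj):
    """Betweenness immunisation (Brandes): shortest paths through each node."""
    bc = dict.fromkeys(adj, 0.0)
    for s in adj:
        order, pred = [], {v: [] for v in adj}
        sigma, dist = dict.fromkeys(adj, 0), dict.fromkeys(adj, -1)
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:  # BFS from s, counting shortest paths to every node
            v = queue.popleft()
            order.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = dict.fromkeys(adj, 0.0)
        while order:  # walk back towards s, accumulating each node's share of paths
            w = order.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return {v: b / 2 for v, b in bc.items()}  # undirected: each pair seen twice

def rank(scores, k=3):  # top-k candidate key nodes for a strategy, highest score first
    return sorted(scores, key=lambda v: (-scores[v], v))[:k]
```

With these edges, `rank(degree_centrality(adj))` puts CloudHost first, while `rank(betweenness_centrality(adj))` puts PayrollSaaS first despite its three connections.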

More efficient use of security resources

Rather than spreading security resources thinly across the entire supply chain, focusing your third-party and supply chain risk management efforts specifically on such key suppliers is a far more time- and cost-efficient use of resources. 

As well as enabling resources to be allocated more efficiently, this network immunisation approach helps organisations respond more quickly to emerging threats. If your organisation knows how such key nodes in the supply chain might be affected by an emerging threat, whether you are directly connected with them or not, then together with industry peers and the partners of these key suppliers you can ensure that incident monitoring, assessment and mitigation efforts focus on them. This raised vigilance means that any breach of these key nodes, or of any critical suppliers to these nodes, can be quickly identified and communicated among all supply chain participants. 

The challenge, then, is to identify these key nodes within your extended supply chain and work with other supply chain participants to immunise those critical suppliers by increasing security protections. Maintaining the security of key nodes will require continuous monitoring of their security posture and of any emerging vulnerabilities.

Collaborative approach to supply chain risk management

Risk Ledger has developed an approach to supply chain risk management that helps participants in a supply chain network to share information and collaborate with the security teams at their peers as well as at their suppliers. Risk Ledger transforms third-party risk management by onboarding and connecting your entire supply chain into an active defence network. Through a powerful, integrated platform, it allows organisations to instantly identify critical nodes and concentration risks, provides visual insights, and informs you of emerging threats. 

It works like a social network. Each organisation creates a profile containing information about their business, security controls and other relevant risk areas. This profile is then shared with other organisations on the platform. By facilitating real-time data sharing among supply chain participants, Risk Ledger allows organisations to continuously monitor the security status of all of the suppliers, vendors and service providers in their network. 

By mapping all of these connections, the platform provides a unique visualisation of the supply chain and reveals the interdependencies that exist between participants. This visualisation highlights areas where risks are concentrated in the network, so that risk management efforts can be focused on those areas. Suppliers associated with these areas of “concentration risk” are likely to be the key suppliers within your network that should be immunised to protect your wider supply chain. 

Using the Risk Ledger platform, your security teams can work together with your suppliers’ security teams, as well as with peers across the industry, to bolster cyber security protections around key suppliers. Risk Ledger participants receive regular information feeds from the platform, alerting them to any changes in the security controls among any of their suppliers. This means that any vulnerabilities resulting from those changes can be quickly identified and addressed. 

The future of supply chain cyber security

As the community of connected organisations using Risk Ledger grows, our vision is to integrate a new class of threat intelligence into the platform. Currently, gathering cyber security threat intelligence relies on finding evidence of cyber-attacks or vulnerabilities from external sources, or on the dark web (when it might already be too late to do something about them). At Risk Ledger, we want to improve threat intelligence by integrating participants’ cloud native security tools directly into the Risk Ledger platform. For example, if an organisation uses CrowdStrike, it should be plugged into Risk Ledger. If they are deployed on AWS, we should plug in AWS Security Hub. By doing so, we can combine the power of all participants’ first-line security scanning tools to help detect attacks almost in real time. 

This collaborative cyber security defence system would provide real-time threat intelligence much more quickly than is possible today and would amount to creating the first digital SOC for the supply chain. The idea is that our platform will act like a radar, scanning cyberspace for incoming threats – and enabling the whole supply chain network to mobilise effectively to counter any attacks. In this way, all supply chain members gain greater immunity by being part of the community – so that if one organisation comes under attack, all others in the network can provide support and advice to protect them and secure the whole supply chain.

Immunised networks united against cyber-attacks

As we have discussed in this article, third-party risk management and supply chain security efforts should initially focus on those critical nodes in the extended supply chain network that, if breached, could cause the greatest amount of harm to the network.

It’s a fact that, whether we like it or not, our organisations are all linked to many others in today’s vast and interconnected digital networks, and so the responsibility for preventing cyber-attacks must be shared by all network members. Network immunisation theory demonstrates that organisations are much stronger defending against cyber-attacks together than they are in silos. This new approach requires security teams to shift from seeing themselves as isolated defenders of their organisation’s data and systems, to being part of a supportive and wider network, in which everyone is united in maintaining overall immunity to cyber-attacks. 

Look out for future articles from Risk Ledger on how to advance third-party risk management to protect your organisation and its supply chain partners.
