Supply Chain Cybersecurity – the importance of everyone

4 years ago Tripwire Guest Authors

This week, I spoke with a new client who told me all about how they are looking forward to addressing a number of internal issues surrounding their IT systems. They explained that over the last 12 months, they repeatedly had issues of delays in service and outages, which had affected their business.

Discussing this further, I explored their relationship with the supplier and asked what due diligence they had performed prior to working with them. Their response was quite typical and also quite worrying.

“Well, we’ve used them since we first started the business a couple of years ago, so we’ve kinda grown up together.”

I fully support the idea that we shouldn’t change for change’s sake, but we also need to get closer to our suppliers, especially when these suppliers provide such critical services.

Knowing you, knowing me.

One of the key components of ISO27001 has always been that supplier relationships are considered and managed effectively. In the new Annex A, the ISO27002:2022 controls have been expanded to incorporate new requirements. ISO27001:2022 therefore requires:

  • Information security in supplier relationships.
  • Addressing information security within supplier agreements.
  • Managing information security in the ICT supply chain.
  • Monitoring, review and change management of supplier services.

Recognising that cloud services have become a major category of supplier for many organisations, the standard now includes a new requirement, “Information Security for the use of Cloud Services” (A5.23).

If the payment card standard, PCI DSS, is more of a concern for you, then you should know that the tenth requirement of the standard requires that you “Log and monitor all access to system components and cardholder data”. This means more than monitoring your own staff’s access to network resources and cardholder data: it covers every party you have granted access, suppliers included.

I often ask to see the service agreements for organisations who hold a support contract with an IT provider, because I want to understand the level of access that the organisation has granted to that third party.

For example, does the IT provider have complete and continuous access to their clients’ networks for support purposes, or do they have to request access each time? In most situations, it makes perfect sense to allow the IT provider complete control of the network to support the client. But this then exposes the client to additional risk: an incident affecting the supplier could spread, through that standing access, into the client’s own systems.

Not Just IT

Before you think this is just an attack on IT suppliers, I want to be clear that whoever your critical suppliers are, you need to be assessing their security capabilities based on the risk to your organisation.

For obvious reasons, the IT Managed Service Provider (MSP) is often a primary focus. But who else do you rely on to run your business? What access to your data do they have, and can this pose a threat to your business or reputation?

IT’s getting hot in here!

Back in 2006, Dell Corporation, the world’s largest computer manufacturer at the time, had to recall millions of laptops due to fears that they could catch fire. It was considered to be the consumer electronics industry’s largest product recall, with more than 4 million batteries identified as potential hazards.

Since then, there have been countless stories of Dell laptops bursting into flames and causing fires. Whatever the cause, what is known is that the batteries were supplied to Dell by a third-party manufacturer. This is a very tangible example of a supplier having a very real-world impact on its client’s (Dell’s) reputation.

Cyber Due Diligence

Information security always comes back to the basics, and the central tenet of the discipline is to ensure:

  • Confidentiality of data.
  • Integrity of data.
  • Availability of data.

With this in mind, when was the last time you completed a review of your suppliers against these three principles?

When you allow a supplier into your business, you are trusting that they are a safe and secure business. But how do you know? Have you performed thorough due diligence?

This is important, whether you are hiring a cleaning company, or looking for a supplier of goods or services, including outsourced IT and cybersecurity.

Have you asked them what screening processes they have for their staff? How do they monitor performance? What do they do in relation to security? How do they guard your data? Who has access to your data? Who is your point of contact? What are the Service Level Agreements for any issues? How do they handle data breaches?

These are all sensible questions to ask of any supplier. But, in addition, for your data centres and cybersecurity companies, you must ask more searching questions.

Here are questions you should ask of your data centre hosting company today:

  • What information security certificates do they hold?
    • Are they UKAS certified to ISO27001? If so, what is the scope?
    • Are they fully certified to the 12 requirements of PCI-DSS?
    • Are they certified to ISO9001? 45001? 20000?
  • What other relevant certificates do they hold? (if you deal with the USA, SOC may be needed).
  • When was the last Penetration Test, and were all findings remediated?
  • Have there been any data breaches in the last 12 months?

These are your initial questions, just to get you started. Even if you use one of the large commercial services, their certificates of compliance can easily be obtained through a simple search, or by speaking to your account representative.

No such thing as 100% secure

Third-party security also factors into some of the privacy regulations. For example, the California Consumer Privacy Protection Act (CCPA), as well as GDPR, require third-party security. GDPR states this in Article 24:

“Where processing is to be carried out on behalf of a controller, the controller shall use only processors (suppliers) providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”

If you rely on suppliers to support your business, you need to know they are going to be there when you need them most, and that they are protecting your environment to the highest level possible.

Information security professionals often say that there is no such thing as a 100% secure system. The more we rely on external providers, the truer this statement becomes. Security isn’t just for your organisation; it extends as far as your entire supply chain. The best way to protect it is with a close examination to make sure that the links are as tightly bound as possible.


About the Author: Gary Hibberd is ‘The Professor of Communicating Cyber’ at ConsultantsLikeUs and is a Cybersecurity and Data Protection specialist with 35 years in IT. He is a published author, regular blogger, and international speaker on everything from international security standards such as ISO27001 to the Dark Web, Cybercrime and CyberPsychology. He is passionate about providing pragmatic advice and guidance that helps people and businesses become more secure.

You can follow Gary on Twitter here: @AgenciGary

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

The post “Supply Chain Cybersecurity – the importance of everyone” appeared first on Tripwire.