![4 Essential Principles for Defending Your Cyber Supply Chain](https://auditboardinc.wpengine.com/wp-content/uploads/2025/02/EXCERPT-_1-Defending-Against-Cyber-Supply-Chain-Risk-in-an-Interconnected-World-BLOG.jpg)
Most organizations focus their security efforts on vital infrastructure and applications, which is undoubtedly important, but bad actors are increasingly gaining access via supply chains — especially digital ones. Consider all the software tools you use to do your job. Then think about all the other software your colleagues across the company might use. When you add in the software those third-party companies use, the potential points for a data breach multiply exponentially.
Cyber supply chain risk is a serious and expanding risk with enormous potential for business disruption, from network outages and reputational damage to financial penalties and legal repercussions. The best time to pay attention to your supply chain was yesterday, but the important thing is getting focused today.
Take a look at how AuditBoard approaches supply chain risk below, then download Defending Against Cyber Supply Chain Risk in an Interconnected World to gain a better understanding of this risk area and must-know fundamentals for protecting your business.
Cyber Supply Chain Guiding Principles and Best Practices
It’s vital to think strategically about the third parties your organization relies upon and come up with a set of guiding principles for defending your supply chain. As AuditBoard’s CISO, I helped develop our organization’s guiding principles, which I’m sharing here. Your organization may have more or different principles; these can help jumpstart your thinking. In the following section, we’ll look at leading practices and key considerations for each principle.
1. Centralize Inventory and Source of Truth for TPRM
You can’t defend what you don’t know about. Having a comprehensive source of truth is TPRM table stakes — a dependency for everything that follows. It’s imperative to establish a formal program for identifying third parties and enumerating the risks they expose you to.
Best practices:
- Establish a complete, regularly updated third-party inventory.
- Stay connected with all the right stakeholders.
- Conduct initial discovery and risk assessment.
- Categorize vendors based on criticality.
2. Identify Key Controls Based on Risk Factors
Assessing third-party risks enables prioritization of key controls. By identifying the key risk factors for your supply chain partners, you can pinpoint relevant controls that can help you mitigate those risks, either within the third party or your organization.
Examples of key controls:
- Enforcing multi-factor authentication.
- Regularly rotating static credentials (e.g., passwords, tokens, keys).
- Requesting/providing Software Bills of Materials (SBOMs).
- Using integrity checks and digital signatures (hashing, checksums, code signing, image signing).
- Conducting regular business continuity plan (BCP) assessments.
3. Key Controls Must Be Regularly Audited
It’s not enough to ensure that key controls are in place and operating effectively on day one, when agreements are signed. It’s also critical to have a process for continuously monitoring and auditing those key controls, helping to (1) ensure they haven’t degraded and become less effective, and (2) verify that they remain appropriate if and when the nature of the third-party relationship and its risks have changed.
Best practices:
- Establish a risk assessment cadence based on risk level.
- Schedule reviews of third-party security practices and key controls based on risk levels.
- Perform periodic rediscovery with internal relationship owners.
- Perform additional assessments outside your normal cadence as needed.
4. Conduct Comprehensive Offboarding
Timely, thorough third-party offboarding has a massive impact on improving TPRM. Unfortunately, many organizations treat it as an afterthought. The push to innovate, build fast, and expedite impact often drives urgency around third-party onboarding, but there’s less urgency to offboard vendors or tear down integrations once they’re inactive or no longer useful. To increase the urgency, imagine being the victim of a third-party data breach — and then realizing you hadn’t worked with the vendor in over a year, so there was no reason for them to have your data.
Best practices:
- Be diligent and timely in third-party offboarding. Have a process in place.
- Establish a clear, comprehensive offboarding checklist.
- Clean house regularly. Periodically verify that inactive vendors have deleted data.
- Include a legal notice in your offboarding process.
- Anticipate likely impacts to your organization.
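Principles 1, 3 and 4 above (a centralized inventory categorized by criticality, a review cadence driven by risk level, and verification that offboarded vendors have deleted your data) can be checked mechanically against the inventory. The following is an added illustration, not AuditBoard's code or tooling; the vendor names, tiers, cadence intervals and grace period are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed review cadence per criticality tier, in days (illustrative, not prescriptive).
REVIEW_INTERVAL_DAYS = {"critical": 90, "high": 180, "medium": 365, "low": 730}
REPORT_DATE = date(2025, 3, 1)  # constructed "today" for the sample run


@dataclass
class Vendor:
    name: str
    criticality: str                # one of the REVIEW_INTERVAL_DAYS keys
    last_assessed: date
    owner: str                      # internal relationship owner (for rediscovery)
    active: bool = True
    offboarded_on: Optional[date] = None
    data_deletion_confirmed: bool = False


# Constructed sample inventory: the single source of truth the program relies on.
SAMPLE_INVENTORY = [
    Vendor("PayrollCo", "critical", date(2024, 10, 1), "hr-ops"),
    Vendor("CDNProvider", "high", date(2024, 11, 15), "platform"),
    Vendor("SwagShop", "low", date(2023, 1, 10), "marketing", active=False,
           offboarded_on=date(2024, 12, 1)),
    Vendor("OldAnalytics", "medium", date(2024, 6, 1), "data", active=False,
           offboarded_on=date(2025, 2, 15)),
]


def overdue_reviews(vendors, today):
    """Active vendors whose last assessment is older than their tier's cadence."""
    return [v.name for v in vendors if v.active
            and (today - v.last_assessed).days > REVIEW_INTERVAL_DAYS[v.criticality]]


def offboarding_gaps(vendors, today, grace_days=30):
    """Inactive vendors still lacking confirmed data deletion after the grace period."""
    return [v.name for v in vendors if not v.active and not v.data_deletion_confirmed
            and v.offboarded_on is not None and (today - v.offboarded_on).days > grace_days]


def tprm_report(today, vendors=SAMPLE_INVENTORY):
    """Group overdue reviews by relationship owner so rediscovery has a named contact."""
    by_owner = {}
    for v in vendors:
        if v.name in overdue_reviews(vendors, today):
            by_owner.setdefault(v.owner, []).append(v.name)
    return {"overdue_by_owner": by_owner, "offboarding_gaps": offboarding_gaps(vendors, today)}


if __name__ == "__main__":
    print(tprm_report(REPORT_DATE))
```

On the sample data, PayrollCo (critical, 151 days since review) is overdue while CDNProvider (high, 106 days) is not, and SwagShop is flagged because 90 days have passed since offboarding with no deletion confirmation.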
Given how interconnected today’s business landscape is, protecting your cyber supply chain has never been more critical. Get your copy of Defending Against Cyber Supply Chain Risk in an Interconnected World for more detail on key trends, principles, and leading practices.