No company can survive without end-to-end visibility into its supply chain

October 12, 2023

Many companies find it difficult to manage their supply chain end-to-end. It is often complicated enough to get your own IT resources under control. It’s logical that you also worry about whether your subcontractors’ affairs are in order. And in return, your subcontractors must have trust in the parties they work with. The only solution is good visibility of all IT resources across the chain. But how do you achieve this?

CISOs and CEOs breathe a sigh of relief when a cybersecurity breach affects another company and not their organization. “Phew, it’s time to dance again!” The relief is likely to be short-lived, as hacks and ransomware attacks follow each other at a rapid pace. In addition, you may be more vulnerable than you think, for example due to negligence on the part of the partners you work with. This is because many companies hardly know what security approach and cyber hygiene their business partners actually practise.

Just consider which third parties you have relationships with for your IT: How many different SaaS packages do you use? Which consultants support you? Who processes your data? How many external APIs does your IT department work with? Have you ever outsourced software development? How many companies do you order hardware from? A vulnerability in just one of these companies could also cause problems for your company. The famous SolarWinds incident proved this.

When companies investigate their partners, it all too often happens after an incident. Moreover, it usually remains a one-off check rather than a regular one. The answer to the question “Was your environment running the infected version of SolarWinds?” only speaks about the past and says little about this partner’s security policy, and certainly nothing about their ability to defend against a later incident. After all, you don’t know whether the partner properly vets a new supplier upon onboarding, much less whether they continue to review that supplier regularly.

Visibility is the key word

Even companies with a certain level of cybersecurity maturity struggle with this problem. Every company has to ask itself the same questions: Who are our suppliers, how do they use our data, how carefully do they handle their hardware and software?

A first step is to carry out this inventory yourself: What IT resources do we have in the company? What is running on our hardware? How dependent are we on third parties? Unfortunately, many companies don’t even have answers to these simple questions. A global study by Tanium found that 94% of IT managers regularly discover endpoints that they did not know were on their network.

You need to extend the same visibility of your own hardware and software to your suppliers. They must also be able to provide a comprehensive and accurate inventory of all their endpoints and the software versions installed on them. Additionally, they must demonstrate the ability to patch all of these endpoints as soon as an update is available. However, this inventory does not stop there. A subcontractor must also be able to explain its approach to threat modeling, secure software development, its security architecture, and so on. In this regard, the provisions of the ISO 27001 standard are a good guide to what to ask your subcontractors. And that is no small list.
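As an added illustration (not from the article and not Tanium’s tooling), the following Python reconciles a constructed supplier endpoint inventory with the hosts actually observed on the network and a contractual minimum-version baseline, surfacing exactly the two gaps the article describes: endpoints nobody knew about and software that has not been patched.

```python
# Constructed sample data for illustration only: what the supplier reports,
# what network discovery actually sees, and the minimum versions agreed in the contract.
REPORTED_INVENTORY = {
    "build-01": {"openssl": "3.0.13", "nginx": "1.24.0"},
    "build-02": {"openssl": "3.0.9", "nginx": "1.24.0"},
    "ci-runner": {"openssl": "3.0.13"},
}
OBSERVED_HOSTS = {"build-01", "build-02", "ci-runner", "printer-7", "legacy-db"}
MINIMUM_VERSIONS = {"openssl": "3.0.13", "nginx": "1.24.0"}


def parse_version(version):
    """Turn a dotted numeric version (assumed format) into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def unknown_endpoints(observed, reported):
    """Hosts seen on the network that the supplier's inventory does not mention."""
    return sorted(set(observed) - set(reported))


def out_of_date(reported, minimums):
    """(host, package, installed, required) for every package below the contractual floor."""
    findings = []
    for host, packages in reported.items():
        for package, installed in packages.items():
            required = minimums.get(package)
            if required and parse_version(installed) < parse_version(required):
                findings.append((host, package, installed, required))
    return findings


def visibility_report(observed, reported, minimums):
    """Summarise inventory coverage, unknown endpoints and unpatched software."""
    unknown = unknown_endpoints(observed, reported)
    stale = out_of_date(reported, minimums)
    # Share of observed hosts for which the supplier actually has an inventory record.
    coverage = 100.0 * len(set(observed) & set(reported)) / len(observed)
    return {
        "coverage_pct": round(coverage, 1),
        "unknown_endpoints": unknown,
        "out_of_date": stale,
    }


if __name__ == "__main__":
    for key, value in visibility_report(OBSERVED_HOSTS, REPORTED_INVENTORY, MINIMUM_VERSIONS).items():
        print(f"{key}: {value}")
```

Run against a supplier’s exported inventory and your own discovery data, the same check turns a one-off questionnaire into a repeatable, data-driven control.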

Step by step to a safe environment

In addition to creating and carrying out this inventory, it is advisable to define minimum requirements and include them in contracts. By doing this, you create a more consistent, data-driven alternative to the arbitrary spreadsheets that businesses often use today.

Here are some other ways to protect your supply chain:

  • Involve security and risk teams as early as possible in the due diligence process for new suppliers. Make your requirements dependent on how critical and sensitive the services provided are.
  • Carry out regular security certifications and scale these measures to how business-critical the services provided are.
  • Conduct comprehensive threat modeling and risk assessments to better understand who your key adversaries are, where and how they can strike.
  • Make sure your suppliers have a clear process for reporting security breaches.
  • Request more information about how your suppliers secure their software development process: How are their developers trained and certified in application security? What methods are there for static and dynamic analysis?

Securing your supply chain is a complex task that requires discipline and persistence. By following as many of the measures above as possible, you make important progress, and you reduce the likelihood of your company making negative headlines.

This is a post from Wytze Rijkmans, Regional Vice President of Tanium. Further information about the company’s services can be found here.

Source: IT Daily