Supply chain management is becoming more and more important in the Netherlands. As automation increases and ever more information is exchanged between the different parties in the supply chain, the supply chain partners, the need for good cybersecurity is increasing as well. A lot of companies, big and small, will discover in the near future that they are important, if not essential, to Dutch society.
This is the result of the European NIS 2 directive, which will have to be embedded in Dutch legislation before mid-2024. One of the subjects in the directive is the attention paid to the supply chain’s cybersecurity. That means that, in addition to establishing your own cybersecurity, you will also have to assess the level of cybersecurity of your business partners. For NIS 2, but most importantly for your own security.
Just in time
How does ransomware enter a company? Currently, that is increasingly often through the supplier’s entrance. Because now that a lot of large organizations have strengthened their own cybersecurity, criminals are looking for weak links in the supply chain.
To do so, they happily make use of trends such as just-in-time production. A growing number of organizations are allowing suppliers direct access to their business systems, so that suppliers can see what they will have to deliver and when. That saves time and manpower. Not just that, it reduces the chance of errors as well.
But if a cybercriminal can infiltrate such a vendor, the vendor’s client is put in danger as well, even if the client has its own security reasonably well in order.
Responsibility
These threats are growing so rapidly that intervention is now taking place at the European level. Effectively securing the supply chain is becoming mandatory. From here on, your vendor’s security becomes your own responsibility as well.
Organizations that are found lacking in this regard can be punished with fines up to 10 million or more. Moreover, executives can be held personally responsible.
That raises the question: what can you do to secure your supply chain?
Point of attention 1: restrict
To start things off: carefully consider what a vendor is allowed to do on your business network, and more importantly where. That is how you can minimize the risks. Just like with your own people, Zero Trust needs to be the starting point. No one is allowed access to data or network sectors that are not necessary to perform their duties.
So, make sure that there is a well-considered classification for all of your business data. Just as important is separating your network into logical segments. Vendors are then led to the data they need along the shortest possible path, without passing through segments they have no business in.
Point of attention 2: guarding
The second point of attention is guarding your network. A ‘visitor’ with malicious intent must be caught and stopped quickly.
Why? Imagine that you have outsourced the management of your firewall. If somebody else manages to obtain that service provider’s login credentials and adjusts the settings, they could enter unnoticed.
It is possible to protect your network with NDR (Network Detection and Response), possibly complemented by SIEM (analysis of logging data). These systems must pay extra attention to the activities of vendors’ accounts.
Point of attention 3: agree
Thirdly, it is important to make strong agreements with vendors and lay those down in a contract.
About the data you are allowing access to and the way the vendor should handle it, for example. Is the data safe with them? Is it deleted in a timely manner? If they edit the data, how is it returned to you?
How is the vendor given access? Can employees be authenticated through their vendor account? If you do need to create personal accounts for them, you must regularly review whether these are still necessary, so that accounts can be closed when that is no longer the case. In addition, vendors must commit to reporting each and every data breach or cyberattack to you. This allows you to activate extra protection.
It is quite likely that these points are missing from your current contracts. In that case these matters will still have to be discussed and added. It can be difficult to start such a conversation, but it is better to do so now than in the middle of a cyber crisis.
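The three points above (restricting vendors to the segments they need, watching vendor accounts for out-of-scope or unusual privileged activity, and periodically reviewing whether vendor accounts are still needed) can be turned into simple checks over your access logs. The following is an added example, not code from the article; the account names, segment names, log format and the 14-day idle threshold are constructed assumptions for illustration.

```python
"""Vendor-account checks over constructed audit log lines (added example)."""
from datetime import datetime, timedelta

# Constructed policy (Point 1): which network segments each vendor account may reach.
VENDOR_SCOPE = {
    "vnd-partsco": {"erp-orders"},   # parts supplier: order system only
    "vnd-fwmsp": {"fw-mgmt"},        # outsourced firewall management
    "vnd-oldtemp": {"erp-orders"},   # account from a finished project
}

# Constructed log lines: timestamp, account, segment reached, action performed.
AUDIT_LOG = """\
2024-03-04T09:12:00 vnd-partsco erp-orders read
2024-03-04T09:15:00 vnd-partsco finance-db read
2024-03-04T02:40:00 vnd-fwmsp fw-mgmt config_change
2024-03-04T10:02:00 vnd-fwmsp fw-mgmt read
2024-02-01T08:00:00 vnd-oldtemp erp-orders read
"""

def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, account, segment, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "segment": segment, "action": action})
    return events

def find_alerts(events, scope, business_hours=(7, 19)):
    """Point 2: flag unknown accounts, out-of-scope segment access and
    privileged configuration changes outside business hours."""
    alerts = []
    for e in events:
        allowed = scope.get(e["account"])
        if allowed is None:
            alerts.append((e["account"], "unknown vendor account"))
        elif e["segment"] not in allowed:
            alerts.append((e["account"], f"out-of-scope access to {e['segment']}"))
        if e["action"] == "config_change" and not (business_hours[0] <= e["ts"].hour < business_hours[1]):
            alerts.append((e["account"], "config change outside business hours"))
    return alerts

def stale_vendor_accounts(events, scope, now, max_idle_days=14):
    """Point 3: vendor accounts not seen for max_idle_days are candidates for closure."""
    last_seen = {}
    for e in events:
        last_seen[e["account"]] = max(last_seen.get(e["account"], e["ts"]), e["ts"])
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(a for a in scope if last_seen.get(a, datetime.min) < cutoff)
```

On the constructed log, `find_alerts` reports the parts supplier reaching the finance database and the firewall provider changing configuration at 02:40, while `stale_vendor_accounts` lists the leftover project account for review.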
Point of attention 4: check
Agreements are important. Therefore they must also be upheld. Include a clause that forces vendors to regularly have their security reviewed by independent assessors, and have them share the assessors’ findings with you.
And have all entry points that vendors regularly use penetration tested yourself: there must not be any weaknesses in these places.
Cloud providers
Suppliers are not just companies that deliver parts or manage systems: cloud providers like Google and Microsoft are considered as such too. The main difference is that you have to follow their rules instead of the other way around.
Not all cloud providers offer the same range of security options. With Amazon you will have to organize a lot yourself. Google and Microsoft, on the other hand, offer services that require expertise in order to use them effectively. Under NIS 2 this becomes your responsibility as well.
ISO 27001
As you can tell: there is a lot to do. One and a half years is quite a short period of time for that. And not all of it is easy. Professional support is therefore recommended, especially when it comes to legal agreements on cybersecurity that have to be confirmed on paper.
Luckily, the most recent version of the ISO 27001 standard for information security also pays attention to the supply chain. Due to increased threats it has now become more strict. In the past a pick-and-choose approach could suffice, whereas for all areas of attention it is now a matter of comply or explain. Given all of this, it is almost certain that security auditors are going to be very busy.
But as said before: it is very much needed. Dealing with suppliers in a safe manner must really become a habit. NIS 2 protects our society, but the principles it is based on protect your company.