Cybersecurity: Why your suppliers are still your weakest link

Mature organisations at the top of the supply chain have a duty of care to their suppliers - and that can help everyone.

Why you need to think about supply chain security ZDNet's Danny Palmer sits down with Karen Roby to discuss how attackers are increasingly looking to compromise targets by their suppliers. Here's why it's time to help your supply chain boost its security. Read more: https://zd.net/2J5SoJQ

Ensuring an organisations suppliers and supply chain are well protected is now one of the key features of cybersecurity strategy because your company's defences rely on suppliers further down the chain.

Hacking into a close but poorly-secured supplier is now how some of the most sophisticated threat groups start their campaigns. While organisations are doing the right thing by defending their networks, applying security patches and updates, and using two-factor authentication – it could all be for nothing if hackers can break in through the backdoor via their supply chain.

"What they're not currently doing is seeing third-party connections to their network as untrusted. They're very much seeing those as trusted networks and you should assume you should need to defend a connection until you have reason not to," Paul Chichester, director of operations at the National Cyber Security Centre (NCSC), told ZDNet.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

It sounds simple in practice, but for many small businesses the reality can be trickier: the organisations might not have staff with the expertise required to correctly apply updates, or maybe they don't even understand that the risk is there – perhaps they just don't think they're big enough to be considered a target for hackers.

But that's wrong: if attackers suspect the company has a trusted relationship with their real target, they'll go all out to break into the supplier – and that's going to be relatively simple if the organisation has minimal security in place due to lack of budget or lack of awareness.

For Chichester, there's an answer to this: work with your smaller suppliers to boost their security.

"Do as much as you possibly can to work with your suppliers, supply chain and partners to help them improve their security," he said.

Defending your own network is a good first stage, but Chichester explained that some of the most forward-thinking companies have realised they need to take a hands-on approach to their suppliers too, in order to have the best chance of successfully stopping attacks.

"There are organisations at the top of the supply chain, the mature organisations out there think they've got a duty of care to the people that they connect to. That's a really positive and helpful approach," he said.

"We see companies who've spent many millions defending themselves realise that's actually just the first stage and actually investing further down the supply chain is the next".

The boards of large organisations might wonder why they should cover the cybersecurity costs of other businesses, but if they "aren't willing to be mature and recognise that them being more secure is going to cost," Chichester said, then defending the perimeter from ever-more sophisticated hacking groups is "a really difficult challenge".

Sharing the problem, therefore, makes protecting cyberattacks easier for everyone: the large organisation can have confidence that their contractor has a secure network, while the supplier gains additional security at a reduced cost, both helping the relationship with the client and boosting the cyber resilience of the organisation as a whole.

"Maturity in the supply chain is recognition that this is a shared problem. The most mature organisations take a really positive approach to that and recognise they've got a duty of care to the companies that supply them," Chichester said.

"Organisations are far better at defending themselves so adversaries have to find a better way through that and they'll continually look for the weakest away in. Our job is to get ahead of that and do something about it and try to get people to see that as a critical issue."

SEE: 10 tips for new cybersecurity pros (free PDF)  

In the three years since the NCSC opened its doors, it has provided advice to critical infrastructure, corporations, public sector bodies, small-and-medium-sized businesses and the general public in an effort to improve the country's resilience against hackers – and the organisation believes the message is getting through.

"The last few years have been much more about positive action by companies to improve their security – companies that were in the firing line have actually taken on board that they need to invest in cybersecurity," Chichester said.

However, he and the NCSC are also aware that this is just the start of the battle, because as companies improve their defences, cyber criminals will attempt to find new methods to conduct attacks.

"The adversary is never going to give up, they're going to change their tactics and we have to move further down the chain and think about how do we protect those smaller organisations that aren't as well protected," Chichester said.

READ MORE ON CYBERSECURITY