Supplier Due Diligence: An Introductory Guide

In today’s digital age, organisations are more interconnected than ever, relying heavily on suppliers and third-party vendors to provide essential services and products. While this interconnectedness is great for operational efficiency, it also introduces significant cybersecurity risks. Undertaking appropriate due diligence on suppliers helps mitigate these risks and protect the organisation’s data.

In this comprehensive guide, we will explore what you should consider when conducting supplier due diligence.

Understanding Supply Chain Risks

Before looking at how to undertake Due Diligence on Suppliers, it is useful to understand the types of risk a supplier can introduce.

  • Vulnerabilities:
    Software vendors may have vulnerabilities in their products that provide an entry point into your organisation’s network. At best, if the vendor provides fixed versions of the software quickly, your IT team will be kept busy installing them; at worst, the company goes out of business or abandons the product, leaving a ticking time bomb inside your network.
  • Excessive access and inadequate security practices:
    For any supplier with access to your network, your company security may be weakened to that of the weakest supplier. While MSPs and IT support companies will naturally have widespread administrator access to your systems, other suppliers may have more access than you may think. Maybe your IT team once set up remote access for a vendor to install some bespoke software that now means they can hop on to the server whenever they choose, or the HVAC maintenance company embeds a remote access VPN so they can monitor the system performance while also inadvertently gaining access to the rest of your network as well.
  • Poor data safeguarding:
    Once data has left your company networks and systems and is being stored and processed by supplier systems it is outside the security controls you have in place. Will they be as robust in securing and protecting your data as you would be?
  • Malicious Actors:
    If you’re developing software in-house, it is highly likely you’ll be using open-source software extensively. Exactly who is writing the software you depend upon and what their motives are is likely to be completely unknown. You may accidentally pick up a package or library that includes malicious code – potentially stealing access keys or using CPU to mine Crypto Currency.
 

Which of these risks is relevant will vary immensely based on the nature of the services being provided by the supplier. Map your supply chain to understand the relationships and dependencies between suppliers and the services they provide. Assess the criticality of each supplier’s role in your operations to prioritise security efforts and focus on those that introduce the most risk.

Establishing Control Measures

Once risks are identified, control measures to mitigate them must be established. Firstly, integrating cybersecurity considerations into procurement processes ensures that risks from new suppliers are considered and addressed. Auditing suppliers or obtaining evidence of independent external audits can provide confidence security is being considered and taken seriously, and contractual clauses can place an obligation on the supplier to meet specific requirements.

  1. Procurement Processes:
    Integrate cybersecurity considerations into your procurement processes to ensure new suppliers meet security criteria and the risks introduced by new suppliers are understood.
  2. Contractual Obligations:
    Include specific cybersecurity requirements in supplier contracts to ensure adherence to security standards.
  3. Regular Audits and Assessments:
    Either perform in-house audits, or obtain evidence of external independent audits and penetration tests as appropriate for the risks.
 

What to Check?

Any assurance has to be appropriate for the type of data the supplier may have access to and the risk that may pose.  However, here is a list of things to consider when assessing suppliers.

1. Security Policies and Practices

  • Existence of Security Policies:
    Ensure that the supplier has documented security policies and procedures that align with industry standards and best practices.
  • Compliance with Standards:
    Check if the supplier complies with relevant cybersecurity standards such as ISO/IEC 27001, NIST Cybersecurity Framework, or SOC 2.
  • Data Protection Measures:
    Assess how the supplier protects sensitive data, including encryption methods, access controls, and data handling procedures.
 

2. Risk Management and Incident Response

  • Risk Management Framework:
    Verify that the supplier has a risk management framework to identify, assess, and mitigate cybersecurity risks.
  • Incident Response Plan:
    Ensure the supplier has a robust incident response plan in place and regularly tests it through drills or simulations.
  • Past Incident History:
    Review the supplier’s history of cybersecurity incidents and how they were managed.
 

3. Third-Party and Subcontractor Management

  • Subcontractor Policies:
    Check if the supplier extends its cybersecurity policies and standards to subcontractors and third parties.
  • Third-Party Audits:
    Verify if the supplier conducts regular audits and assessments of its third-party relationships.
 

4. Access Controls and Identity Management

  • Access Control Policies:
    Assess the supplier’s policies for managing and controlling access to their systems and data.
  • Multi-Factor Authentication (MFA):
    Ensure the use of MFA for access to critical systems and data.
  • Least Privilege Principle:
    Verify that the supplier follows the principle of least privilege, granting access only to the necessary individuals.
 

5. Secure Development Practices

  • Software Development Lifecycle (SDLC):
    Ensure the supplier follows a secure SDLC, incorporating security at each stage of development.
  • Code Review and Testing:
    Check for regular code reviews, vulnerability assessments, and penetration testing.
  • Software Bill of Materials (SBOM):
    Request an SBOM to understand the components and dependencies within the software.
 

6. Physical and Environmental Security

  • Physical Security Controls:
    Evaluate the physical security measures at the supplier’s facilities, including access controls, surveillance, and secure areas.
  • Environmental Controls:
    Check for measures to protect against environmental threats such as fire, flood, and power outages.
 

7. Employee Training and Awareness

  • Cybersecurity Training Programs:
    Verify that the supplier provides regular cybersecurity training and awareness programs for employees.
  • Phishing and Social Engineering Training:
    Ensure employees are trained to recognize and respond to phishing and social engineering attacks.
 

8. Legal and Regulatory Compliance

  • Regulatory Requirements:
    Confirm that the supplier complies with all relevant legal and regulatory requirements related to cybersecurity and data protection (e.g., GDPR, CCPA).
  • Contractual Obligations:
    Ensure that the supplier’s contracts include clear cybersecurity requirements and obligations.
 

9. Continuous Monitoring and Improvement

  • Security Monitoring:
    Check if the supplier uses continuous monitoring tools and techniques to detect and respond to cybersecurity threats.
  • Continuous Improvement:
    Verify that the supplier has processes for continuously improving their cybersecurity posture based on new threats and vulnerabilities.
 

Conclusion

Effective supplier due diligence protects your organisation from supply chain risks. By understanding risks, establishing robust control measures, continuously checking arrangements, and striving for continuous improvement, you can enhance your cybersecurity resilience. Leveraging resources and guidance from authoritative bodies like the NCSC and CISA can provide valuable insights and best practices to fortify your supply chain security.

For more detailed guidance, consider reviewing the resources provided by the NCSC and CISA on supply chain security principles and practices, or Book a Call with one of our Cyber Security specialists.

 

Real-World Examples

Example 1: Target’s Data Breach

One of the most notable examples of supply chain risk is the Target data breach in 2013. Attackers gained access to Target’s network through a third-party HVAC vendor, resulting in the theft of credit card information from over 40 million customers. This incident underscores the importance of vetting the security practices of all suppliers, regardless of their perceived criticality to the core business operations.

Lessons Learned:

  • Third-Party Access: Limit third-party access to only what is necessary and monitor their activities closely.
  • Regular Assessments: Conduct regular security assessments of all third-party vendors to ensure compliance with security standards.
  • Incident Response Plans: Have robust incident response plans in place that include scenarios involving third-party breaches.
 
 

Example 2: SolarWinds Supply Chain Attack

In 2020, the SolarWinds supply chain attack affected numerous organisations, including several U.S. government agencies. Attackers compromised the software update mechanism of SolarWinds’ Orion platform, distributing malicious updates to customers. This sophisticated attack highlighted the vulnerabilities within software supply chains and the need for stringent security measures.

Lessons Learned:

  • Software Integrity: Ensure the integrity of software updates through digital signatures and verification processes.
  • Monitoring and Detection: Implement advanced monitoring and detection systems to identify unusual activities related to software updates.
  • Vendor Risk Management: Incorporate vendor risk management practices that include evaluating the security posture of software providers.
 

Additional Resources:

To further enhance your understanding and implementation of supplier due diligence in cybersecurity, the following resources provide detailed guidelines and best practices:

 
anthony.green

What are my SOC Options?

Running a Security Operations Center (SOC) can be a significant investment for any organisation. While the benefits of having a SOC are clear, it’s important to weigh the costs and benefits of running a SOC

Read More »