Supply chain risk management is a crucial part of an overall enterprise cyber risk management approach. As Leonardo has previously described, the supply chain is often overlooked in the security assurance process.
Where organisations do think about security in their supply chain, the general working assumption is that risk flows up the supply chain to the ultimate service or capability delivery organisation:
Figure 1. Traditional view of risk within supply chains
This approach overlooks the risk associated with customers of a service. Customers interact with services and capabilities in a variety of ways, and many of these can present a cyber risk. Unlike suppliers, customers are often not held to specific security standards as the flow of contracts is in the opposite direction.
A thought-through approach to managing risks associated with customer interactions is crucial so that customer relations, and therefore ability to drive business, is not damaged or hindered in the name of security.
Customer Supply Chain Risk
Increasingly, organisations are offering customers more direct ways to access their products or services. Customer portals are an excellent example of this, seen across a variety of industries where suppliers offer web procurement stores or managed service dashboards.
Leonardo’s ARCHANGEL™ Cyber Incident Response Team recently assisted a client whose customer had experienced a cyber security breach originating from malware, which was actively exfiltrating website credentials stored in web browsers. Those credentials included usernames and passwords to a web portal offered by the client to its customers.
The risks posed to organisations offering customers access to their systems shared with other customers, bring into question the level of confidence imposed on customers at the point access is given, and the trust those customers have going forward. The web portals themselves can be technically secured, but if unauthorised access is gained, fraud by misrepresentation on these platforms is easily achieved and can be used to exploit for financial gain or disclosure of confidential information, which can be further exploited by adversaries.
Managing Customer Risk in Supply Chain
In order to fully understand and manage the risks to supply chain, in addition to looking at suppliers who hold sensitive information and provide critical services, organisations must also look at the way in which customers interact with their services and the security controls in place to manage the associated risks. Those responsible for organisational security should:
Understand the risks associated with customer interactions
How do customers engage with your services and what are the risks associated with those interactions?
Implement governance controls to manage the risks associated with customers through life
What controls are in place to manage these risks? For example, are there defined standards to which you expect connecting organisations to meet, and are these enforced and tested?
Include customers in threat intelligence and security monitoring activity
It is important to understand customer interactions in the context of your organisations threat landscape. For example, where a particular customer or customer’s sector is targeted in adversary campaigns, are there implications for your services sector?
Consider and include customers when developing and testing incident response processes
If or when your direct customers suffer a cyber incident, it is important that agreed processes are in place to allow an appropriate response. Should you require your customers to inform you of a breach? For example, should you alert other customers on a platform to a potential breach when one customer reports a breach?
Further information
For further information about supply chain management, as part of an overall enterprise cyber risk management approach, please contact our cyber security team on ukcyberservices@leonardo.com.