Why High-Reliability Organizations Evaluate the Threat Potential of Suppliers

Cyber attacks tend to penetrate the attack surface using one of just a few initial attack vectors:

• Phishing e-mails (80%).
• Abuse of trust relationships.
• Web application session hijacking.

Sometimes the easiest way into a large and well-protected organization is through compromising a trusted third-party, such as a key supplier with less secure practices. If you are really good at security awareness, application security, and network segregation, it may be easier to exploit your trust with a supplier instead. How do the best in class organizations deal with this type of risk?

Your internal security practices may be good – but how does that help if an attacker can abuse a trusted supplier with a smaller degree of organizational hardening to gain access to your systems? Supplier qualification is a key risk management activity – also in the cybersecurity domain.

Qualify Your Suppliers

Every professional procurement organization already does supplier qualification. They tend to ask for ISO 9001 certification (quality management), they do credit and financial solidity check (you don’t want your supplier to go bankrupt before delivering the crucial goods), and so on. And those organizations that are the most security-aware include security related checks in this process. A quick informal survey on Twitter shows that most people don’t do this (and the result is quite biased – most of the respondents here are IT pros, not “normal people”). A whopping 44% says that they don’t have any process for evaluating the security implications of their supplier selection!

Håkon Olsen@sjefersuper

What is your current process for evaluating the security implications when selecting a supplier to your firm? #infosec#supplychainrisk

3:17 AM - 20 Apr 2017

44% - We don't have one

21% - We go by reputation

29% - We have a checklist

6% - We require certificates

Factors to Consider

There are many ways to qualify a supplier. You might want to do a full due-diligence audit, require ISO 27001 certification, and so on – but then it will most likely be very hard to procure goods as most suppliers don’t have this mature processes in place – unless you deal in very special markets. So what should you have a look at, at the initial state? Here’s a quick list of some important factors:

• The business sector(s) the supplier is active in. The sector may be of interest to some actors, and less so to others.
• The size of the firm. The medium sized businesses tend to be the ones most often targeted by cyber attacks. Smaller businesses to a lesser degree, but they often have very weak controls. Large enterprises are less attractive targets because they typically have better controls.
• Political risk: is the company heavily involved in business relationships in regions with high political risk? Studies indicate that companies in countries with a higher degree of political risk are attacked more frequently than those in more politically stable regions.

Creating criteria based on these factors should give you some relevant hooks to use for supplier qualification. Depending on the nature of the procurement, you may choose to disqualify a supplier, to introduce more controls in the contract if the risk is perceived as higher, or also to do a more in-depth review before making a decision (such as asking to review their policies, etc.).

The outcomes of doing this in a reasonable manner are:

• Better risk management for your firm – reduced likelihood of being stung by the third-party bee
• Driving security culture at your own firm, tying security practices to business workflows in an obvious way, thereby making benefits less mysterious
• Helping suppliers become more security-aware and resilient – thereby creating shared goodwill that will strengthen the supplier relationships