Securing the supply chain: Embracing zero trust for digital trust
A supply chain is a system of organisations, people, activities, information, and resources involved in moving a product or service from supplier to customer. Most organisations are part of a supply chain. Supply chain relationships can be very complex, with many interdependencies. Supply Chain Management is an entire vast and complex subject in its own right; supply chain security is one facet and the influence of cyber security on this facet is an important, and growing, problem area. An integrated supply chain both upstream and downstream has access to pricing data, metrics, point-of-sale information, inventory flows, and enterprise system activity. This complexity creates additional cyber security risk to the supply chain. A cyber incident in a shipping, port, or logistics company could result in severe consequences, 90% of all goods are carried by sea at some time in the supply chain, notwithstanding go-political tensions as we see today or the global financial inflationary impact.
The National Cyber Security Centre created a useful guide to supply chain security, with layered principles as a structure. The first of these principles deal with the information gathering stage, to understand your risk. Then advises how organisations can gain control of your supply chain. Organisations need to consider how vulnerable they are or could be when looking at threats, assessing vulnerabilities, which controls to implement.
Cyber security in the supply chain is not solely a technological challenge; it involves issues with people, processes, and knowledge, as the NIST best practice guidance on supply chain security describes. Mandating ‘the right to audit’ and test the security controls of suppliers using your existing risk and audit processes are a great place to start, adherence to a security standard and or framework is useful best practice but adding monitoring requirements will build maturity into the process. The role of contracts in establishing security in the supply chain is key to reducing risk, with back-to-back provisions and standard security requirements clauses with the right to audit and obligations on reporting incidents. Ensure that incident reporting is timely, not only from a compliance and or legal obligation, but to sufficiently understand the detail to determine impact.
IBM's reports that over 50% of security breaches are linked to supply chain and third-party suppliers, incurring an average cost exceeding $4 million. If you are operating within a supply chain, you will often have security requirements imposed by your customers or third parties. It is critical that you impose similar conditions on your suppliers. Many standard contractual clauses impose a requirement to manage your suppliers, usually in a manner that is equivalent. It is prudent to have standard security clauses included in all contracts with suppliers by default. Ultimately, if you have not spelled out to suppliers what you want, you will not get it, and the chances of compensation are limited. Assessments of supplier security within your supply chain are essential. This allows you to identify potential areas of risk, establish maturity levels and support ‘risk triage’ activities. Ideally, such assessments should be made before contracts are agreed, this leaves open the option to ‘Terminate’ subject to supplier risk treatment. If you are playing ‘catch-up’ then it is a good way to understand the risk profile of existing supply chain arrangements.
The SolarWinds supply chain attack triggered a widespread assessment of global supply chain risk management endeavours, sparking a series of advice and guidance from government. The implementation of Zero Trust can enhance a supply chain security by eliminating the automatic trust in device and employee security. Continuous validation helps to prevent attackers from easily infiltrating systems. With the need to bypass sophisticated verification and authorisation tools, the likelihood of unauthorised access can be reduced. A Zero Trust Architecture provides a way to boost resilience against third-party security risks in the supply chain, without giving up the operational benefits of vendor or supplier relationships.
Zero trust comprises concepts and ideas aimed at reducing uncertainty in ensuring precise, least privilege access decisions for each request in information systems and services, even when the network is considered compromised. According to the US government agency CISA (Cybersecurity and Infrastructure Security Agency), it’s an ongoing journey rather than a destination that requires continuous refinement. The objective is to thwart unauthorised access to data and services and enhance access control enforcement with maximum granularity. Many businesses rely on outdated strategies and technologies that were not designed to support or incorporate Zero Trust principles, which are now essential.
“From industrial control systems to cloud computing to generative AI, the world of pervasive technology has outraced legacy security models. Zero Trust ‘never trust, always verify’ principles are clearly the path forward.” Outlines Jim Reavis, CEO and co-founder, Cloud Security Alliance.
Some of the main challenges in embracing Zero Trust were a lack of understanding about the framework and a lack of support from senior management. Many technical vendors unwittingly add to this lack of confidence in better understanding Zero Trust, Zscaler’s CEO, Jay Chaudhry, commented this year that “Network security firms have ‘hijacked’ zero trust”. Whilst analysts state that over 50% of organisations will fail to realise the benefits of Zero Trust due to a lack of skilled and knowledgeable professionals. Therefore its critical for businesses to invest time in educating their teams and customers about the implementation of Zero-Trust and gain the appropriate Zero Trust skills.
As Zero Trust emerges as the future of information security—with Gartner predicting that 60% of organizations will adopt it by 2025—a Zero Trust approach will become essential. This will be a necessary skill for various security professionals, including security engineers, architects, C-suite executives, decision-makers responsible for establishing a Zero Trust governance and risk posture, and compliance managers.
Without adopting a zero-trust architecture, organisations face increased vulnerability to data breaches and cyber-attacks. Consequences may include greater financial losses, damage to reputation, legal liabilities, exposure of confidential information, challenges in managing a distributed workforce, and more.
National Security updates
Sign-up to get the latest updates and opportunities from our National Security programme.