Supplier Due Diligence: An Introductory Guide

In today’s digital age, organisations are more interconnected than ever, relying heavily on suppliers and third-party vendors to provide essential services and products. While this interconnectedness is great for operational efficiency, it also introduces significant cybersecurity risks. Undertaking appropriate due diligence on suppliers helps mitigate these risks and protect the organisation’s data.

In this comprehensive guide, we will explore what you should consider when conducting supplier due diligence.

Understanding Supply Chain Risks

Before looking at how to undertake Due Diligence on Suppliers, it is useful to understand the types of risk a supplier can introduce.

Vulnerabilities:
Software vendors may have vulnerabilities in their products that provide an entry point into your organisation’s network. At best, if the vendor provides fixed versions of the software quickly, your IT team will be kept busy installing them; at worst, the company goes out of business or abandons the product, leaving a ticking time bomb inside your network.
Excessive access and inadequate security practices:
For any supplier with access to your network, your company security may be weakened to that of the weakest supplier. While MSPs and IT support companies will naturally have widespread administrator access to your systems, other suppliers may have more access than you may think. Maybe your IT team once set up remote access for a vendor to install some bespoke software that now means they can hop on to the server whenever they choose, or the HVAC maintenance company embeds a remote access VPN so they can monitor the system performance while also inadvertently gaining access to the rest of your network as well.
Poor data safeguarding:
Once data has left your company networks and systems and is being stored and processed by supplier systems it is outside the security controls you have in place. Will they be as robust in securing and protecting your data as you would be?
Malicious Actors:
If you’re developing software in-house, it is highly likely you’ll be using open-source software extensively. Exactly who is writing the software you depend upon and what their motives are is likely to be completely unknown. You may accidentally pick up a package or library that includes malicious code – potentially stealing access keys or using CPU to mine Crypto Currency.

Which of these risks is relevant will vary immensely based on the nature of the services being provided by the supplier. Map your supply chain to understand the relationships and dependencies between suppliers and the services they provide. Assess the criticality of each supplier’s role in your operations to prioritise security efforts and focus on those that introduce the most risk.

Establishing Control Measures

Once risks are identified, control measures to mitigate them must be established. Firstly, integrating cybersecurity considerations into procurement processes ensures that risks from new suppliers are considered and addressed. Auditing suppliers or obtaining evidence of independent external audits can provide confidence security is being considered and taken seriously, and contractual clauses can place an obligation on the supplier to meet specific requirements.

Procurement Processes:
Integrate cybersecurity considerations into your procurement processes to ensure new suppliers meet security criteria and the risks introduced by new suppliers are understood.
Contractual Obligations:
Include specific cybersecurity requirements in supplier contracts to ensure adherence to security standards.
Regular Audits and Assessments:
Either perform in-house audits, or obtain evidence of external independent audits and penetration tests as appropriate for the risks.

What to Check?

Any assurance has to be appropriate for the type of data the supplier may have access to and the risk that may pose. However, here is a list of things to consider when assessing suppliers.

1. Security Policies and Practices

Existence of Security Policies:
Ensure that the supplier has documented security policies and procedures that align with industry standards and best practices.
Compliance with Standards:
Check if the supplier complies with relevant cybersecurity standards such as ISO/IEC 27001, NIST Cybersecurity Framework, or SOC 2.
Data Protection Measures:
Assess how the supplier protects sensitive data, including encryption methods, access controls, and data handling procedures.

2. Risk Management and Incident Response

Risk Management Framework:
Verify that the supplier has a risk management framework to identify, assess, and mitigate cybersecurity risks.
Incident Response Plan:
Ensure the supplier has a robust incident response plan in place and regularly tests it through drills or simulations.
Past Incident History:
Review the supplier’s history of cybersecurity incidents and how they were managed.

3. Third-Party and Subcontractor Management

Subcontractor Policies:
Check if the supplier extends its cybersecurity policies and standards to subcontractors and third parties.
Third-Party Audits:
Verify if the supplier conducts regular audits and assessments of its third-party relationships.

4. Access Controls and Identity Management

Access Control Policies:
Assess the supplier’s policies for managing and controlling access to their systems and data.
Multi-Factor Authentication (MFA):
Ensure the use of MFA for access to critical systems and data.
Least Privilege Principle:
Verify that the supplier follows the principle of least privilege, granting access only to the necessary individuals.

5. Secure Development Practices

Software Development Lifecycle (SDLC):
Ensure the supplier follows a secure SDLC, incorporating security at each stage of development.
Code Review and Testing:
Check for regular code reviews, vulnerability assessments, and penetration testing.
Software Bill of Materials (SBOM):
Request an SBOM to understand the components and dependencies within the software.

6. Physical and Environmental Security

Physical Security Controls:
Evaluate the physical security measures at the supplier’s facilities, including access controls, surveillance, and secure areas.
Environmental Controls:
Check for measures to protect against environmental threats such as fire, flood, and power outages.

7. Employee Training and Awareness

Cybersecurity Training Programs:
Verify that the supplier provides regular cybersecurity training and awareness programs for employees.
Phishing and Social Engineering Training:
Ensure employees are trained to recognize and respond to phishing and social engineering attacks.

8. Legal and Regulatory Compliance

Regulatory Requirements:
Confirm that the supplier complies with all relevant legal and regulatory requirements related to cybersecurity and data protection (e.g., GDPR, CCPA).
Contractual Obligations:
Ensure that the supplier’s contracts include clear cybersecurity requirements and obligations.

9. Continuous Monitoring and Improvement

Security Monitoring:
Check if the supplier uses continuous monitoring tools and techniques to detect and respond to cybersecurity threats.
Continuous Improvement:
Verify that the supplier has processes for continuously improving their cybersecurity posture based on new threats and vulnerabilities.

Conclusion

Effective supplier due diligence protects your organisation from supply chain risks. By understanding risks, establishing robust control measures, continuously checking arrangements, and striving for continuous improvement, you can enhance your cybersecurity resilience. Leveraging resources and guidance from authoritative bodies like the NCSC and CISA can provide valuable insights and best practices to fortify your supply chain security.

For more detailed guidance, consider reviewing the resources provided by the NCSC and CISA on supply chain security principles and practices, or Book a Call with one of our Cyber Security specialists.

Real-World Examples

Example 1: Target’s Data Breach

One of the most notable examples of supply chain risk is the Target data breach in 2013. Attackers gained access to Target’s network through a third-party HVAC vendor, resulting in the theft of credit card information from over 40 million customers. This incident underscores the importance of vetting the security practices of all suppliers, regardless of their perceived criticality to the core business operations.

Lessons Learned:

Third-Party Access: Limit third-party access to only what is necessary and monitor their activities closely.
Regular Assessments: Conduct regular security assessments of all third-party vendors to ensure compliance with security standards.
Incident Response Plans: Have robust incident response plans in place that include scenarios involving third-party breaches.

Example 2: SolarWinds Supply Chain Attack

In 2020, the SolarWinds supply chain attack affected numerous organisations, including several U.S. government agencies. Attackers compromised the software update mechanism of SolarWinds’ Orion platform, distributing malicious updates to customers. This sophisticated attack highlighted the vulnerabilities within software supply chains and the need for stringent security measures.

Lessons Learned:

Software Integrity: Ensure the integrity of software updates through digital signatures and verification processes.
Monitoring and Detection: Implement advanced monitoring and detection systems to identify unusual activities related to software updates.
Vendor Risk Management: Incorporate vendor risk management practices that include evaluating the security posture of software providers.

Additional Resources:

To further enhance your understanding and implementation of supplier due diligence in cybersecurity, the following resources provide detailed guidelines and best practices:

anthony.green

A CREST Practitioner and a recognised thought leader in cybersecurity, Anthony has designed and implemented some of the most secure systems in the UK. Working with the largest global corporations, advising Government on security best practice as well as small and medium businesses throughout the South East.

Latest

Cookie	Duration	Description
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
elementor	never	This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.

Cookie	Duration	Description
__hstc	5 months 27 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_228506841_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
hubspotutk	5 months 27 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.

DEFEND

ASSURE

VERIFY

EXPERT SERVICES