Reducing the risk of supply chain attacks
What do Dymocks, Okta, Fred Hollows Foundation, Cancer Council and Canteen all have in common? Three words: Supply chain attacks.
An organisation's supply chain is its collection of partners that provide it with goods and services. Infiltrate a supply chain, and you can circumvent the common defences that organisations deploy that are meant to protect them and their customers. This means attackers can get easier, more trusted access to systems and the ability to exploit people, processes, and technology with very little effort.
Supply-chain attacks continue to occur because organisations necessarily have to put trust in their suppliers, yet have very limited visibility into their governance, systems and controls. Even suppliers with cybersecurity certifications like SOC2 or ISO27001 may have a single staff member miss a crucial step that leads to catastrophic results, like CloudNordic earlier this year, or Dymocks' supply-chain partner just a few weeks ago.
So, what can you do to reduce supply chain risk?
Maintain a register of suppliers and ensure you conduct periodic vendor security assessments to ensure they are still in compliance with your standards.
Make sure your contracts with your supply chain partners protect you, and provide clarity around the penalties and recompense that will apply in the event of a data breach.
Share minimal information with suppliers. Privacy legislation globally has already been adopting a "collect only what you need" approach. Make sure you share only what you need, as well. The less you share, the less you can lose.
Need help assessing your supply chain risk? Reach out for a chat! We are experts at discovering and mitigating risks.