The SolarWinds compromise disclosed in 2020, the Kaseya attack in 2021, the MOVEit vulnerability in 2023, and countless smaller incidents have revealed a pattern: attackers increasingly target the least-defended link in the chain rather than the organization itself. An organization can have excellent security of its own, but if a supplier with access to its systems, data or software is compromised, the damage can still be significant.
This realization has reached legislators. The NIS2 Directive lists supply chain security among the mandatory risk-management measures (Article 21(2)(d)), including the security of the relationship with each direct supplier and service provider. ISO 27001:2022 strengthened supplier security in its Annex A controls 5.19 to 5.23, adding dedicated controls for the ICT supply chain and for the use of cloud services. And the EU AI Act sets requirements across the entire AI system value chain, from provider to deployer. For organizations in scope of these regimes, supply chain security is no longer a nice-to-have; it is a legal obligation.
The supply chain threat landscape
Supply chain attacks are effective because they exploit the trust organizations place in their suppliers: a vendor's update, network connection or file transfer is treated as legitimate by default, and so it bypasses the controls that would stop a direct attack. There are three main types. In a software supply chain attack, the attacker compromises the build or update pipeline of a software vendor used by many organizations. Through a signed update or patch, malicious code is distributed to all of that vendor's customers, who install it as a routine maintenance step. SolarWinds, where a trojanized Orion update was shipped to thousands of customers, is the most well-known example.
In a service provider attack, the attacker targets a managed service provider (MSP) or IT vendor that holds privileged access to its customers' systems. Through the provider's tooling and credentials, the attacker reaches many organizations at once. The Kaseya attack worked this way: a vulnerability in the VSA remote management product was exploited to push ransomware through MSPs to their customers.
In a data supply chain attack, the attacker exploits a file exchange platform or another service through which organizations share data, and steals that data in bulk without ever touching the organizations' own networks. The MOVEit vulnerability, a zero-day in the MOVEit Transfer product that was used to mass-exfiltrate data from hundreds of organizations, is the prime example.
A framework for supply chain security
An effective supply chain security program consists of four pillars. The first is vendor inventory and classification. You cannot secure what you do not know. Start with a complete overview of all vendors that have access to your systems, process data on your behalf, or supply software you deploy in your environment. Classify each vendor based on the risk a compromise at that vendor would pose to your organization: the type of access it has (none, network, privileged), the sensitivity of the data it processes, and how hard it would be to replace. This classification determines how much scrutiny the remaining three pillars apply to each vendor.
The second pillar is due diligence during selection. Before contracting a vendor, assess its security level in proportion to its classification. This can be through questionnaires, reviewing certifications (ISO 27001, SOC 2), reviewing penetration test reports, or a combination of these methods. Check the scope of any certificate or report: an ISO 27001 certificate covers only the scope named in the statement of applicability, and a SOC 2 report covers only the services, criteria and period named in it, which may not include the service you are buying.
The third pillar is contractual assurance. Security requirements must be contractually established, because without them you have no means of enforcing them later. This includes minimum security standards, audit rights, incident notification obligations, requirements for sub-processors, and exit provisions. Notification deadlines deserve particular attention: an entity under NIS2 must send an early warning within 24 hours and a full notification within 72 hours of becoming aware of a significant incident, so the vendor's obligation to notify you must be short enough for you to meet those deadlines.
The fourth pillar is ongoing monitoring. A one-time assessment at contracting is insufficient, since a vendor's security posture, ownership and sub-processors change over the life of the contract. Vendors must be periodically reassessed through annual questionnaires, requesting current certificates and audit reports, monitoring security ratings, and evaluating incidents at the vendor or in its sector. The reassessment frequency should follow the vendor's classification, with high-risk vendors reviewed more often than low-risk ones.
Common shortcomings we find when auditing supply chain security include an incomplete vendor registry (shadow IT procured directly by business units and never reported to IT or procurement), absence of security clauses in contracts signed before the program existed, and lack of periodic reassessment after initial selection.
Secure Audit helps organizations establish and audit their supply chain security program. From vendor inventory and risk analysis to contract review and periodic assessments. Contact us for a supply chain security assessment.
About the author
Partner | IT Auditor