In an interview conducted by VMBlog with Kristin Demoranville (Global Practice Director of Cyber, Risk and Advisory at BSI), she cited a BSI analysis confirming a shocking 66% increase in ransomware attacks on the supply chain over the last three years.
Kristin explains that: “Attackers now have more resources and tools at their disposal. Also, a series of high-profile, very damaging attacks on organizations has demonstrated that attackers have both the intent and ability to exploit vulnerabilities in supply chain security. This trend is real and multiplying. Strong security protection is no longer enough for organizations when attackers have already shifted their attention to suppliers.” This type of attack can trigger a chain reaction and lead to great reputational and financial loss.
Kristin further explains that this increased vulnerability is no longer just an IT or Security risk: given the high impact and likelihood associated with it, it has become a Business risk.
Reading this, Businesses with an underdeveloped Information Security Management System (ISMS) might be wondering how such a vulnerability could apply to them, and what they should implement to avoid such a highly probable risk.
To combat the threat, a Business first has to understand the vulnerability and its related risk. Supply Chain in this regard refers to all the service providers, vendors, contractors and other similar third parties that have a relationship with your Business (e.g. forming part of your service delivery or product production processes). Consequently, confidential information is transferred to and from such third parties daily as part of day-to-day business.
Even though your Business might have implemented a mature ISMS, one of the greatest vulnerabilities here (in respect of information security) is the possibility that your third parties won’t all have similarly mature systems (or any type of ISMS-related system) in place, leaving the confidential information being transferred wide open to attack or theft.
Recommendations on how to manage the risk:
There are many tips that any Information Risk Specialist can supply, but the easiest way to ensure that such risk is effectively managed, and continuously measured and treated, is to implement and maintain ISO 27001, as this Standard specifically includes robust and practical controls to deal with Supplier Data Security.
ISO 27001 is fast becoming a necessary implementation in most Businesses due to the increased handling and processing of confidential data.