The Information Commissioner’s Office (ICO) has published a review on cyber security, which includes a section on supply chain effects that can be accessed here.
The ICO emphasises that third parties are processing sensitive information for other organisations more than before, which means that organisations are unable to only rely on their internal cyber security controls.
In the 2022 Marsh and Microsoft Cyber Risk Survey, it was found that only 43% of the surveyed organisations had carried out a risk assessment of their supply chain. In their report on the survey, ‘The state of cyber resilience’ (the Report), one of the key trends that Marsh and Microsoft found is that firms do take cybersecurity actions but widely overlook their vendor and digital supply chains. The Report can be accessed here.
Supply chain attacks
A supply chain attack occurs where an attacker infiltrates an organisation by compromising or breaching technologies, services, or products which the organisation receives from its third party suppliers.
The ICO noted three different types of supply chain attacks in its review:
- software supply chain attacks: malicious code is inserted by attackers into a product or system, which can lead to information theft or fraud or allows the attacker to access corporate systems remotely
- digital supply chain attacks: attackers insert malicious code into libraries, and a software developer incorporates that library into their product, making that product vulnerable
- hardware supply chain attacks: supply of hardware containing certain components through which the attacker can then gain access to the corporate infrastructure or search for and extract information
Reducing the risk of supply chain attacks
The ICO has set out some ways organisations can reduce the risk of supply chain attacks; these include:
- having a supply chain risk management programme and a process for managing, monitoring, and reviewing systems, access, and processes in their supply chain
- reviewing supplier contracts to understand what responsibilities each party has
- conducting due diligence on a supplier before using their services
- before sharing any information, the organisation should have assurances from the processors, and they should also have security and service level agreements which are documented
Given the wide use of third party suppliers by organisations, this review by the ICO provides some useful ideas as to how organisations can seek to lower the risk of supply chain attacks. It is important to note that the review by the ICO is not intended to be guidance but is useful for those who are in charge of their organisation’s information security and/or data protection.