High-profile cyber incidents reinforce cyber risks in supply chains.
The New Zealand Government Communications Security Bureau’s National Cyber Security Centre (NCSC) has developed resources to help business leaders and cyber security professionals better understand and manage the cyber security risks in supply chains.
NCSC Director Lisa Fong said the recent spate of high-profile cyber security incidents reinforces the importance of managing cyber security across the supply chain.
“Supply chain vulnerabilities are amongst the most significant cyber threats facing organisations today,” she said. “Major incidents like last year’s global distributed denial of service (DDoS) campaign which significantly impacted a range of New Zealand organisations, and the compromise of file transfer software used by the Reserve Bank, reinforce the critical importance of supply chain cyber security.”
The NCSC’s newly released resource Supply Chain Cyber Security: In Safe Hands is the third release in a guidance series based on analysis of 250 New Zealand organisations’ cyber security resilience. Previous releases focused on improving incident management and cyber security governance.
Fong believes cyber security threats target organisations’ most vulnerable points.
“As organisations strengthen their own cyber security, their exposure to cyber threats in their supply chain increasingly becomes their weakest point,” she noted. “Digital interaction with supply chain elements can occur across many aspects of an organisation’s operation, not just IT or procurement teams. For example, a marketing department might use a third-party service to store customer information in a database in the cloud.”
The guidance outlines three key phases in establishing an effective capability to manage supply chain cyber risk and improve organisational cyber resilience:
“Identify who your critical suppliers are and understand which of your key assets and services are most vulnerable to threats in your supply chain,” explained Fong.
“Assess vulnerabilities in your supply chain and allocate resources to increase the cyber security resilience of critical areas.
“Manage supply chain risk through a program of monitoring, cyber security performance assessment, and integration of supply chain risk into organisational risk management frameworks.”
The guidance was designed for both government and non-government organisations of varying sizes and capabilities and provides an introduction to understanding and managing supply chain cyber risk, said Fong.
“We hope organisations will use this as a resource to support the conversation between practitioners and leaderships to better identify and manage supply chain cyber security risk,” she said.