Understand threats and risks from your supply chain
Your supply chain may contain several potential threats, such as:
- Insecure systems;
- An employee with malicious intent;
- Individuals seeking personal gain through malicious behaviour.
Failing to communicate your security requirements can lead to inappropriate actions by suppliers. You could be faced with the following risks:
- Injury to personnel or customers;
- Data loss;
- Violations of privacy;
- Theft of intellectual property;
- Disrupted services;
- Financial losses;
- Reputational damage.
Analyse potential threats
Consider various threat scenarios and the corresponding risks in supply chain relationships. Examples are provided for reference.
A contractor exploits their access to your premises
A maintenance contractor with after-hours access steals and sells your computers, containing intellectual property belonging to several companies you work with, in order to pay off debts.
A supplier to one of your direct suppliers is hacked
In 2017, an Australian defence contractor's systems were hacked, resulting in the theft of confidential information on the build and design of new fighter jets, navy vessels, and surveillance aircraft. The contractor, a 4th-level supplier, had failed to implement and maintain security measures appropriate to the nature of their work.
A direct supplier fails to disclose details of its third-party suppliers
You seek system support from your direct supplier, only to find that it is being provided by overseas-based third parties. This makes your sensitive information and/or intellectual property more susceptible to theft or compromise.
A direct supplier fails to carry out due diligence on its own supply chain
Your direct supplier is unwilling to take responsibility for a weak-password vulnerability that has been detected in your system. The vulnerability was introduced by one of its third-party suppliers or contractors, and your system remains exposed while you seek resolution from the direct supplier, potentially making remediation slower and more expensive.
Your IT provider is caught up in a global cyber intrusion campaign
A global campaign has targeted service providers managing IT and cloud providers storing information, resulting in the compromise and sale of sensitive information and valuable intellectual property from several government agencies and private companies.
A contractor working for a supplier steals information
A security guard contracted to a supplier steals documents containing national security information and attempts to sell them to a foreign intelligence service.
New IT equipment is found to be vulnerable
An interruption to your supply chain requires the use of alternate IT equipment. This equipment, sourced from a new supplier, has a deliberate vulnerability that has been introduced in the factory and is later exploited by a state actor.
Your people procure IT without authorisation
A team starts using a new cloud-based service to co-design a new product without procuring it through a process or engaging with your IT security people. This 'shadow IT procurement' exposes your intellectual property.
A third party exploits their access to your information
You purchase an information technology solution in a software-as-a-service (SaaS) arrangement, unaware that it is hosted offshore by a third party. Staff from the offshore provider take advantage of their authorised access to your systems, stealing your intellectual property and your clients' personal information.
You fail to adequately brief a supplier on your security needs
You engage an external supplier to help with launching a new product, but fail to communicate your security needs, including the sensitivity of the information they have access to. As a result, the supplier shares your information more widely than desired, weakening the impact of your product launch.