A supply chain is a network of companies and individuals involved in the production of a product or service. It includes the critical links between your organization and others that help you serve your customers. Whether you own a flower shop or an advertising agency, the quality and security of your supply chain is a key factor in the success of your organization.
Supply chains increasingly feature the bidirectional movement of digital information in addition to the movement of products, services, and currency. Cyber threats propagate through digital information transfer, meaning supply chains provide an extended attack surface against Canadian organizations and an alternative route for cyber threat actors to act against an organization’s networks.
As an organization owner, have you ever thought about the kind of information you share across your supply chain? Do you know how your suppliers handle and store your information? It is important to ask these and other questions to keep your organization secure. Cyber attacks are not only costly to address but can put your organization and its reputation at risk.
On this page
- Risks to your supply chain
- Verifying your supply chain for weak links
- Evaluating your supply chain
- Addressing IT security concerns
- Creating supply chain security processes
- Learn more
Risks to your supply chain
You may not think that your small or medium-sized organization is a target for threat actors, but it could be. All organizations, no matter their size, hold information that makes them attractive targets to cyber threat actors. Small and medium-sized organizations may also use outdated software or hardware that requires replacement or updates, leaving them vulnerable to threat actors looking for soft targets.
Threat actors may target your supply chain, especially if your organization:
- collects personal information from clients, such as
  - names
  - addresses
  - phone numbers
  - email addresses
  - birthdays
- possesses trade secrets or other intellectual property
- has competitors interested in learning the identity of your clients
- uses point-of-sale systems that hold credit card and client information
- connects to other databases or systems of interest to a threat actor via your supply chain
- is responsible for critical infrastructure systems that may be targeted by state-sponsored attackers
Remember, even if your organization has top-notch security, a vulnerable partner in your supply chain is a risk to everyone in the chain.
Verifying your supply chain for weak links
A chain is only as strong as its weakest link. You should verify the risk of supply chain compromise and the trustworthiness of the products and services you buy, download, or access for free. When you take the time to understand and secure your supply chain, you reduce the possibility of sensitive information falling into the hands of threat actors. Your customers will also feel more comfortable engaging with your organization knowing that you have taken steps to secure their information.
Evaluating your supply chain
The first step in securing any supply chain is to know which of your vendors have access to your data and support your critical business functions. You can’t approach all vendors the same way. Knowing your vendors will assist you in examining your supply chain for weaknesses. You may find vulnerabilities in your information technology (IT) and operational technology (OT) equipment and devices. You may also find vulnerabilities in other aspects of your supply chain, such as access controls to physical premises or systems, transportation or product sourcing.
You should create an inventory of all third parties that interact with your organization, including vendors, contractors and service providers. We also recommend you categorize or classify third parties based on their criticality to your organization’s operations. For example, a compromise of a critical supplier that provides essential components would have a higher impact than a compromise of a non-critical service provider.
When evaluating your supply chain, start with the following considerations:
- Evaluate the kind of information you share with your suppliers and contractors
- Understand what needs to be protected, such as organizational assets and sensitive information
- Be aware of the types of cyber threats your company could face and develop security controls around your specific threat environment
- Know that tampering can occur or unauthorized replacement parts can be installed when
  - electronic equipment is serviced or repaired, or
  - new equipment is shipped or received
- Understand that malicious activity, including covert installation of unauthorized software, can occur when software is installed, updated or uninstalled
- Beware of counterfeit goods sold by unofficial resellers and always buy hardware and software from vendors approved by the manufacturer
- Ensure only trusted personnel, including contract personnel, have access to sensitive data like company secrets, financial information and personal information
- Request and assess the security plan of a supplier’s facility if you intend to store sensitive information or devices offsite
Addressing IT security concerns
You should work with your IT service providers and vendors to address supply chain concerns. These providers can be the company hosting your online store, the IT service team that maintains your equipment, or the company that sells you IT equipment. Your supply chain includes all software and digital services you use. This includes platforms such as free open-source software, mobile applications (apps), and spreadsheet templates.
Here are some sample questions you can ask these providers:
- How do you protect customer data?
- How do you encrypt data?
- Where do you store customer information: in the cloud, onsite, or on a PC?
- What ongoing connections do you maintain to our organization’s hardware and software?
- How long do you retain information and how do you destroy it?
- Do you share information with third-party contractors?
- How do you secure your network and devices against attacks?
- How do you ensure software is up to date and how do you address known vulnerabilities?
- What is your disaster recovery strategy?
- Do you follow regulations for the data you process, and do you have the proper certifications?
- How quickly do you release security patches and updates after discovering vulnerabilities?
- Will you inform me if there has been a cyber event? If so, how quickly?
Creating supply chain security processes
Your organization should create clear processes to help prevent security issues stemming from your supply chain. These should include:
- setting minimum security requirements for your suppliers
- prioritizing security considerations when choosing between 2 solutions of similar cost and function
- adding clauses to address basic supply chain risks when contracting for products and services that may affect your infrastructure or data
- including stipulations in contracts that vendors notify your organization within a specified time frame in the event of security incidents and vulnerabilities
- building assurance activities like internal audits and risk assessments into your supply chain management strategy
- reviewing your supply chain security as your organization changes
- re-evaluating contractors and suppliers regularly to ensure they still meet your security requirements
- considering place of origin and the implications of foreign ownership in your procurement
- maintaining open lines of communication with suppliers
- promoting awareness and continuous improvement of your supply chain security
- being aware of the latest and most common cyber attacks and preparing a response plan that includes tabletop exercises
- regularly rescreening and retraining your employees on cyber security supply chain essentials
- ensuring your systems stay up to date with the latest security patches to protect from cyber attacks and security threats
- using third-party assessments to assess critical suppliers
- creating plans to manage supplied product obsolescence
Learn more
- Cyber supply chain: An approach to assessing risk (ITSAP.10.070)
- Protecting high-value information: Tips for small and medium organizations (ITSAP.40.001)
- Top measures to enhance cyber security for small and medium organizations (ITSAP.10.035)
- Foundational cyber security actions for small organizations (ITSAP.10.300)
- Protecting your organization from software supply chain threats (ITSM.10.071)
- The cyber threat from supply chains