The Government Communications Security Bureau’s National Cyber Security Centre (NCSC) has released guidance to help executives and cyber security professionals manage ICT supply chain security risks.
NCSC director Lisa Fong said a recent spate of high-profile cyber security incidents reinforced the importance of managing cyber security across the supply chain.
“Supply chain vulnerabilities are amongst the most significant cyber threats facing organisations today,” Fong said.
“Major incidents like last year’s global distributed denial of service (DDoS) campaign which significantly impacted a range of New Zealand organisations, and the compromise of file transfer software used by the Reserve Bank, reinforce the critical importance of supply chain cyber security,” she said.
The Reserve Bank of New Zealand lost confidential data as the result of a global attack on a legacy version of Accellion's file transfer software over the Christmas period. A KPMG report on the incident is expected imminently.
The NCSC’s new resource, "Supply Chain Cyber Security: In Safe Hands", is the third release in a guidance series based on analysis of 250 New Zealand organisations’ cyber security resilience.
Previous releases focused on improving incident management and cyber security governance.
Fong said cyber security threats target organisations’ most vulnerable points.
“As organisations strengthen their own cyber security, their exposure to cyber threats in the supply chain increasingly becomes their weakest point.
“Digital interaction with supply chain elements can occur across many aspects of an organisation’s operation, not just the IT or procurement teams.
“For example, a marketing department might use a third-party service to store a customer information database in the cloud.”
The guidance outlines three phases in establishing an effective capability to manage supply chain cyber risk and improve organisational cyber resilience: identify, assess and manage.
The first is to identify who the critical suppliers are and to understand which key assets and services are most exposed to threats in the supply chain.
The second is to assess vulnerabilities in the supply chain and allocate resources to increase the cyber security resilience of the critical areas.
Finally, manage supply chain risk through a programme of monitoring, cyber security performance assessment, and integration of supply chain risk into organisational risk management frameworks.
The guidance, described as an introduction to the issue, is designed for both government and non-government organisations of varying sizes and capabilities.
“We hope organisations will use this as a resource to support the conversation between practitioners and leadership to better identify and manage supply chain cyber security risk,” Fong said.