Understand the threats and risks from your supply chain

The threats from your supply chain come in many forms. For example, a supplier may:

• fail to adequately secure their systems
• have a malicious insider working for them
• carry out malicious acts for their own gain.

Or, you may fail to clearly communicate your security requirements, so a supplier does the wrong things.

You could be exposed to a combination of the following risks:

• harm to your people or customers
• loss of data
• privacy breaches
• loss of intellectual property
• disrupted services
• financial risks
• reputational risks.

Consider a range of threat scenarios

The following examples illustrate potential supply chain relationships and risks.

A contractor exploits their access to your premises

A maintenance contractor with after-hours access steals and sells your computers to pay off debts. The computers contain intellectual property belonging to several companies you work with.

A supplier to one of your direct suppliers is hacked

A supplier to the original party you contracted with has their ICT systems hacked. (In 2017, this happened to an Australian defence contractor. The hacker stole highly sensitive commercial information on the build and design of new fighter jets, navy vessels, and surveillance aircraft. The contractor — a 4th level supplier — had failed to implement and maintain security measures appropriate to the nature of the work.)

A direct supplier fails to disclose details of its third-party suppliers

You seek system support from your direct supplier only to find that the support is being provided through overseas based third-parties. The accessibility of your sensitive information and/or intellectual property from outside the country makes it more susceptible to theft or compromise.

A direct supplier fails to carry out due diligence on its own supply chain

Your direct supplier is unwilling to take responsibility for a password weakness vulnerability that has been detected in your system. The vulnerability has been created by one of its third-party suppliers or contractors. Your system remains in a vulnerable state while you seek satisfaction from the direct supplier and may make remediation of the vulnerability slower and more expensive.

Your IT provider is caught up in a global cyber intrusion campaign

A widespread campaign targets service providers who manage IT and cloud providers who store information. You are one of several government agencies and private companies whose sensitive information and valuable intellectual property is compromised and sold on to other parties.

A contractor working for a supplier steals information

A security guard contracted to a supplier, steals documents containing national security information. They attempt to sell the documents to a foreign intelligence service.

New IT equipment is found to be vulnerable

An interruption to your supply chain means that an alternate IT equipment provider is quickly needed.  The equipment from the new supplier contains a deliberate vulnerability that has been introduced in the factory.  This vulnerability is later exploited by a state actor.

Your people procure IT without authorisation

A team starts using a new cloud-based service to co-design a new product without going through a procurement process or engaging with your IT security people. Your intellectual property is exposed through this ‘shadow IT procurement’.

A third party exploits their access to your information

You purchase an information technology solution in a software-as-a-service (SaaS) arrangement. You are unaware that it is hosted offshore by a third party. Staff from the offshore provider use their authorised access to the systems storing and processing your information to steal your intellectual property and your clients’ personal information.

You fail to adequately brief a supplier on your security needs

You engage an external supplier to help with launching a new product. However, you don’t communicate your security needs adequately, especially the sensitivity of the information they have access to. The supplier shares your information more widely than you would like and reduces the impact of your product launch.

More information

• Supply chain security collection (CPNI — UK Centre for the Protection of National Infrastructure)
• New Zealand Information Security Manual (NZISM) — Supply chain
• Office of the Auditor-General — Procurement Guidance for Public Entities

Page last modified: 4/05/2022