
Pay attention to the supply chain

Supply chain security risks and their mitigation in the use of IT services and software.

Imagine that the same IT service or software product is used simultaneously by a law firm, a retail chain, and a construction company. Instead of attacking each organisation individually, it may be easier for a malicious actor to compromise the shared software or its provider and gain access to every customer's systems through that single point of entry. This is known as a supply chain attack.

Such attacks can disrupt system operations, corrupt data, and lead to leaks of sensitive information. They often result in both financial losses and reputational damage.

If you use software or hardware from another company (a third party), you must be aware that this introduces supply chain security risks: a weakness in the supplier's product, build process, or operations becomes a weakness in your own environment.

To reduce these risks, it is advisable to:

  1. verify whether the service provider has undergone security audits, and whether those audits cover the topics relevant to your organisation (for example the specific service you are buying, not only the provider's corporate IT);
  2. sign a contract that specifies security operations such as log management, network monitoring, the allocation of access rights, and network segmentation;
  3. define specific security requirements for the services and products you are buying and include them in the contract;
  4. agree on designated contact persons and communication procedures for security issues on both sides;
  5. establish clear actions to be taken in the event of service disruptions or other security incidents, including notification deadlines;
  6. regularly request system monitoring reports from the service provider and review them.

Please remember!

Check whether the cybersecurity requirements set out in the contract are actually being followed, and find out how the service provider handles incidents, vulnerabilities, security patches, and compliance with the agreed security requirements. A requirement that is written into the contract but never verified offers little protection.

Special attention should be given to supply chain risk management. This includes keeping an up-to-date inventory of service providers and the systems and data they can access, and identifying the risks associated with using each third-party software or hardware product. To reduce these risks, it is worth consulting the risk management guidelines of the Estonian Information Security Standard (E-ITS) and applying the standard more broadly across the organisation.