
SPECIAL REPORT: CYBERSECURITY


In 62% of the cases, malware was the attack technique employed.


‘As the cost of direct attacks against well-protected organisations increases, attackers prefer to attack their supply chain, which provides the additional motivation of a potentially large-scale and cross-border impact.’


ENISA offers a number of recommendations for customers to manage supply chain cybersecurity risks and their supplier relationships:


Recommendations to manage cyber risk


To manage supply chain cybersecurity risk, the study recommends customers should:


• identify and document types of suppliers and service providers


• define risk criteria for different types of suppliers and services, such as important supplier and customer dependencies, critical software dependencies, and single points of failure


• assess supply chain risks according to their own business continuity impact assessments and requirements


• define measures for risk treatment based on good practices


• monitor supply chain risks and threats, based on internal and external sources of information and on findings from suppliers’ performance monitoring and reviews


• make their personnel aware of the risk.


Additionally, to manage their relationships with suppliers, ENISA highlights measures customers should adopt aimed at preventing cyberattacks, including:


• manage suppliers over the whole lifecycle of a product or service, including procedures to handle end-of-life products or components


• classify assets and information that are shared with, or accessible to, suppliers, and define relevant procedures for their access and handling


• define obligations of suppliers for the protection of the organisation’s assets, for the sharing of information, for audit rights, for business continuity, for personnel screening, and for the handling of incidents in terms of responsibilities, notification obligations and procedures


• define security requirements for the products and services acquired


• include all these obligations and requirements in contracts; agree on rules for sub-contracting and potential cascading requirements


• monitor service performance and perform routine security audits to verify adherence to cybersecurity requirements in agreements; this includes the handling of incidents, vulnerabilities, patches, security requirements, etc.


• receive assurance from suppliers and service providers that no hidden features or backdoors are knowingly included


• ensure regulatory and legal requirements are considered


• define processes to manage changes in supplier agreements, e.g. changes in tools, technologies, etc.


Moreover, as any product or service is built from or based on components and software that are subject to vulnerabilities, suppliers should implement good practices for vulnerability management, such as:


• ensure that the infrastructure used to design, develop, manufacture, and deliver products, components and services follows cybersecurity practices

