Supply chain risk has long been recognised as a business risk. Organisations never operate fully independently and rely on the services provided by many companies. In today’s highly connected business environment it is essential that organisations recognise the cyber security and data protection risks of their supply chain.
A firm’s supply chain can be thought of in a number of ways: direct suppliers, partners, subsidiaries and fourth parties (firms that provide services to your suppliers). Each one will require assessment and appropriate controls to be put in place.
The threat posed by the supply chain is now the third largest cyber risk to an organisation; just behind that of email phishing and IT system vulnerability exploitation.
Supply chain attacks have become commonplace. One example is the attack on Target stores in the USA in 2014. Here a criminal attacked the company that maintained the air conditioning in Target stores. Once these industrial control systems were compromised the attackers gained access to the primary network, including access to the check-out tills. Recently we saw an attack on British Airways. This attack made use of a compromised third-party application that was being used on the BA website and mobile app.
There are a number of potential risks to be considered:
Often cyber criminals will attempt to exploit the data held by suppliers rather than directly attack a particular target. For example, accountants and other professionals will often store and process financial and other essential information on behalf of their clients. The information held by an accountant during a merger or acquisition, for instance, could be of use to a competitor. Poor risk management of the supply chain could expose this valuable data.
How to manage supply chain risk?
Risk assessment is at the heart of all risk mitigation. When assessing a supplier it is essential to understand your own ways of working and use of data. Once this is understood it is then possible to plan your due diligence of a supplier accordingly. In this case, GDPR can help us. GDPR requires organisations to understand the data they keep, how they use it and how they protect it. This documented assessment can help an organisation assess its cyber security requirements and in turn inform its due diligence of a potential supplier.
It is becoming increasingly common for organisations to ask for evidence of a supplier’s approach to cyber security. For example, do they have a CISO or DPO in place? What security standards do they adhere to? Are staff trained in cyber security awareness? Do they have written policies for staff?
Once the assessment has been completed and a supplier selected it is necessary to ensure the appropriate controls are in place. If possible, these should be specified in the contracts with suppliers. One example would be a clause ensuring that the company is informed if the supplier makes changes to its own supply chain.
It is essential to remain vigilant to the ever-changing threat landscape and how this may affect you and your suppliers. This is never easy, but making use of resources like NCSC CiSP can really help.
Finally, it is worth considering how you may release one supplier and move to another. We are all aware of the need to secure assurances and documentation that a supplier no longer has any of your data; a good example is the delivery of a data destruction certificate when a contract ends. Access to your systems and data also needs to be actively managed. Has a supplier installed any remote access or management tools? Another question to ask is what information a supplier has about your operational procedures that could later be used by an attacker, for example knowing that an organisation always creates new accounts with the same default password. Potentially this form of ‘insider threat’ could be used to regain access to your systems.
No organisation has unlimited resources. Understanding what your key data assets are and how they are used will help you prioritise your assessment and management of your supply chain.
As with GDPR, continuous assessment and management of the key risks is essential to remaining secure and operationally resilient.