Alex Williamson & Will Smith

Cyber Security Practice

  • Privacy
  • Cyber Security

25 Jan, 2021

Your Supply Chain – Why it Needs Protecting

Recent events have shown that the supply chain should be regarded as an integral part of every organisation’s security considerations.

In this three-part series of articles, we will explore why protecting the supply chain is important, the principles that underly effective protection of the supply chain and finally our approach to helping clients adopt the right due diligence on their suppliers and vendors.

In this first article we explore the reasons why the supply chain needs your consideration and focus.

Long gone are the days when a CISO’s sole concern was the security of their own enterprise’s assets. The increasing dependency on outsourcing and out-tasking has been an unmistakable global trend over the last 20 years.[1] Combined with ever-expanding data sharing requirements and often global reach of supply chains, reliance upon Third-Party assurance has increased exponentially.

Nowadays, the information security of an organisation must incorporate all Third-Party service providers - the extended enterprise needs to be considered. 

However, whilst supplier assurance has traditionally been undertaken by procurement and legal functions, often as single-point, pre-contract assessments, this is no longer a tenable position. Evolving supply chain threats have rendered ‘once and done’ reviews not only ineffectual, but a liability. Instead, they should be replaced with proactive, on-going monitoring and management, sooner rather than later. Where possible a sense of partnership should be developed, over a transactional ‘customer / supplier’ relationship.

Arguably all businesses are dependent, in some way, on suppliers to function. Given the frequent need for businesses to share, access and transport information from one to another, an organisation’s security is only as strong as its weakest link in the supply chain. There is a plethora of cyber risk that must be mitigated within an extended enterprise, ranging from poor practices by lower-tier suppliers to the pressing issue of Third-Party data storage and transportation.

It is perhaps unsurprising that, in 2019, IT professionals cited the unauthorised sharing of confidential data by Third Parties as their second biggest security worry with 41% declaring a Third-Party related incident in the previous 24 months.[2]

To grasp the crux of these concerns, it is important to understand the threats and risks most closely associated with the supply chain.

Why does the security of a supply chain prove so troublesome?

A supply chain is often a complex, interconnected and interdependent web of suppliers and vendors which requires careful, coordinated management to ensure the protection of information being shared with Third Parties.

Confusion over who retains responsibility of protective measures requires clear process design and close coordination between an organisation and its large, medium and small suppliers to mitigate the prospect of data loss or corruption. However, large enterprises so often fail to recognise that smaller suppliers either overlook or cannot afford the same level of data protection and security measures that reside within their own enterprise, amplifying the likelihood of cyber-attacks from within the supply chain.

The stats confirm this; in 2018 the prevalence of supply chain attacks rose by 78% as cyber criminals identified opportunities to target smaller organisations in order to access their larger clients’ information.[3] Arguably this prevalence has been made abundantly clear when the SolarWinds / Sunburst cyber-attack made international headlines in late 2020. Ultimately, the supply chain is viewed by cyber attackers as one of the easiest means of gaining access to the systems and data of organisations; in no small part due to only 15% of all businesses reviewing the cyber security standards presented by their suppliers in 2020.[4] It is perhaps unsurprising then, that supply chain attacks are rising.

Clearly, lessons are not being learned and we do not have to search far or wide to grasp that these issues affect even the most well-known brands.

Before SolarWinds one of the most widely publicised supply chain attacks was the Target data breach in 2014. A Third-Party endpoint was targeted via a phishing email and used to obtain login credentials of the employees of Target’s refrigeration contractor, Fazio Mechanical. The attackers then utilised a vulnerability in a web application portal and entered Target’s infrastructure before escalating privileges and hijacking the retailer’s servers. The attackers managed to obtain the information of 70 million customers. Years later, it is estimated that the breach cost Target $162 million, alongside irreparable damage to the brand.[5]

It is yet to be seen what the fall-out from the SolarWinds cyber-attack will be, it may be that the full repercussions are never known.

What lessons can be learned and what does best practice look like?

As cyber-attackers become more innovative, information security teams must become more diligent to stay ahead of the curve. Adopting the newest and most rigorous cyber technologies, educating staff and implementing effective processes will protect the internal composition of a business.

But, to protect the extended enterprise, more onus needs to be placed on better understanding the relationship with the supply chain, for sure improving vetting and due diligence of vendors and suppliers but also developing a trusted partnership

Call to action

Consequently, listed below are some foundational principles that should form the basis of any supply chain risk mitigation:

  • Mandate a set of security expectations and requirements in every RFP and contract with any future partner, at a minimum operating with the Cyber Essentials certification.[6] However, Third Parties may illustrate compliance to the NIST framework[7] and/or the 20 CIS controls,[8] which could then be used as a steppingstone to the more rigorous ISO27001 certification.[9] 
  • Complete thorough security due diligence on any supplier or vendor before beginning any partnership and, vitally, on an on-going basis via a minimum of annual reviews and vendor engagements. This should include a breakdown of what security tools the prospective partner uses and what security policies the business adheres to.
  • Alongside providing employees with comprehensive security training, your suppliers’ and vendors’ employees should be equally well informed, and their training standards aligned across the supply chain.
  • Ensure all information security teams/SOCs are aware of all data access points and what constitutes an anomalous or unauthorised entry. Establish a clear process between the businesses for what to do when an alert registers an unexpected entry attempt.
  • In addition to using multiple layers of protection and authentication for access to systems, servers and data, ensure wholesale awareness of a supplier’s sub-contracted services and where possible reserve the right to review/audit the Third Parties your suppliers are using.

Supply chain information security management is already a significant issue facing CISOs around the globe, yet, even after the events of late 2020, many businesses continue to drag their feet; failing to respond to and mitigate the associated risks. Traditional approaches to Third-Party due diligence are no longer an acceptable information security barometer. Failing to safeguard your business data within the supply chain, to protect your stakeholders, your employees and your customers constitutes a failure to uphold your fiduciary duties. Adapting and evolving your security capabilities will ensure you maintain the trust of your clients and protect not just your data, but also your reputation.

To discuss how Chaucer can support the security and management of your supply chain, please contact Chaucer's Cyber Security Practice Lead, Alex.Williamson@Chaucer.com

This article was co-authored by Alex Williamson, Cyber Security Practice Lead & Will Smith, Management Consultant, Chaucer


Further Reading

[1] https://www.statista.com/statistics/189788/global-outsourcing-market-size/

[2] https://www.tenable.com/ponemon-report/cyber-risk

[3] https://www.securityweek.com/supply-chain-attacks-nearly-doubled-2018-symantec

[4] https://www.gov.uk/government/publications/cyber-security-breaches-survey-2020/cyber-security-breaches-survey-2020

[5] https://www.bankinfosecurity.com/target-breach-costs-162-million-a-7951

[6] https://www.ncsc.gov.uk/cyberessentials/overview

[7] https://www.nist.gov/cyberframework

[8] https://www.cisecurity.org/controls/cis-controls-list/

[9] https://www.iso.org/isoiec-27001-information-security.html


Alex Williamson & Will Smith

Cyber Security Practice

Momentum and Maturity

Maintaining the integrity of your company, customer and employee data is an operational, reputational, ethical, and ultimately financial imperative.

The losses of failed strategies are too substantial to put cyber security maturity into the ‘to do’ pile.

At Chaucer, we believe cyber security is an enabler not an obstacle to business; that information security and data protection should work with and for you.

Our transformation strategies are human-centred, realistic, supportive of your ambitions and ensure compliance. No matter how many markets you work in.

And taking your people on the journey – at every level of your business – is how we get the best results.

Our energy and commitment to shared learning, build the momentum for new ways of working and the cyber security maturity you need.

Event 08 Sep, 2020

Cyber Security

Data Protection & The Death Of The US Privacy Shield Panel Session

In association with the British American Business Council Of New England Chaucer present a panel session to discuss the death of the EU/US Privacy Shield.

16 Sep, 2020, 05:00pm – 06:00pm

Online

Report 07 Sep, 2020

Cyber Security

EU-US Privacy Shield And Brexit

07 Sep, 2020

Blog 04 Dec, 2019

Data Strategy, GDPR, Privacy

Data Protection And The Use Of A CRM

04 Dec, 2019