In the first part of this blog we created a scenario of just how easy it is to cause a cyber security breach. ‘Brian’ was a contractor with access to the server room. In moments he’d been able to gain access and steal his client’s intellectual property – all without trace. There was a weak link in their supply chain cyber security which he’d found no trouble to exploit.
In Part 2 we introduce a 4 step supply chain cyber security process – and provide links to guidance on supply chain risks and methodologies for assessing an organisation’s security. We also discuss how far down the supply chain you need to manage.
In the first article we considered what supply chain cyber security is:
“It is about ensuring that critical information and business performance, relied upon by a company or organisation, is not compromised or disrupted by the companies supporting it.”
In practice this can be a real challenge – as our earlier scenario demonstrated. As was shown in the first blog, most businesses have outsourced some critical functions such as IT, HR or payroll to external service providers. All of these functions contain information that is important to a company and by giving control to an external body (like ‘Brian’ and his employer), the protection of that information, for which the organisation is responsible, has been given to someone else.
Does this matter? Yes, because:
- IT systems provide access to internal networks, storage systems, databases and devices that hold sensitive company and customer information;
- HR systems contain personal information about staff;
- Payroll and finance systems contain details of company finances, bank account details and staff personal information.
This information could be exposed to the wrong people, be adulterated or destroyed or IT systems could be made vulnerable to malware (i.e. ransomware) or hacking, causing disruption to your business and the inevitable costs and delays involved in putting things right.
Even ignoring apocalyptic scenarios like ransomware (which you don’t think is ever going to happen in your company!) you are legally liable for the security for personal information under the Data Protection Act so it needs to be protected – even if another company is actually ‘hands on’ with it.
So if you feel that ‘something’ should be done to manage your supply chain cyber security where can you start?
Supply Chain Cyber Security – a 4 step process
Here is a basic 4 step process that you could consider:
Step 1: Risk Management:
- Do you know what services you have outsourced? (This sounds bizarre but many companies don’t know exactly).
- For each contract do you know if it involves any sensitive information or functions that are critical to your business (like IT support)?
- For each such contract carry out a simple risk assessment of what happens to your business if the information is compromised, corrupted or destroyed or the critical function fails.
- If sub-contractors are involved, understand what information they will have and how they will store, process and access the data provided to them.
- Think of things like remote access security, BYOD usage and physical security.
- What assurances can the supplier provide that they are keeping the data secure?
- Establish if supplier assurances are within your risk appetite. If not, provide specific detailed security requirements and conduct your own assessment of how well they are implemented.
- Decide what you can realistically do to prevent security issues happening in the first place and to reduce the consequences if they do happen. (You can’t get rid of risk completely but at least you will know what it is).
Step 2: Put Cyber Security in contracts with suppliers:
- Be an intelligent customer and have security requirements in contracts. (Don’t be adversarial but specify clearly what you expect as part of the service).
- Have a supplier on-boarding process that includes a high level assessment of company security.
- For contracts involving personal data, define the roles of data controller and data processor.
- Include supplier contracts within the scope of any Cyber Insurance that may be in place. Incident management may need to widen the scope further than just your own company.
- Specify what is expected from all parties in the event of service failure.
Step 3: Incident management:
- Include supply chain incidents in your own incident management plan.
- Work with suppliers to confirm that they have an incident management plan and that it can align with yours. (Work with suppliers to get the right answer for both of you).
- Have a clear understanding of which organisation has what responsibility in the event of an incident.
Step 4: Assurance frameworks:
- Have a mechanism to assess the security of each supplier. Have maturity levels for continuous improvement.
- Understand what security is needed for the business and avoid ‘box ticking’.
- Use existing certifications such as ISO27001 or Cyber Essentials.
- Make security requirements clear and achievable.
- Work with suppliers where there are deficiencies.
Government and larger organisations are looking at ways to understand and manage supply chain risks and there a number of methodologies to both assess risks and to assess the maturity of supply chain companies.
Methodologies for assessing an organisation’s security include: the Information Assurance Maturity Model and the ISF Supply Chain Information Risk Assurance Process (SCIRAP).
There are tools for assessing supply chain risks and these include: Hadrian, NIST, CDCAT, Rizikon and Cyberwiser. The MoD proposes to deploy a tool based upon Hadrian that will assess and report on the maturity of all its suppliers.
How far down the supply chain do you need to manage?
The realistic answer is ‘it depends’, because it is a matter of how far down the supply chain the information you care about goes.
So how does all of this help? Well, considering the scenario in Part 1 of this blog of Brian the outsourced IT provider stealing proprietary information, what could have been done differently?
- The risk of outsourced IT could have been recognised and additional security controls put in place such as:
- No unescorted or out of hours access for contractors.
- Technical controls to prevent unauthorised USB devices on servers.
- Logging and audit mechanisms to detect unauthorised access and/or data download.
- Brian’s company could have been assessed to confirm that its personnel security measures were robust enough to avoid employing ‘Brians’.
- Brian’s company could have been made liable for his actions (if detected).
Supply chain cyber security is a very real issue for companies. If you are going to understand and manage the risks to information you care about this aspect must be included. As ever it is largely common sense – where is the information, what are the risks and what can you do about them?
If you need guidance on how to assess your supply chain risks Ascentor can help.
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about Information Assurance (IA) and cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter.
If you’d like to discuss how our consultants could advise on any aspect of IA and cyber security, please contact Dave James, MD at Ascentor.
Office: 01452 881712