Supply Chain Cyber Security – defeating the weakest link (Part 1)


It’s an everyday story but it could happen in your business – right under your nose and far more easily than you could have imagined. Who’d have thought that a contractor would cost millions in lost revenue and nearly bring the business to its knees? But that’s what a weak link in your supply chain cyber security can do.

Picture the scene… Brian parks in the street around the corner from work and walks down the side of his company building. The back door, propped half open by the fire extinguisher, makes entry a breeze. He takes off his balaclava and walks down the corridor to the server room. Brian provides IT support to this and other local companies and, as IT system administrator, he has the keys to the server room door…

In a matter of seconds, he attaches the flash drive to the database server to download a backup of the product design that he knows the company has been working on. He pockets the drive and then leaves – as easily and as undetected as he’d entered. The man in the pub had promised him a monkey for the design information. He’s not sure what he will do with a medium-sized primate, but reckons he’ll just sell it to a zoo and get some cash instead.

What does it all mean?

In simple terms, supply chain security (without the cyber bit) means ensuring that the critical components used to develop and deliver goods and services to customers are available when they need to be and are of the right quality.

Supply chain cyber security is very similar – it is about ensuring that an organisation’s critical information and business systems are not compromised or disrupted by any third party suppliers. It’s a topic of increasing and serious concern for both commercial companies and government organisations. They need protection from people like Brian as well as much more sophisticated attackers. And this is on top of other concerns such as the stupidity and ignorance of staff in supply chain companies, as well as just bad luck.

Organisations, particularly large ones, have always relied on suppliers for critical services to some extent, often for functions involving sensitive information such as finance, HR and legal. Typically, only limited consideration has been given to how this information has been protected. The cyber security aspects of supply chain management have been sidelined for some time for a number of reasons:

  • The extent of outsourcing of support functions has been relatively constrained
  • Cyber security threats from the supply chain have either not been realised to a significant extent or, more likely, have not been understood
  • Organisations have been busy focusing on internet-based threats to their business instead

What has changed?

Over the past 10 years the way that business is conducted (and the cyber threats it faces) has moved on considerably:

  • Many more organisations are outsourcing more key functions (such as IT support) to reduce costs
  • Significant impacts from supply chain cyber security compromise have been reported for organisations such as Target, PA Consulting and Sage, and large numbers of organisations have been compromised through the Energetic Bear/Crouching Yeti hack
  • There is a growing recognition that the supply chain is often the weakest cyber security link

Organisations want to reduce costs, so it makes sense to outsource services to specialists that can offer economies of scale (such as cloud providers) or expertise too expensive to maintain in-house (such as legal support).

One of the consequences of this approach is that the organisation’s information and, critically, often that of its customers, is now potentially exposed to a wider group of people. With responsibility for information security remaining with the originating organisation, it now has to consider – does the umbrella of protection extend to the outsourcing providers?

Government organisations have had a requirement to consider the cyber security consequences of outsourcing under information security policy since 2008 (Security Policy Framework). The current version of this policy requires that government organisations will have “arrangements to determine and satisfy themselves that Delivery Partners, service providers and third party suppliers, apply proper security controls…” Government organisations are assessed annually on their compliance with central security policy and therefore have to take action to meet this requirement.

Managing supply chain cyber risk

Over the past two to three years there has been considerable effort in government organisations to understand, and then to manage, supply chain cyber risk.

The Cyber Essentials Scheme was introduced and has been mandated for some government contracts since October 2014. The Cyber Security Model is being implemented in the next couple of months for the defence industries and will require supply chain companies to demonstrate to the MOD that their cyber security is mature enough to meet the requirements.

Outside of government (but very relevant to public sector procurement), IA Inside from Ascentor has been developed to help buyers and suppliers make cyber security holistic, integrated and effective throughout the project lifecycle.

The principles of the Data Protection Act 1998 require that personal information is protected at all times and this responsibility lies with the data owner, regardless of who else is given access to the information. Other industry regulations, and increasingly contractual conditions, require that information is protected at all times.

What does this mean for your organisation?

If you outsource services to external providers you need to have an understanding of who has what aspect of your information and then determine how much it matters. You should do this because not protecting your critical information leaves your business exposed to fines under the Data Protection Act or to theft, loss or corruption of the data by cyber attackers. You will probably need to do this as well because of legal, regulatory or commercial contractual requirements.

If you are a supply chain company you need to demonstrate to clients that you are a ‘safe pair of hands’ and that customers should choose your services over competitors because you offer a solution that covers their information security requirements. Increasingly, you will have to do this because the customer will make it a contractual condition. Do you jump or wait to be pushed?

Coming next…

Compromising your cyber security shouldn’t be this easy for Brian. That’s why, in Part 2 of this exploration of supply chain cyber security, we will look at what organisations can do to improve their management of this important issue. As the Chinese philosopher Confucius said “When you understand where your sensitive information actually is then you will be on the path to true enlightenment, Grasshopper.”

For further information

If you have found this article of interest, the Ascentor blog regularly carries articles about Information Assurance (IA) and cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter.

If you’d like to discuss how our consultants could advise on any aspect of IA and cyber security, please contact Dave James at Ascentor.

Email: [email protected]

Office: 01452 881712

Web: ascentor.co.uk
