A reality of doing business in the digital economy is that suppliers and third parties are an integral part of an organisation’s infrastructure – a fact that only increases the need for vigilance throughout the supply chain, says George Scott, Director in KPMG’s Cyber Security team.
- Complex and inter-connected supply chains are increasing the risk of cyber attack and the need for greater vigilance.
- Many organisations are unaware and ill-prepared for the threat levels posed by the weakest links in their supply chain.
- Creating a cyber-resilient supply chain can be one of the toughest jobs in the current business environment.
- Cyber Essentials accreditation is a Government-backed scheme to help organisations implement a set of technical controls that should provide basic protection against the most common cyber threats
Our world has never been more connected than it is today and the rate at which new connections are being made has never been faster. Estimates say it is some seven or eight years since the number of devices connected to the internet exceeded the number of people on earth. If you consider the number of internet enabled devices you now own (you’re probably reading this on one!), you’ll notice how dependent we’re all becoming on being connected.
This is true for business and our economies too. The pressure is on to offer digital services, to reach more customers, to understand your customer’s preferences and patterns of behavior, and to be available for business 24/7! Initially, the drive was for online retailers to offer convenience shopping through attractive websites that were ‘sticky’ and held your customers attention. Today, the need for internet based connectivity and the opportunity to derive significant benefits extends well beyond the retail sector. Businesses operating in sectors such as manufacturing, energy and resources, healthcare and even agriculture, are finding ways to cut costs, improve efficiency and gain access to new markets by connecting to one another and sharing information. This creates a chain of connectivity with links to third parties, fourth parties and often far more than that. Interesting, certainly from the perspective of a cyber-criminal!
Cyber-criminals will usually look for a weak link in any supply chain, and if they find one, will try to exploit it and potentially wreak havoc. If you work in a business that owns sensitive information, such as high-value intellectual property, customer information or company plans/strategy (most do), or it’s important that your computer systems don’t ‘go down’ for a prolonged period, then knowing who has access to your systems or data is of the utmost importance.
Does a new connection introduce new risk?
However, many companies aren’t fully aware of the scope and seriousness of the issue.
Every year large companies fall victim to supply chain attacks: One method which has been employed by criminals in the past included use of network credentials stolen from a service providing company. Criminals obtained the login credentials from the service provider, who had access to a larger company’s network, and used them to install malware onto its payment system. This malware stole the credit card details, sending them via technology staging posts onto computers held in another country. It was a breach that saw the debit and credit card records of some 40 million customers stolen.
Developing cyber resilient supply chains can be one of the toughest, yet most important, jobs in the current business environment mainly due to its requirement to technically monitor data exchanges throughout a constantly changing and complex chain of suppliers. It can seem like a never-ending and unenviable task, but it has to be done or the security of an organisation, including its highly sensitive data, may be compromised.
Allowing suppliers, business partners or other third parties to integrate can come with serious risks and is not a decision that should be taken lightly. It requires forensic attention to detail right down the line to make sure your suppliers have systems and networks that do not pose a threat before they are allowed to connect.
What standards could you apply?
One approach involves adherence to minimum standards for third parties before allowing them to connect. There are several standards to choose from. In addition, there can be a requirement for “assurance” in the form of verified certification relevant to the sector or service provided. This philosophy has been adopted by the UK Ministry of Defence (MoD) and may act as a template for organisations in the commercial sector looking to secure their supply chain.
The MoD has stated that from 1st January 2016 any new contracts which require the transfer of identifiable information from customer to supplier, (1) or the generation of information in support of a contract, will require the supplier to have Cyber Essentials accreditation. Cyber Essentials is the Government-backed and industry-supported scheme to guide businesses in protecting themselves against cyber threats.
The MoD also expects this certificate to be renewed annually and that this requirement is flowed down the entire supply chain.
By implementing such contractual obligations, the MoD can gain comfort that an acceptable set of cyber security controls are in place, providing a level of assurance that companies within the supply chain are reasonably secure. Additional requirements can also be applied where there’s a need for more stringent security.
In the commercial world, cyber certification can act as a positive differentiator. Whether the relationship is B2B or B2C, continued press reporting of security breaches and regulatory interest make it likely that we’ll see increasing demands for evidence companies have taken security seriously and can be regarded as ‘trustworthy’.
However, certification on its own is not enough. The ever-changing technology landscape and high-paced ingenuity of cyber-criminals means that cyber security within the supply chain must be a continuous task. What may be considered secure one day may be insecure the next. Without the right level of vigilance, system vulnerabilities and the opportunities to exploit them can be communicated rapidly among the criminal community.
Key questions for businesses to ask themselves are:
- Do suppliers have access to data critical to our business?
- Does the data they have access to have a potential black market value?
- If a breach occurs, can a forensic trail of access and onward transmission be uncovered to identify what data has been stolen, copied, lost or compromised and the potential effects of this?
What about ‘the cloud’?
The development of cloud based services has brought some attractive business benefits that include reduced operating costs, consistency of service and strategic flexibility. But organisations still have to think seriously about the nature of the service they are using and what controls are in place to protect data. For example:
- Is it critical information?
- Is it personal data?
- Is it a service that will be available 24/7?
- Do ‘enhanced’ controls need to be agreed with the service provider?
Control should not mean lost opportunity!
One important challenge in building and maintaining a cyber-resilient supply chain is achieving this while supporting business development and contributing to value creation. There are potential benefits to all parties in getting this right: the business, suppliers, customers, regulators, etc.
All too often, security teams focus on the downside when creating security plans. What could go wrong? What’s the worst case? What do we need to prevent?! Far more impactful in terms of gaining executive support is to consider how plans, such as building a cyber-resilient supply chain, can help the business achieve its goals. Therefore, consider questions such as:
- How will this increase systems/service reliability?
- How could this differentiate us from our competition?
- What costs can be taken out or avoided by this?
- How can we leverage the benefits of leading good practice in our sector?
It’s important to remember cyber-resilient chains need to go beyond immediate third parties and down the entire supply chain. Businesses are often surprised when they discover how many suppliers outsource services to fourth parties and beyond.
Any party that is connected down the line needs to be assessed. If they cannot meet the levels of information assurance, cyber security, data protection or legal governance required, then the business has a tough decision to make. After all, your supply chain is only as strong as your weakest link.