Why cyber security in the supply chain remains a hot topic
By Matthew Tyler, CEO, Blackfoot
The National Cyber Security Centre (NCSC) outlined in its ‘The Cyber Threat to UK Business Industry 2017-2018 report’ that the supply chain presents an increasing threat to organisations, no matter how robust their internal cybersecurity strategy is.
To confuse matters, there are 2 NCSCs: The U.K. National Cyber Security Centre and the US National Counterintelligence and Security Centre. The good news is that they are both warning of the same thing; an increased risk of cyber-attacks with threat actors specifically targeting supply chains, partner organisations and third parties, as an unguarded source of attacks.
As organisations close their cyber windows and doors, increasing their levels of perimeter security, threat actors move to find the next weakest link in the chain. The supply chain, or more broadly, partner companies, which in many cases consists of organisations who are smaller and have less budget, resource or expertise for cybersecurity, has become an obvious target.
Examples of cyber incidents caused by attacks via the supply chains are numerous and increasing quickly. The September 2018 British Airways (BA) data breach is a perfect example of this. BA was hacked, the attackers changed the code sent to merchants diverting user traffic to a fraudulent site. Through this false site, customer details were harvested by the attackers and the personal data of approximately 500,000 customers were compromised.
Data breaches and the loss of the availability of critical systems are the top 2 issues both NCSCs are warning of.
In our experience, it is still rare for a large enterprise to be able to answer these 3 basic questions.
- What data do we hold?
- Do we know where it all is?
- Do we know who has access to our data?
With increased sharing of data, interconnectivity and outsourcing of services, these questions are becoming harder and harder to confidently answer.
For UK businesses, the changes to legislation make legal redress from regulators and affected customers or staff far easier and have therefore increased the value of the data as well as increasing the risks to that data.
At a time when managing data protection has never been more important, the question of your partners’ security is one that should be answered because if the worse happens, no-one will care if it was caused by a partner and as the data controller, your organisation will be liable.
The traditional approach
Managing supply chain risk was traditionally managed through spreadsheets, by issuing questionnaires and in some cases performing onsite audits. The problems with this approach are many and include a lack of budget and resource to manage the process, the quality and accuracy of information coming back from the partner, identifying, communicating and negotiating on the level of security the partner should have, and effectively managing what can often be thousands of suppliers and partners.
With most organisations needing to show ‘improving’ supply chain management under Data Protection Act 2018 and GDPR, along with most industry regulators looking for an improvement in the industry’s approach to cybersecurity, time is running out for the traditional way of doing things and it’s not something your information security team can do in isolation.
With a need to move to more of a partnership approach, large organisations are viewing partners and suppliers as an extension of their own business, lending support and assistance, sometimes tools and technology to improve the partner’s security. A good example of this is the introduction of cyber assurance tools to the process, giving all parties simple to understand, consistent method of measuring what’s needed to stay secure.
In addition, businesses are recognising this as a business issue and increasingly involving legal and procurement departments to educate them on the importance of partner cybersecurity and working with them to introduce due diligence into their boarding / contracting processes.
Blackfoot is hosting a webinar explaining what regulators are looking for and how the most mature organisations are looking to manage cyber risks in their supply chains.
A smarter approach.
At Blackfoot, we take great pleasure in problem-solving and using some creative thinking to make things better.
Here are our top tips for better managing your partner/ supplier risk:
- Identify which partners present the largest risk to your organisation. You might consider the services they provide, the system access they have, the data they access and the criticality of the service they provide.
- Use cloud technology such as Blackfoot Risk Scorecards to risk rate your partners. Blackfoot Cyber Security Scorecard enables businesses to monitor cyber risk and supply chain risk by performing non-intrusive risk assessments. It converts publicly available data into actionable risk intelligence in the form of a scorecard
- Spend some time with your legal and procurement departments to educate them on the importance of cybersecurity of your partners and work with them to introduce due diligence procedures