For many years, Aston Information Security has been flagging the risk in the supply chain and the concern over the chain reaction triggered by a single attack on a single supplier, which can compromise an entire network of providers. Supply chain attacks are on the rise and are expected to multiply by 4 by the end of 2021 compared to the previous year. This trend emphasises how important it is for policymakers and CISOs to act quickly. Protective measures to prevent and respond to future supply chain attacks, whilst also mitigating their impact now, must be implemented as soon as possible.
According to a recent ENISA report – Threat Landscape for Supply Chain Attacks, which analysed 24 cyber attacks, robust security protection is no longer enough when attackers have already shifted their attention to suppliers. The increasing impact of these attacks, such as downtime of systems, monetary loss and reputational damage, highlights the huge risk CISOs now face.
When we work with clients, we ask them, first and foremost, to lift the lid on their cyber security processes and policies for suppliers and ask themselves…
- Do we really know where our customers’ data is?
- Do we know how the data is being processed, and what technical and organisational safeguards are in place to protect it?
- Does the supplier have strict IT policies in place and do these match our own standards?
- Do we have the right to audit them?
These critical questions must be addressed before entering into a partnership with a third party, and they must be revisited on a regular basis, or else the organisation faces the very real risk of a data breach. Sadly, however, this is an area that is often overlooked, both in terms of business investment and the resources applied to it.
Barriers to effective supplier cyber security risk management
Recently the UK Government issued their response to the results of their “Call for Views” on supply chain cyber security and set out their understanding of the main barriers stopping organisations from more effectively managing supplier cyber security risk. They cited the following barriers:
- Low recognition of supplier risk
- Limited visibility into supply chains
- Insufficient expertise to evaluate supplier cyber security risk
- Insufficient tools to evaluate supplier cyber security risk
- Limitations to taking action due to structural imbalances
A staggering 67% cited limited visibility into supply chains as a severe barrier to managing third-party supplier risk, and 53% cited low recognition of supplier risk as another severe barrier. Since nine in ten respondents thought that ‘low recognition of supplier risk’ and ‘insufficient expertise to evaluate supplier cyber security risk’ are barriers, we can see where action needs to be taken. If leaders do not recognise the risks attached to a supply chain cyber breach, they will not invest in the resources to manage it.
Respondents to the “Call for Views” detailed the limitation of skills and experience, noting that this can be a particular challenge for SMEs. The lack of skilled staff with an understanding of cyber security risk in general means there is no expert advice or guidance on managing supplier cyber security risks more specifically. This is where consultants like us come in for many organisations, but not all businesses have the financial resources to outsource.
The recent GoDaddy cyber attack, which affected 1.2 million customers, is surely an obvious reason for IT and risk managers, CISOs, and those in charge of cyber security to persuade their C-suite that resources are needed to identify the suppliers on whom they rely and assess the information and cyber security controls in place to protect their business. The UK Government states in their response “Addressing supply chain cyber security risk requires investment from organisations, and lack of incentive to do so was identified as a significant additional barrier to cyber resilience. It is the responsibility of senior management and boards to prioritise and drive investment in this area.”
Who is responsible? You or them?
In a hyper-digital, connected and networked society, cyber risks through supply chains now threaten huge infrastructure organisations such as energy grids, water facilities, governments, defence infrastructure and health services, alongside transportation, financial and corporate information technology systems. Over the past few years, huge names like GoDaddy, Audi, Zoom, T-Mobile, SolarWinds and many more have all been victims of hackers. But when it comes down to an attack caused by a vulnerability in your supplier’s security, who exactly is responsible? You or them? It’s an age-old question that many cyber experts struggle to answer.
In reality though, when your entire reputation is at stake, would you put your trust in another company to break the news to your customers – in the correct legal way and in the compliant timeframe? Could you really rely on your supplier to manage it effectively while they themselves will be challenged internally with the other devastating ripple effects of the breach? Organisations have to question whether that in itself has the potential to increase the risk of reputational damage, potentially leaving the organisation vulnerable and without the ability to control and manage the situation effectively. That is why it is vital to be the one in control.
Don’t let your third-party suppliers be a cyber security blind-spot
According to cyber security services firm BlueVoyant, 80% of organisations they surveyed experienced a breach that came from vulnerabilities in their supplier network within the past year. Yet less than 25% of those organisations monitor their entire supply chain, and only 32% reassess their vendors’ cyber risk position every 6 months. These statistics paint a worrying picture of supply chains as a cyber blind spot for security leaders. Knowledge is key: without it, how can you assess the level of exposure you are up against?
Cyber criminals are resourceful and resilient, moving quickly to take advantage of vulnerabilities. As your supply chains become more complex, your exposure naturally increases, and that is unavoidable. Hackers will find ways to access and get hold of sensitive and personal data, which can have a domino effect on the rest of your supply chain network. Experian highlight the top risks of using third-party suppliers as loss of personal data, online fraud, identity theft, and financial loss or damage.
In the face of this and our ongoing reliance on suppliers, an organisation’s best defence in 2022 is a robust approach to managing third-party cyber risk. This should cover two main categories:
Point-in-Time Assessment
- Information and Cyber Security related certifications/audits
- Supplier Self-Assessment
- On-site Assessments/Audits
On-going Third-Party Risk Management (TPRM) Monitoring
- Open Source Intelligence (OSINT)
- Cyber Security Ratings
How can we help?
There are a number of tools available to understand and convey the cyber risk exposure posed by suppliers/vendors. To find out how we can help you secure your supply chain through effective information security solutions, get in touch.