Find the weakest link and exploit it. Nothing new there for a cyber attacker’s strategy. But with the interconnectivity we have nowadays and the reliance on the supply chain, cyber security assurance is essential and required. One weak link can open up the chain both upstream and downstream. Relying on a contract clause that says the supplier will keep the data safe is not good enough. Plus, in any case, of course, they will say “Yes” to that element – would you sign the contract with them if they said “No”?!

Typical supply chain cyber security activities for minimising risks often include buying only from trusted vendors, disconnecting critical machines from outside networks, and educating users on the threats and protective measures they can take.

However, can you really be sure your supply chain is secure? Do companies really understand the risk they are taking on when they choose to outsource? And what about scope creep, i.e. the service a supplier provides now being much bigger than when they were initially vetted a few years earlier?

Cyber security assumptions in the supply chain

Amazingly, many companies do the bare minimum of due diligence on their supply chain. Often, the entire supply chain protection mechanism of a business is simply to require suppliers to complete a written checklist. Needless to say, that hardly delivers the protection needed. Take the question “Do you have an information security policy?”: all a supplier may do is download one from the internet and, “Hey presto”, they can tick that box.

CISOs also have to be aware of false claims, or claims that imply a higher level of cyber security than suppliers actually have. For example, there are a number of suppliers claiming “data stored in an ISO27001 environment”, giving the impression they are ISO27001 certified when they are actually piggybacking on AWS or Google Cloud’s ISO27k certifications. In this case, the supplier itself is not ISO27001 certified. Another phrase we have seen used in abundance is the claim that “we are compliant with ISO27001”, which companies assessing potential suppliers interpret as holding ISO27k certification – this is very different from being “compliant” with the standard and definitely shows a gap that needs to be looked into more carefully. Should a company that tries these tactics raise more alarm bells than provide comfort?

A full supply chain cyber security risk assessment is vital

It’s clearly essential for CISOs to identify how their supply-chain partners may, unintentionally, compromise their business in order to understand how to protect themselves. As the outsourcing trend grows, the supply chain information security risk rises, often unknowingly, and these symbiotic relationships unwittingly expose sensitive aspects of the business. This overlooked weakness has opened up opportunities for state actors and cybercriminals to establish a foothold in their target organisations.

Take for example Quest Diagnostics, which in 2019 identified that for 7 months the sensitive data of over 11 million patients had been accessed by an unauthorised actor at the American Medical Collection Agency.

The supply chain is also a popular target for attackers looking to compromise an enterprise-sized company. European aerospace company Airbus found itself on the receiving end of a particularly large coordinated attack on its vendors in recent years. With evidence pointing to a national level attacker, this case demonstrates why it is vital for small businesses to take supply chain cyber security just as seriously as their larger counterparts.

The lesson learnt from the above scenarios is clear: the cybersecurity of a supply chain is only as strong as its weakest link, and a security breach in any part of the supply chain will likely have an adverse impact on the rest of the supply chain.

Look beyond the boundaries of your own cyber security

Organisations must consider and manage cyber risk in a holistic manner, looking well beyond the boundaries of their own systems, policies and processes. Your organisation must not be the weakest link in the supply chain.

Even when your business is protected by sophisticated security tools, CISOs can never be certain their third-party suppliers have the same standards of protection in place.

The challenge in 2020 is that third-party risk management is typically underfunded, understaffed and poorly supported, often replaced by checklists and tick-box exercises that have not been thought through. Yet according to a survey conducted in 2018 by the Ponemon Institute, 56% of organisations have had a breach that was caused by one of their vendors.

A holistic view needs to take into account such things as supply chain manufacturers using off-the-shelf firmware whose vulnerabilities can be targeted by hackers, and any source code being used should be validated to ensure it cannot be modified by cyber attackers. Threat intelligence should be gathered and monitored regularly, and acted on immediately if it is deemed a potential issue to the business or, in turn, to its supply chain.

The time to make supply chain security enhancements a priority is now. A well-structured supply chain information risk assessment can provide a detailed, step-by-step method to ensure every aspect is covered. This assessment should be information-driven and not supplier-centric, so that it is scalable and repeatable across the organisation.

Find out more about our Third-Party Auditing services and how we can help you secure your supply chain.