Is there a weak link in your supply chain?
How would you deal with a cyber incident in your supply chain?
According to the Allianz 2018 business risk barometer, the top global threat to organisations is business interruption, at 42%. A close second, at 40%, is cyber risk, up from 30% in the previous year. If the same proportional increase occurs for the 2019 barometer, cyber risk will account for 53% of total business risk.
So what happens if you combine supplier risk with cyber risk?
How would your organisation cope if one or more of your key suppliers suffered a mid-level or even a catastrophic cyber incident, either from a systems failure or from some form of cyber-attack or data breach? From the details in the report, cyber incidents rise to the number one risk for mid-size organisations for 2018.
What can we take away from this?
Lots of numbers and stats, but what can we take away from this and apply to our own organisations? Actually, a lot can be taken from these figures. As always, it does depend on your organisation and how you use suppliers to deliver your business operations. What we can say is that most organisations use a supplier in some capacity or another. Some suppliers, especially in IT, have become so big and ubiquitous that the thought of a cyber incident having an impact seems far-fetched at times, as things generally just work. Yet both of the large cloud providers have suffered incidents that have resulted in loss of service and, in some cases, loss of data.
If there ever is a major outage at either of the major cloud providers, we suggest that it will affect a huge number of businesses, to the point that it would have widespread financial impacts. For that reason, the major cloud providers are keenly focussed on ensuring there is a very low probability of their SaaS services going totally offline: they spread themselves out over continents, spend a huge amount on cyber-security, and are among the most highly valued organisations in the world.
All in all, we don’t worry too much about our email not working, and neither should you. You should of course be prepared in the highly unlikely event it does stop working. Make sure you take backups, keep your DNS at another provider and have appropriate contingency in place. For belt and braces, you could always utilise multiple providers.
Is cloud hosting more secure than hosting yourself?
Now, major cloud providers and their SaaS offerings aside, what about hosting your servers in the cloud – are they more secure than if you hosted them yourself? The reason we raise this is that whilst those major providers spend an awful lot on security, and there is a fairly low risk of someone physically stealing ‘your’ server, the amount of extra security you gain from hosting in the cloud is hugely variable. It depends very much on your chosen configuration, security mechanisms, ongoing patching, IPS, vulnerability scanning and pen testing. And let’s not forget: all of the security you have in place won’t help that much if you have a rogue employee in your midst.
Great, so what has all that got to do with Cyber incidents in your supply chain?
Well, a lot. The reasons can be many, depending on your organisation, but consider the following scenario: You are a small or mid-size organisation who, for example, has an e-commerce website and has outsourced the running of it to another SME-sized ‘specialist’ in this field. The outsourced partner will handle the development for you, integrate with a third party for handling the actual payments and host it for you in the cloud. Great: a turnkey solution from a trusted professional organisation. Fast forward a little and the authorities get in touch to inform you they suspect there has been a breach on your e-commerce website, due to a high incidence of fraud reported by people who have bought widgets from you. You may have outsourced the work, but you can’t outsource the responsibility. The authorities now require you to react, notify your customers, carry out a forensic investigation and, of course, fix the problem. You also then start your own internal review to understand the situation.
Now what happens if your trusted supplier, whom you have been using for years goes radio silent?
Even worse, the forensic investigation didn’t turn anything up, as someone at the ‘trusted partner’ deleted all of the application and system logs, so there is no longer any evidence of anything. Upshot of such a situation: potential regulatory fines, fines from the card issuers, loss of reputation, loss of customers and now, under the new Data Protection Act, the possibility of a group civil action. Ouch.
So, a payment breach at your key supplier could have a huge impact on your organisation.
Not to mention, they host on physical tin, don’t have a Disaster Recovery plan and their infrastructure has no resilience built in. Great. Your £10 million turnover business and 100 staff are dependent on hope and a promise.
Does this sound like a scenario that is made up? Well, as it happens, truth is stranger than fiction.
Any organisation that runs critical services for you, or has copies of, or access to, large amounts of your business and customer data, could (and we stress could) have such an impact on your organisation as to render it inoperable. The scenario above is just one of many potential outcomes of not understanding your organisation’s risk profile, and increasingly suppliers are at the top of that risk profile.
What can you do about it?
It may sound like a cliché, but look before you leap. The scenario above could have been avoided, and its impact certainly lessened, by understanding your suppliers’ own risk profile and approach, and whether that fitted with your own risk profile. You can also mandate certain requirements from your suppliers in terms of their own cyber security approach. Cyber Essentials should be your minimum threshold for any supplier. Any supplier handling or processing card payments on your behalf should implement the appropriate level of PCI DSS. We would also insist on having this verified by a Qualified Security Assessor, or PCI QSA.
You should also ensure that your own house is in order: Incident response plans, insurance and having the right people, with the right skill sets and authority in place to deal with anything that may happen.
Make no mistake, managing your supply chain, in particular if they are on your critical path, can be a time consuming and complex task, yet better to do it than not as prevention is always better than a cure.
Our top tips for supplier management
- 1. Check things out. Depending on the potential risk profile of the supplier, what they are doing for you and the impact an incident that happens to them could have on your organisation, carry out as much due diligence as possible BEFORE going live.
- 2. Trust, but verify. Always check out claims and certifications. It’s entirely possible to have a PCI report on compliance that has a very narrow scope and only covers a very small section of the requirements. Such a report doesn’t, for example, mean the supplier as a whole is certified.
- 3. Check, then check again. Because you vetted a supplier 5 years ago, and they were really good, it doesn’t mean they are still really good. Good supplier management, like good information security, is something that is a continuous process.
- 4. Get some independent, unbiased help. There is a huge amount of value in getting someone independent to give a balanced view on the status of your suppliers. Not least because Information Security auditing isn’t likely to be your day job.
Our Cyber-security team is helping an increasing number of organisations, by providing independent supplier security reviews and ongoing supplier management using our proven framework.
To find out more, explore our cyber-security services, or call us on 01242 505470 and we’d be happy to discuss your requirements with you.
Author: Todd Gifford, Certified Information Systems Security Professional (CISSP), Head of Consultancy at Optimising IT.