Originally published on 11 Jan 2019
Updated on 10 Nov 2021
How Would You Deal With a Cyber Incident in Your Supply Chain?
According to the Allianz 2021 business risk barometer, the top global threat to organisations is business interruption, at 41%. Not far behind in third, at 40%, is cyber risk, up from 39% the previous year. So what happens if you combine supply chain risk with cyber risk?
How would your organisation cope if one or more of your key suppliers suffered a mid-level or even a catastrophic cyber incident, either from a systems failure or from some form of cyber attack or data breach? From the details in the report, cyber incidents remained one of the top risks for mid-size organisations for 2021.
Optimising IT takes a look at how a security breach and a supply chain weak link could impact your business and what you can do to better manage your supply chain and protect yourself against potential investigations.
What Can We Take Away from the Rise in Cyber Incidents?
There are lots of numbers and stats. But what can we take away from these figures and how can we apply them to our own organisations? Actually, we can learn a lot from these figures, depending on your organisation and how you use suppliers to deliver your business operations.
Many organisations use supply chains in some capacity or another. Some supply chains — especially in IT — have become so big and ubiquitous that the thought of a cyber incident having an impact seems far-fetched at times as things generally just work. But, large cloud providers have suffered incidents that have resulted in loss of service and, in some cases, loss of data.
If there is a significant outage at a major cloud provider, we suggest it will affect a huge number of businesses to the point that it would have a widespread financial impact. For this reason, the major cloud providers are focused on ensuring there is a very low probability of their SaaS services going totally offline. They ensure this doesn’t happen by spreading themselves out over continents and spending a huge amount on cyber security.
Be Prepared for Anything
All in all, we don’t worry too much about our email not working, and neither should you. You should, of course, be prepared in the highly unlikely event it does stop working. Make sure you take backups, keep your DNS at another provider and have appropriate contingency plans in place. For belt and braces, you could always utilise multiple providers.
Is Cloud Hosting More Secure Than Hosting Yourself?
Now, major cloud providers and their SaaS offering aside, what about hosting your servers in the cloud — are they more secure than if you host them yourself? The reason we raise this question is that while those major providers spend an awful lot on security — and there is a fairly low risk of someone physically stealing “your” server — the amount of extra protection you can gain from hosting in the cloud is hugely variable. The additional security you can gain depends on your chosen configuration, security mechanisms, ongoing patching, IPS, vulnerability scanning and pen-testing. However, let’s not forget, all of the security you have in place won’t help much if you have a rogue employee in your midst. After all, every organisation is only as strong as its weakest link.
What Does Cloud Hosting Have to Do with Cyber Incidents in Your Supply Chain?
Well, a lot. The reasons can be many depending on your organisation but consider the following scenario. You are a small or mid-size organisation, who, for example, has an eCommerce website you have outsourced the running of to another SME-sized “specialist” in this field. The outsourced partner will handle the development for you, integrate with a third party to handle the actual payments and host it for you in the cloud. Great: a turnkey solution from a trusted professional organisation.
Fast forward a little and the authorities get in touch to inform you they suspect there has been a breach on your eCommerce website due to a high incidence of fraud by people who have reported buying widgets from you. You may have outsourced the work, but you can’t outsource the responsibility. The authorities now require you to react, notify your customers, carry out a forensic investigation and, of course, fix the problem. You also then start your own internal review to understand the situation.
Poor supply chain management will come back to haunt you if you aren’t on top of it. Therefore, it is important to have supply chain partners who you can trust.
What Happens If Your Trusted Supplier Goes Radio Silent?
It could be even worse if the forensic investigation into your supply chain didn’t turn up anything, as someone at the “trusted partner” deleted all of the application and system logs, so there is no longer any evidence of anything. The upshot of such a situation is potential regulatory fines, fines from the card issuers, loss of reputation, loss of customers and now, under the new Data Protection Act, the possibility of a group civil action. Ouch.
A Payment Breach with Your Key Supplier Could Hugely Impact Your Organisation
Not to mention, your key supplier doesn’t have a Disaster Recovery plan and their infrastructure has no resilience built-in. Great. Your £10 million turnover business and 100 staff are dependent on hope and a promise.
Does this sound like a made-up scenario? Well, as it happens, truth is stranger than fiction.
Any organisation that runs critical services for you or has copies of, or access to large amounts of your business and customer data, could (and we stress could) have such an impact on your organisation as to render it inoperable.
The scenario above is just one of many potential outcomes caused by not understanding your organisation’s risk profile, where, unfortunately, it appears as though your entire supply chain is increasingly near the top of that risk profile. With external risks that sometimes feel out of your hands, it is important to come up with mitigation strategies.
What Can You Do About Risks?
It may sound like a cliché, but look before you leap. The scenario above could be avoided and certainly have its impact lessened by understanding your supplier’s risk profile and approach and whether that fits with your own. You can also mandate certain requirements from your suppliers in terms of their own cyber security approach. Cyber essentials should be your minimum threshold for any supplier and those handling or processing card payments on your behalf should implement the appropriate level of PCI DSS. We would also insist on having this verified by a qualified security assessor or PCI QSA.
You should also ensure that your own house is in order: incident response plans, insurance and the right people with the right skill sets and authority in place to manage anything that may happen.
Make no mistake, managing your supply chain if they are on your critical path can be a time-consuming and complex task, yet better to do it as prevention than a cure.
Our Top Tips for Supply Chain Management
- Carry out as much due diligence as possible to check the potential risk profile of the supplier depending on the service they are carrying out for your organisation. Then assess how your organisation would be affected should an incident happen to the supply chain.
- Trust, but verify. Always check out claims and certifications. It’s entirely possible to have a PCI report on compliance with a very low scope, only covering a small section of the requirement. It doesn’t mean a supplier is certified, for example.
- Check, then check again. Because you vetted a supplier five years ago and they were excellent, it doesn’t mean they still are. Good supply chain management, like good information security, is something that is a continuous process.
- Get some independent, unbiased help. There is a huge amount of value in getting someone independent to give a balanced view on the status of your supply chains — not least because Information Security auditing isn’t likely to be your day job.
Here at Optimising IT, our cyber security team is helping an increasing number of organisations by providing independent supplier security reviews and ongoing supplier management using our proven framework.