The National Cyber Security Centre (NCSC) recently identified supply chain risk as a key cybersecurity concern that boards should be addressing. Arno Robbertse, Cyber Security Director at ITC Secure, tells us about a new approach organisations can take to assess risk across their third parties.
The business world is built on a sprawling and complex web of relationships that can include dozens of different suppliers and partners that produce materials, provide logistical support, sell goods, generate ideas and more. The accelerated digitalisation that has taken place over the last two decades means that these webs of companies are more closely linked than ever before.
However, while this digital connectivity allows for greater agility and collaboration, it is also exposing organisations to ever greater levels of risk. In fact, a recent report by The Ponemon Institute found that 65% of breaches originated from a third party, with 75% of respondents saying that this figure is increasing.
Cybercriminals will often target smaller and less well-defended organisations to circumvent the stronger defences of the companies they do business with, and in recent years there have been several prominent cases of large companies being hit by breaches that began with smaller partners.
To have a chance of keeping their infrastructure secure in the face of so many possible attack vectors, organisations must have visibility and quantitative metrics of security across their vendor supply chain. This will make it possible to manage risk and extend internal security diligence to third-party partners.
What are the biggest third-party risks?
The scope and interconnectivity of even a moderately sized business’ supply chain can present a huge number of opportunities for attackers to exploit the relationship and launch a cyberattack.
Five of the most prevalent risks are:
Phishing – Deceptive emails have become the go-to medium for most cyberattacks today. Criminals routinely impersonate trusted suppliers and contacts to trick victims into making fraudulent payments or handing over data. If a smaller supplier is compromised, the attacker could also take control of its mailboxes to send highly convincing messages, or use its credentials to access the network directly.
Infected software – Emails are also often used to deliver malware. In the manufacturing sector, for example, there has been a series of malware attacks on industrial control systems (ICS) that begin with phishing emails sent through the supply chain before moving on to critical systems.
Cloud and IoT – The increased use of cloud solutions and connected devices has created a constantly shifting attack surface for the cybercriminal. Gartner has predicted that by 2020, 90% of spending on supply chain management will be on cloud solutions, creating an increasingly vast attack surface.
Watering hole attacks – These are based on compromising sites favoured within the extended supply chain, such as partner portals. Visitors are hit by hidden malicious script that often covertly downloads additional malware, such as Remote Access Trojans (RATs), which then establishes access to their systems.
Mergers and acquisitions – The extremely complicated process of merging two companies' assets and supply chains can easily lead to exposure points being overlooked, and imminent and ongoing breaches can be lost in the shuffle. Criminals can use the disorder to extend breaches while escaping notice.
Meeting compliance demands
Aside from the need to protect customers, personnel, intellectual property and finances from malicious attackers, organisations must also meet an increasingly stringent array of data and security-related regulations. This compliance extends to the management of cyber-risk within the supply chain. Many industry-specific and wider regulatory frameworks also require that supply chain members are checked and adhere to their requirements. It is therefore essential that vendor risk management and compliance management are on the same page.
The General Data Protection Regulation (GDPR), which came into effect in May, is both the most recent and one of the strictest sets of regulations to enter the market. The legislation holds companies responsible for protecting the personal data of their customers and personnel no matter where in the life cycle or supply chain it is. This means a company will still be liable even if data is lost because a third-party data processor suffers a breach, making supply chain diligence more important than ever.
Several other prominent regulations and guidelines also now hold organisations directly responsible for the shortcomings of their suppliers and partners, such as the Health Insurance Portability and Accountability Act (HIPAA) in the US, the rules of the Financial Conduct Authority (FCA) and the NIS Directive.
Measuring the risks
Quantifying the potential risks presented through third parties has long been a difficult and often unreliable task. A longstanding approach to measuring third-party risk has been to use lengthy, in-depth questionnaires to assess initial partner risk, sometimes followed by periodic surveys to monitor the ongoing threat.
While this can help to reveal possible security concerns, the approach will only yield a ‘point in time’ snapshot of the company at the time of assessment. As these surveys tend to be very manual processes that are resource heavy, most companies will only conduct them on an annual or bi-annual basis, leaving considerable room for threats to emerge in between.
Organisations can overcome these blind spots by making risk assessment an ongoing process rather than a static snapshot. With some companies maintaining dozens or even hundreds of contacts, this may seem like an impossible task. However, this can be managed by creating a prioritised list of vendors based on elements such as their current risk posture, importance to the company and access to critical data and systems.
The higher priority companies may warrant monthly assessment, while those that pose little threat may require only annual surveys. Third parties that have a critical level of importance or risk could even be assessed in real time.
Measuring third party risk will also be made easier by integrating security and vendor procurement policies. There should be strictly defined risk thresholds depending on a vendor’s importance and access to essential assets, and contractual obligations to fix any security issues that emerge.
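The prioritisation described above, as an added example that is not part of the original article: each vendor is scored on the three elements the text names (current risk posture, importance to the company, access to critical data and systems), the score is mapped to a review cadence following the real-time / monthly / annual pattern, and vendors whose periodic assessment has lapsed are flagged. The weights, tier cut-offs and sample vendors are constructed assumptions.

```python
"""Vendor prioritisation and assessment cadence (added example, not from the
article). Scores each vendor on current risk posture, importance and access
to critical data/systems, maps the score to a review cadence and flags lapsed
assessments. Weights, cut-offs and the sample vendors are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed review interval per tier; 0 means continuous (real-time) monitoring.
CADENCE_DAYS = {"critical": 0, "high": 30, "medium": 180, "low": 365}

@dataclass
class Vendor:
    name: str
    risk_posture: int      # 1 (strong) .. 5 (weak), from the last assessment
    importance: int        # 1 (peripheral) .. 5 (business-critical)
    critical_access: bool  # holds credentials or data for critical systems
    last_assessed: date

def risk_score(v: Vendor) -> int:
    """Weighted score in 3..20; weights are assumptions, not the article's."""
    return v.risk_posture * 2 + v.importance + (5 if v.critical_access else 0)

def tier(v: Vendor) -> str:
    """Map the score to a tier; the cut-offs are assumed thresholds."""
    s = risk_score(v)
    return "critical" if s >= 16 else "high" if s >= 11 else "medium" if s >= 7 else "low"

def overdue(v: Vendor, today: date) -> bool:
    """True when the tier's periodic assessment interval has elapsed."""
    days = CADENCE_DAYS[tier(v)]
    if days == 0:
        return False  # continuously monitored; no periodic survey to lapse
    return today - v.last_assessed > timedelta(days=days)

def prioritise(vendors, today):
    """Return (name, tier, overdue) tuples, highest risk score first."""
    ranked = sorted(vendors, key=risk_score, reverse=True)
    return [(v.name, tier(v), overdue(v, today)) for v in ranked]

# Constructed sample vendors and review date.
TODAY = date(2018, 9, 1)
SAMPLE_VENDORS = [
    Vendor("PrintShop", 2, 1, False, date(2017, 6, 1)),
    Vendor("PayrollCo", 4, 5, True, date(2018, 1, 10)),
    Vendor("Caterer", 3, 2, False, date(2018, 5, 1)),
    Vendor("CloudHost", 3, 4, True, date(2018, 7, 15)),
]

if __name__ == "__main__":
    for name, t, late in prioritise(SAMPLE_VENDORS, TODAY):
        print(f"{name:10} {t:9} {'OVERDUE' if late else 'ok'}")
```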
To make this approach work, an organisation will need to have a thorough understanding of its own IT infrastructure and how confidential information is accessed and shared internally and externally. Assessment needs to focus not only on a vendor’s technology, but also its security and risk policies and how well they are followed and enforced.
As comprehensive and ongoing risk monitoring will often require a great deal of time and specialist experience, it can be beneficial to take on an independent expert to set up and maintain the process with a managed service approach. This will ensure that any risk alerts are backed with professional analysis to provide clearer insight into potential risk, and will also make it easier to provide expert guidance to third-party vendors that need to improve their security. Using an independent service provider can also make it easier to take an impartial view when benchmarking against industry peers and tracking trends.
By equipping themselves with a thorough understanding of their supply chain of third-party partners and suppliers and the potential risks these relationships represent, organisations can identify any vulnerabilities before they can be exploited by attackers.