How to secure your supply chain

by Mark Rowe

Supply chain companies should form part of your security culture, says Rory Duncan, Head of Security at the data analytics company Dimension Data UK&I.

The supply chain is the new weak link in your organisation’s security, and failure to address your frailties could seriously stunt business growth. The most dangerous threat actors in the cybersecurity theatre are opportunists, enticed by low-risk and high-reward opportunities. But encouragingly, these attacks are becoming less common in leading business sectors as investments into security start to bear fruit. For example, outsourced incident response engagements against financial institutions – the most targeted sector in 2016 – have dropped off significantly.

The result? Cybercriminals have been forced to look further afield. Company perimeters no longer end at the firewall. Today’s interconnected world has not only created many new opportunities and tools for companies, but also more entry points for criminals to gain access. And the supply chain has become one of the chief victims, where security cultures may not be as dynamic, mature, or well-funded.

Supply chains also offer more opportunities, particularly in the business and professional services sector. For example, breaching a supplier to a lawyer’s network presents cybercriminals access to details about many different customers, not to mention other sensitive data that would otherwise sit behind a company’s more formidable defences.

Research from NTT Security’s Global Threat Intelligence Report found business and professional services topped the list of most attacked sectors in EMEA, receiving a staggering 20pc of all attacks. Supply chain risks have been catching digital businesses off guard, and a whole list of companies have fallen prey to ransomware and other cyberattacks.

Why is the supply chain so tempting to cybercriminals? Supply chains are becoming very attractive targets for several reasons:

● Companies often don’t regard supply chain security as their problem.

● Policies implemented at companies often don’t reflect the value of data available in the supply chain.

● Smaller companies may lack the means and incentive to invest in security.

● Supply chains expand the potential number of user targets, who are often undereducated about data security.

● Services companies, or more prominently the supply chain of service companies, have access to the information of multiple businesses.

This issue is compounded by a lack of visibility and control. As much as a company’s ecosystem extends to its service partners, it’s not as simple to extend policies and other controls to that level.

Most security implementations fail because organisations don’t implement proper processes and user education alongside security technology. This is a challenging balance to strike even for large, security-mature companies, and smaller businesses may not have the same level of awareness about the potential impact of less robust cybersecurity measures. Many supply chain attacks use malware as their preferred weapon, which often relies on user error to activate it inside a company. User-orientated malware such as trojans and droppers remain steadfast favourites of criminals, while the rise of ransomware (which rose from 1% of global malware in 2016 to 7% in 2017) indicates clear targeting of unaware users.

Companies have to take action on several levels:

● Ensure their suppliers follow standards.

● Liaise with suppliers to increase visibility and create active threat intelligence.

● Expect them to implement a comprehensive security strategy.

● Routinely vet suppliers’ security and cull companies that refuse to modernise.

● Assign leaders who can articulate the risks to both business and IT.

The obvious place to start is standards: suppliers that don’t meet the required standards of your sector should implement the necessary updates or be released. This is already a legal requirement in many industries, and in some cases, companies must routinely audit their suppliers for standards. For extra assurance, have the results vetted by an independent body to validate the findings.

Companies that sit in an organisation’s supply chain should be treated as an extension of your intelligence-sharing capabilities – encourage them to inform your organisation regarding any security developments. If a supplier thinks it’s being targeted, you should know. Likewise, if you become aware of potential attacks on suppliers, you must inform them. By establishing a healthy rapport regarding security, companies can often pre-empt adversaries and vastly reduce the impact of an attack.

Driving this change in culture is daunting, even more so than adjusting security inside an organisation. Suppliers are not simply proxies to your security: tempting as it is to dictate terms to them, that won’t establish the healthy back-and-forth communication required for effective threat intelligence. Also, don’t forget their core business is not necessarily your core business and their requirements will be different.

It may be necessary to cull certain suppliers and instead select companies that appreciate these dynamics. That’s not an easy choice to make, but if you have a supplier that’s complacent about security, they represent a threat to your business. A single successful breach could destroy years of cooperation and goodwill in the blink of an eye.

Who takes ownership?

Even though each supplier must have their own security strategy, someone needs to lead the charge and inspire change among your suppliers. But this isn’t just trickle-down change from the top. Every supplier has its own culture, silos, and IT systems. Whoever pioneers the change will have to stand alongside partners as they implement change on their side. These are not conversations that will be settled with KPIs and annual reviews. They are more sensitive and need large amounts of care.

If the strategy calls for a risk-based technological journey, ownership may sit with the CIO or CISO. Chief Risk Officers are also popular candidates for security-related issues. Yet the broader supply chain aspect may need input from other types of high-level influencers, such as the Chief Financial Officer, Chief Digital Officer, or even the CEO.

Regardless of who shoulders responsibility, they must possess the capability to articulate the challenges to both technology and business audiences. This isn’t just about security, but also the relationships that feed the business’ output, as well as the many individuals inside the business. And there should be one person or group explicitly in charge. A uniform security strategy, where all parts – people, processes and technology – move in harmony, is paramount.

© 2024 Professional Security Magazine. All rights reserved.