Today most organisations rely on a number of suppliers to provide services to their customers. The supply chain plays a key role within an organisation, allowing it to innovate, create new products or services, increase its profitability and compete with other organisations. To do so, organisations need to allow suppliers to connect to their systems and applications and to exchange sensitive information with suppliers and partners. Whilst the free sharing and exchange of information has efficiency benefits, it makes it difficult to secure data in the extended and connected enterprise.
Over the last few years, from 2008 to as recently as July 2017, there have been many data breaches caused by control failures on the supplier side, highlighting the cyber security risks associated with the supply chain:
- In August 2008, the BBC published news about bank customer data sold on eBay. This breach involved a machine sold on eBay that contained information on several million bank customers, due to a control failure at a third-party supplier of the bank.
- In August 2010, the FSA hit Zurich Insurance with a £2.275m fine for data loss, for not checking its controls over outsourced data processing. In August 2008, Zurich SA lost an unencrypted back-up tape during a routine transfer to a data storage centre. As there were no proper reporting lines in place, Zurich UK did not learn of the incident until a year later.
- In December 2013, Target had a data breach involving data theft affecting 70 million customers. In this attack, attackers broke into the retailer’s network using network credentials stolen from their third-party supplier that provided refrigeration and HVAC systems.
- In November 2014, Home Depot had a data breach where hackers stole 56 million customer credit and debit card accounts and 53 million customer email addresses. Home Depot said the hackers initially broke in using credentials stolen from a third-party vendor. The attackers used a third-party vendor’s user name and password to enter the perimeter of Home Depot’s network.
- In the fall of 2015, Wendy’s fast food restaurants had an incident that disclosed and exposed customer credit card data. The malware installed in point-of-sale systems was discovered at over 1,000 of its franchised U.S. restaurants. Hackers gained access to the machines using remote access credentials of a third-party service provider.
- In a recent incident in July 2017, a reported 14 million Verizon subscribers may have been affected by a data breach. These records were held on a server that was controlled by Israel-based Nice Systems. Nice Systems is not a small company; it is an extremely well-known and trusted company that 85 of the Fortune 100 work with. Verizon said that it “provided the vendor” with data as part of an ongoing project. The spokesperson said that an employee of the vendor, in this case Nice, incorrectly allowed external access.
Attackers have become smarter, and they choose the path of least resistance to break into an organisation. The incidents above highlight a key point: the organisations suffered data loss not because of an attack or control failure on their side, but on the supplier side. The real target of the RSA breach was not RSA but its customer(s). Big organisations are more likely to have security breaches because of the higher probability of a weak link in their complex supply chain ecosystem.
How did regulators and organisations respond?
Regulators responded to this issue by putting in place requirements for organisations to have an assurance process for managing supplier security risks. A number of organisations responded to this regulatory requirement by putting in place a “Supplier Security Assurance Framework” that includes a supplier security policy and a supplier security due-diligence process for managing supplier security risks.
In 2014, the UK government published the Cyber Essentials scheme to reduce the levels of cyber security risk in its supply chain. The scheme defines a set of controls which, when properly implemented, will provide organisations with basic protection from the most prevalent forms of threat coming from the internet.
The Supplier Security Assurance Framework has been a good step forward, but it’s not enough. The overall intent of this framework is good, but it’s the implementation that has gone wrong in many cases. This approach has resulted in an ineffective, operational “tick in the box” exercise: an inefficient and labour-intensive process which, in most cases, is not fit for purpose for managing supplier security risks. Ask any supplier that does business with financial services organisations and they will tell you about their painful experiences. They receive a similar supplier security policy document from all customer organisations, a similar Excel-based questionnaire, a report based on their response to the Excel questionnaire and, finally, a request to provide a remediation report. Many suppliers have now got a cheat-sheet, textbook approach for responding to these questionnaires. It’s not because they have any malicious intentions or do not want to participate. The issue is that they do not have enough manpower to meet similar requests coming from different organisations, and they don’t see much value in this process. Such a process may satisfy the compliance requirement for conducting supplier security assurance reviews, but it does not help in highlighting real risks based on the type of supplier relationship and the services provided by the supplier.
Let’s take the example of the Target breach and its third-party supplier Fazio Mechanical, a refrigeration contractor. The attackers hacked their way into Target’s corporate network by compromising Fazio Mechanical. A phishing email duped at least one Fazio employee, allowing Citadel, a variant of the Zeus banking Trojan, to be installed on Fazio computers. With Citadel in place, the attackers waited until the malware offered what they were looking for: Fazio Mechanical’s login credentials. At the time of the breach, all major versions of enterprise anti-malware detected the Citadel malware. Unsubstantiated sources mentioned that Fazio used the free version of Malwarebytes anti-malware.
If Target had conducted a supplier security assurance review of Fazio Mechanical, it would have recorded that Fazio Mechanical did have anti-virus and anti-malware protection in place, and that it did educate its employees on security basics via annual CBT courses or regular email newsletters. Does this mean Target would have predicted that Fazio Mechanical did not have effective controls in place, and done something about it? The answer is no.
Knowing your suppliers and protecting what matters most
The most important prerequisite for managing supplier cyber security risks effectively is a good-quality supplier inventory that includes all the attributes required for understanding the inherent risks associated with each supplier relationship. For example, does the supplier have access to the organisation’s network? Does the supplier have access to the organisation’s data off-premises? How does the organisation share data with the supplier? What data is processed by the supplier? There are many organisations that still do not have a good-quality supplier list, including copies of the contracts signed with each supplier.
While some suppliers are engaged via the vendor management process, other supplier relationships are engaged directly by the business for its immediate requirements, e.g. data processing, customer marketing campaigns, customer data mining, etc. There are a number of cloud-based services (for example, AWS and Salesforce) that can be bought simply with a corporate credit card. One place that all organisations could look to build a holistic picture of their supplier relationships is their corporate credit card statements.
The complexity, difficulty and effort required to understand the supplier landscape are directly proportional to the size, geographical footprint and nature of the organisation’s business. The bigger the organisation, the more complex and difficult this exercise is going to be. Unfortunately, there is no shortcut for building a better understanding of supplier relationships. Organisations need to go through this detailed process and assign their quality consultants to understand supplier relationships and the risks associated with them.
It’s not practical to follow a big-bang approach for conducting supplier security assurance reviews, as it’s going to be expensive, ineffective and unsustainable. Organisations need to follow a risk-based approach and focus on their crown jewels and the critical suppliers that pose the highest level of risk. Organisations also need to assign their best experts to perform these reviews to ensure their quality and effectiveness.
When it happens
No matter how much effort an organisation spends on a supplier assurance programme, there is no guarantee that a security breach won’t happen and that nothing will go wrong. As Murphy’s Law states, “Anything that can go wrong will go wrong”. In the real world, things do go wrong; it’s just a matter of when.
But when things do go wrong, the organisation needs to respond effectively, and that’s when having a well-defined plan comes to the rescue. Organisations need to have a well-defined Security Incident Management Plan, and suppliers need to play a key role in that plan so that security incidents are managed effectively if they ever happen.
The supply chain plays a key role within an organisation, allowing it to innovate, create new products or services, increase its profitability and compete with other organisations. While it’s essential for organisations to allow suppliers to connect to their systems and applications and to exchange sensitive information with suppliers and partners, it is equally important to manage the cyber security risks associated with the supply chain.
Compliance and security go hand in hand, but they are not one and the same thing. Being compliant does not necessarily mean being secure. The focus needs to shift to improving the overall security posture by working closely with the supply chain, rather than running a “tick in the box” compliance exercise for conducting supplier security assurance reviews.
Securing the supply chain is as important as securing the front door, and it starts with engaging the business and suppliers:
- Communication and education are key. It’s important to engage the business community and suppliers using innovative and simple methods to get them on board with managing the risks associated with the supply chain, not just by writing a policy document.
- Keep it simple for the business to engage. If the business thinks that we are going to slow it down, and it does not understand and appreciate the value the supplier security assurance framework offers, it will not engage and will find ways to bypass the process.
- Ensure the security clauses and requirements are embedded into the legal contract.
- Be prepared for the worst. Organisations need to have a well-defined Security Incident Management Plan, and suppliers need to play a key role in that plan so that security incidents are managed effectively if they ever happen.
- Don’t stop; it’s an ongoing process. The journey does not end with conducting supplier security assurance reviews, because supplier relationships go through many phases and a relationship can change over time, increasing the level of risk. It’s an ongoing and iterative process.