by Ian Heritage
Modern organisations are increasingly dependent on their supply chains to meet key business goals. But as partner ecosystems have grown and become more complex, so has cyber risk. Unfortunately, UK firms are still flying blind when it comes to managing this risk. A new Accenture report out this week claims that as many as 70% may be vulnerable to attack because they don’t have enough insight into suppliers.
It’s time organisations treated supply chain security as an urgent priority. That means vetting, auditing and continuously monitoring third parties according to the same high standards as your own company.
Trust is not enough
According to the latest findings from the global consultancy, just 29% of business and IT executives at UK firms know how secure their suppliers are. Even more worryingly, over half (56%) claim to rely on trust alone to manage relationships. This is clearly unsustainable given the size of modern supply chains. A report from last year revealed that the average UK or US firm shares sensitive data with around 583 organisations. The majority (60%) claimed to have suffered a breach because of their relationship with one of these firms, and even more (75%) said they thought such incidents were increasing.
The truth is that hackers are regularly probing supply chain partnerships. Typically, they’re either looking for ways to compromise large numbers of client organisations, as witnessed by the Operation Cloud Hopper attacks on MSPs, or to find easier routes into a specific target organisation, as we saw with the infamous breaches of retailer Target and the US Office of Personnel Management (OPM).
There are multiple ways of doing so. The National Cyber Security Centre (NCSC) has some good background on the main types of supply chain attack, which could include: trojanising third-party software, as per the NotPetya campaign; watering hole attacks compromising supplier websites; and attacks on third-party cloud providers. The recent spate of Magecart attacks has also shown us the dangers of allowing unvetted third-party code on an organisation’s website.
Visibility and control
It’s clear that blind faith is not sufficient to manage third-party security risk. Yet too often organisations fail to gain the kind of insight into their suppliers that is a crucial prerequisite for improved risk management. More than a fifth (22%) of respondents to the 2018 Opus study claimed they didn’t even know if they had suffered a third-party breach, while just a third (37%) said they have enough resources to manage supplier relationships.
Funding and board-level buy-in are just the first step. Next must come:
- A full audit of the supply chain: start by classifying data, mapping data flows and understanding what controls are in place to protect it
- Mandating best-practice security controls for supplier organisations — defence-in-depth across all layers, including endpoint, network, hybrid cloud servers and web/email gateways
- Ensuring suppliers have adequate security processes in place, including employee training and awareness programmes, data-handling procedures and more
- Drawing up new contracts to formalise security measures, especially in light of new legislation like GDPR and the NIS Directive
- Instituting regular audits of supply chain security controls and processes
Failure to address supply chain risk could be a costly mistake. Data breaches and IT outages could hit the bottom line and corporate reputation hard. Accenture claims indirect attacks like these could account for almost a quarter of the total value at risk from cybercrime over the next five years. Cybersecurity bosses must step in now to ensure things don’t get that bad.