Supply Chain Attacks on the Rise – Steps to take to stay in control
The meteoric rise of supply chain attacks over the past five years shows that organisations must focus on tightening the security of their subcontractors, suppliers and partners. An article by Harvard Business Review (HBR) suggests, “Over 60% of reported attacks on publicly traded U.S. firms in 2017 were launched through the IT systems of suppliers or other third parties such as contractors, up from less than one-quarter of attacks in 2010.”
The primary issue is that supplier contracts don’t usually include definitive statements on the cyber security standards or controls the contractor should be accountable for meeting. As a result, you lose control of your data security as soon as third parties gain access to your infrastructure or data, posing a massive upstream threat: theft of a supplier’s credentials will lead to attackers gaining access to your systems.
Even if the contracting organisation adds several high-level statements of intent to the contract, such as, “Acme Ltd. will ensure all <parent company’s> data remains confidential and protected from data breaches while in the care of Acme Ltd.”, it is hard to prove whether they are compliant.
Supply Chain Attacks – The Importance of Audits and Reporting
Information security managers should work closely with their procurement teams to ensure contracts with third parties contain clauses that force attestation and can be tested through audits and reporting. If the contract says, “Acme Ltd. must be ISO 27001 (or similar) certified and provide annual audit reports of the security management system to <parent company> within two weeks of audit completion,” you now have a way to discuss security at contract reviews.
Statements of specific compliance against requirements might relate to their use of contemporary technical security controls, such as having an antivirus product on all desktops, laptops and servers, a Security Information and Event Management (SIEM) system for audit and monitoring, and a Security Operations Centre for alerting and incident response. You can then rest assured they take security seriously.
Add Cyber Insurance to Contract Inclusions
Cyber insurance has become popular over the past few years and modern cyber insurance products have matured enough to be worth evaluating. You should review your own cyber insurance policy to see if it covers breaches caused by suppliers, since insurers may not pay out if your data is breached on a third party’s system. The procurement team should also turn back to the contract and include a clause whereby suppliers have their own cyber insurance policy – the concept of liability is often covered in contracts, so ensure they are also liable for the protection of your data and will compensate you should a breach occur.
Request that suppliers allow your own SOC team to monitor their systems. This may not be tenable for a vendor, but if the subcontractor is embedded in your network, there is no reason why you cannot include this. Furthermore, you can say that every device connecting to your network must have your antivirus agent and monitoring agent installed on it. If you have some way of ensuring their systems are patched and protected with basic controls, this will also help keep your systems and data safe.
Limit Third Party Access to your Systems
You can reduce the level of access partners and suppliers have to your systems to a minimum. They almost certainly don’t need the same level of permissions your internal users or administrators need, likely only requiring access to one fileserver, intranet site or database. Limit their permissions to accessing just that one system and ensure you audit every action they take.
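The “one system, every action audited” rule above can be checked mechanically. The following is an added example, not code from the article: it assumes a constructed log line format of `user=<account> host=<system> action=<verb>` and a constructed allow-list mapping each supplier account to the single system it is permitted to reach, then reports any supplier activity outside that system while counting every supplier action so it stays auditable.

```python
"""Audit supplier account activity against a per-supplier allow-list.

Added example, not from the original article. Log format and allow-list are
constructed assumptions, not any real product's format.
"""
import re
from collections import defaultdict

# Constructed allow-list: each supplier account may touch exactly one system.
SUPPLIER_ALLOW = {
    "acme-svc": "fileserver01",
    "widgetco-svc": "intranet-db",
}

# Constructed log lines in the assumed "user= host= action=" format.
SAMPLE_LOG = [
    "2024-03-01T09:00:01Z user=acme-svc host=fileserver01 action=read",
    "2024-03-01T09:05:12Z user=acme-svc host=fileserver01 action=write",
    "2024-03-01T09:07:44Z user=acme-svc host=domaincontroller action=login",
    "2024-03-01T09:10:00Z user=jsmith host=domaincontroller action=login",
    "2024-03-01T09:12:30Z user=widgetco-svc host=intranet-db action=query",
    "garbled line with no fields",
]

LOG_RE = re.compile(r"user=(\S+)\s+host=(\S+)\s+action=(\S+)")


def parse_line(line):
    """Return (user, host, action) or None for a line that does not match."""
    m = LOG_RE.search(line)
    return m.groups() if m else None


def audit(log_lines, allow=SUPPLIER_ALLOW):
    """Return (violations, activity).

    violations: list of (user, host, action) where a supplier account touched
                a system other than the one it is allowed.
    activity:   count of every action per supplier account, so that each
                supplier's actions are accounted for even when all are allowed.
    Internal (non-supplier) accounts and unparseable lines are skipped.
    """
    violations = []
    activity = defaultdict(int)
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, host, action = parsed
        if user not in allow:
            continue
        activity[user] += 1
        if host != allow[user]:
            violations.append((user, host, action))
    return violations, dict(activity)
```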
Furthermore, you can request all suppliers use penetration testing and vulnerability assessments to expose security deficiencies in connections to your infrastructure. Suppliers should welcome an expert penetration testing company testing their systems and should be happy to include this as an integral part of offering their service. If not, consider other vendors that would welcome such testing.
Help your Suppliers Do the Right Thing
If you use very small suppliers or product vendors, they may not be able to demonstrate enterprise levels of security resilience. Yet they may still have good security practices and technical controls, without necessarily even knowing how to put them in the context of your contract. If they need assistance in understanding how to get started, have your security team meet them and seek pragmatic agreements on how they will meet your objectives. Even if they are non-compliant today, if they are willing to put in the effort and go on a journey of security maturity with you, you can track their implementation and work with them on becoming more secure. This is a win-win for both organisations.
If ISO 27001 is too onerous for your suppliers, especially smaller ones, select a different minimum standard they should adopt, such as the Australian Signals Directorate’s Essential Eight or the UK NCSC’s 10 Steps to Cyber Security. The Essential Eight contains a set of basic security controls that are (mostly) easy to achieve. It represents a distillation of years of monitoring and analysing security breaches and covers the eight most useful controls an organisation can adopt. Controls include patching operating systems and patching applications, ensuring systems and data are backed up, having tighter control over Microsoft Office macro settings, application hardening (removing unnecessary features), restricting administrative privileges, and using multi-factor authentication. The only Essential Eight control that may cause problems is “Application Whitelisting,” especially if the organisation isn’t running Microsoft operating systems, since it can be expensive and troublesome for companies using alternative systems, such as Apple or Linux based computers.
Build Cyber Resilience through Supplier Management
Supplier management and procurement teams need to be empowered to embed security in your sourcing agreements. There is no reason why suppliers shouldn’t be held to the same level of accountability that you are for protecting your systems and data. Any supplier that doesn’t agree cyber security is important should not be used to deliver services or products – if they refuse an audit then quite possibly they have something to hide. Remember, it doesn’t matter how strong your window locks are and how fortified your door is: if the adjoining apartment is left unprotected and there is an internal swing door connecting to your living space, the burglars will still get into your apartment.