Today most organisations rely on a number of suppliers to deliver services to their customers. The supply chain plays a key role within an organisation, allowing it to innovate, create new products or services, increase profitability and compete with other organisations. To do so, organisations need to let suppliers connect to their systems and applications and exchange sensitive information with suppliers and partners. Whilst the free sharing and exchange of information has efficiency benefits, it makes data difficult to secure in the extended, connected enterprise.
- In August 2010, the FSA fined Zurich Insurance £2.275m for a data loss caused by its failure to check its controls over outsourced data processing. In August 2008, Zurich SA (the group's South African business) had lost an unencrypted back-up tape during a routine transfer to a data storage centre. As there were no proper reporting lines in place, Zurich UK did not learn of the incident until a year later.
- In December 2013, Target suffered a data breach that affected around 70 million customers. The attackers broke into the retailer's network using network credentials stolen from a third-party supplier that provided refrigeration and HVAC services.
- In November 2014, Home Depot disclosed that attackers had stolen 56 million customer payment card accounts and 53 million customer email addresses. Home Depot said the attackers initially got in using a third-party vendor's username and password to reach the perimeter of its network.
- In the autumn of 2015, Wendy's fast food restaurants suffered an incident that exposed customer payment card data. Point-of-sale malware was found at over 1,000 of its franchised US restaurants. The attackers had gained access to the machines using the remote access credentials of a third-party service provider.
- In July 2017, the records of a reported 14 million Verizon subscribers were exposed. The records were held in an Amazon S3 storage bucket controlled by Israel-based Nice Systems, not a small company but a well-known and trusted one that, by its own account, works with 85 of the Fortune 100. Verizon said it had "provided the vendor" with the data as part of an ongoing project, and a spokesperson said that a Nice employee had incorrectly allowed external access to the storage.
Attackers have become smarter and they choose the path of least resistance into an organisation. The incidents above highlight a key point: the initial compromise happened not on the victim organisation's side but on the supplier's. Similarly, the real target of the 2011 RSA SecurID breach was not RSA itself but its customers. Big organisations are more likely to suffer breaches because of the higher probability of a weak link somewhere in their complex supply chain ecosystem.
How have regulators and organisations responded?
Regulators responded by requiring organisations to have an assurance process for managing supplier security risk. Many organisations met this requirement by putting in place a "Supplier Security Assurance Framework": a supplier security policy plus a supplier security due-diligence process for managing supplier security risk.
In 2014, the UK government published the Cyber Essentials scheme to reduce the level of cyber security risk in its supply chain. The scheme defines a set of basic controls (boundary firewalls, secure configuration, access control, malware protection and patch management) which, when properly implemented, give organisations baseline protection against the most prevalent internet-borne threats.
The Supplier Security Assurance Framework has been a good step forward, but it is not enough. The intent is sound; it is the implementation that has gone wrong in many cases, producing an operational "tick in the box" exercise that is labour-intensive, inefficient and, in most cases, not fit for managing supplier security risk. Ask any supplier that does business with financial services organisations and they will tell you about their painful experiences.
Most suppliers receive near-identical supplier security policy documents from all their customers, similar Excel-based questionnaires, a report based on their questionnaire answers and, finally, a request for a remediation report. Many suppliers now keep a boilerplate set of answers for these questionnaires. This is not malice or unwillingness to participate: they do not have the manpower to meet requests from many different customers, and they see little value in the process. The process may satisfy a compliance requirement to conduct supplier security assurance reviews, but it does not surface the real risks, which depend on the type of supplier relationship and the services the supplier provides.
Take the Target breach and its third-party supplier, Fazio Mechanical, a refrigeration contractor. The attackers got into Target's corporate network by first compromising Fazio Mechanical. A phishing email duped at least one Fazio employee, allowing Citadel, a variant of the Zeus banking Trojan, to be installed on Fazio computers. With Citadel in place, the attackers waited until the malware captured what they were after: Fazio Mechanical's login credentials for Target's systems. At the time of the breach, all major enterprise anti-malware products detected Citadel. Unconfirmed reports said Fazio used the free version of Malwarebytes Anti-Malware, which performs on-demand scans only and provides no real-time protection.
A supplier security assurance review of Fazio Mechanical would have recorded that Fazio had anti-virus and anti-malware protection in place and that it educated its employees on security basics through annual computer-based training courses or regular email newsletters. A questionnaire records the presence of a control, not its effectiveness. Would that review have let Target predict that Fazio's controls were ineffective and do something about it? No.
Knowing your suppliers and protecting what matters most
The most important prerequisite for managing supplier cyber security risk effectively is a good-quality supplier inventory. That includes understanding the inherent risk of each relationship: does the supplier have access to the organisation's network? Does it hold the organisation's data off-premises? How will the organisation share data with the supplier? What data does the supplier process? Many organisations still do not have a good-quality supplier list, let alone copies of the contracts signed with each supplier.
While some suppliers are engaged through the vendor management process, others are engaged directly by lines of business for their immediate requirements, e.g. data processing, customer marketing campaigns or customer data mining. A number of cloud-based services (AWS and Salesforce, for example) can be bought by a line of business with a corporate credit card. One place every organisation should look to build a holistic picture of its supplier relationships is its corporate credit card statements.
The complexity, difficulty and effort required to understand the supplier landscape are directly proportional to the size, geographical footprint and nature of the organisation's business: the bigger the organisation, the more complex and difficult the exercise. Unfortunately, there is no shortcut to understanding supplier relationships. A "big bang" approach to conducting supplier security assurance reviews is impractical: expensive, ineffective and unsustainable. Organisations need to follow a risk-based approach, focusing on their crown jewels and on the critical suppliers that pose the highest risk, and they need to assign their best security experts to the assurance reviews of those high-risk suppliers so that the reviews are of real quality.
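The two steps above, discovering suppliers from card spend and tiering the inventoried ones by inherent risk, can be mechanised. The script below is an added example and not the article's own code: it reconciles a corporate card statement against a supplier inventory by normalising merchant descriptors (card networks append legal-form tokens such as INC or LTD that a contract name lacks), flags merchants with no supplier on record as candidate shadow suppliers, and scores each inventoried supplier on the inherent-risk questions from the text. The CSV layouts, the supplier and merchant names, and the scoring weights are all constructed assumptions; a real programme would calibrate the weights and add fields such as data volume and regulatory scope.

```python
"""Reconcile corporate card spend against the supplier inventory and tier
suppliers by inherent risk. Added example; all data below is constructed."""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass

# Constructed sample: an approved-supplier inventory as a vendor management
# process might hold it, answering the inherent-risk questions from the text.
INVENTORY_CSV = """\
supplier,contract_ref,network_access,data_off_premises,data_classification
Fazio Mechanical,CTR-001,yes,no,none
Acme Payroll Services,CTR-002,no,yes,confidential
Print Shop,CTR-003,no,yes,internal
Office Plants Co,CTR-004,no,no,none
"""

# Constructed sample: a corporate card statement extract. Merchant
# descriptors are deliberately messy, as they are on real statements.
CARD_STATEMENT_CSV = """\
date,merchant,amount,cardholder
2017-07-03,AMAZON WEB SERVICES AWS.AMAZON.CO,1240.50,marketing
2017-07-05,SALESFORCE.COM INC,3600.00,sales
2017-07-09,FAZIO MECHANICAL SERV INC,875.00,facilities
2017-07-12,ACME PAYROLL SERVICES LTD,2100.00,hr
2017-07-15,DATAMINER CLOUD ANALYTICS,499.00,marketing
2017-07-20,OFFICE PLANTS CO,60.00,facilities
"""

# Legal-form and noise tokens that differ between a contract name and a
# card-network merchant descriptor; ignored when matching (assumed list).
_NOISE = {"INC", "LTD", "LLC", "PLC", "CO", "CORP", "COM", "SERV", "SERVICES"}

# Assumed weights: any network connection is the single largest factor (the
# Target and Home Depot footholds were supplier network credentials), then
# data held off-premises, then the sensitivity of that data.
_NETWORK_WEIGHT = 4
_OFF_PREMISES_WEIGHT = 2
_CLASSIFICATION_WEIGHT = {"none": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Supplier:
    name: str
    contract_ref: str
    network_access: bool
    data_off_premises: bool
    data_classification: str  # none | internal | confidential | restricted


def normalise(name: str) -> frozenset[str]:
    """Reduce a supplier name or merchant descriptor to its significant tokens."""
    tokens = re.sub(r"[^A-Z0-9 ]+", " ", name.upper()).split()
    return frozenset(t for t in tokens if t not in _NOISE and not t.isdigit())


def load_inventory(csv_text: str) -> list[Supplier]:
    """Parse the inventory CSV into Supplier records."""
    return [
        Supplier(
            name=r["supplier"],
            contract_ref=r["contract_ref"],
            network_access=r["network_access"].strip().lower() == "yes",
            data_off_premises=r["data_off_premises"].strip().lower() == "yes",
            data_classification=r["data_classification"].strip().lower(),
        )
        for r in csv.DictReader(io.StringIO(csv_text))
    ]


def inherent_risk_tier(s: Supplier) -> str:
    """Score the relationship, not the supplier's controls: tier is set by
    what the supplier can reach and what it holds, before any questionnaire."""
    score = _NETWORK_WEIGHT if s.network_access else 0
    score += _OFF_PREMISES_WEIGHT if s.data_off_premises else 0
    # An unrecognised classification is treated as the worst case.
    score += _CLASSIFICATION_WEIGHT.get(s.data_classification, 3)
    if score >= 4:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def reconcile(card_csv: str, inventory: list[Supplier]) -> tuple[dict[str, Supplier], list[str]]:
    """Match each card merchant to an inventoried supplier whose significant
    tokens all appear in the descriptor. Returns (matched, unregistered)."""
    index = [(normalise(s.name), s) for s in inventory]
    matched: dict[str, Supplier] = {}
    unregistered: list[str] = []
    for row in csv.DictReader(io.StringIO(card_csv)):
        merchant = row["merchant"]
        tokens = normalise(merchant)
        hit = next((s for key, s in index if key and key <= tokens), None)
        if hit is not None:
            matched[merchant] = hit
        elif merchant not in unregistered:
            unregistered.append(merchant)
    return matched, unregistered


if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    matched, unregistered = reconcile(CARD_STATEMENT_CSV, inventory)
    print("Card spend with no supplier on record (candidate shadow suppliers):")
    for merchant in unregistered:
        print("  ", merchant)
    print("Inherent risk tiers for inventoried suppliers:")
    for s in inventory:
        print(f"  {s.name:<24} {inherent_risk_tier(s)}")
```

Run as is, the script flags the AWS, Salesforce and analytics merchants as spend with no contract on record, and ranks Fazio Mechanical "high" on network access alone even though it holds no data, which is the point of scoring the relationship rather than the supplier's answers.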
When it happens
No matter how much effort an organisation puts into a supplier assurance programme, there is no guarantee that a security breach won't happen. As Murphy's Law has it, "anything that can go wrong will go wrong". In the real world things do go wrong; it is just a matter of when.
When they do, organisations need to respond effectively, and that is where a well-defined plan comes to the rescue. Organisations need a well-defined Security Incident Management Plan, and suppliers need a defined role in it: agreed reporting lines and notification obligations (the Zurich case above shows what happens without them), named contacts on both sides, and access to the supplier's logs and evidence, so that incidents involving a supplier are managed as effectively as internal ones.
The supply chain plays a key role within organisations, allowing them to innovate, create new products or services, increase profitability and compete. While it is essential for organisations to let suppliers connect to their systems and applications and to exchange sensitive information with suppliers and partners, it is equally important to manage the cyber security risks that come with the supply chain.
Compliance and security go hand in hand, but they are not the same thing: being compliant does not necessarily mean being secure. The focus needs to shift to improving overall security posture in close partnership with the supply chain, rather than a "tick in the box" compliance exercise of conducting supplier security assurance reviews.
Securing the supply chain is as important as securing the front door, and it starts with engaging your business and its suppliers.