The Ascertus Security Thought Leadership Series
Supply Chain Risk Comes from Software and Physical Service Providers
Supplier risk is a growing concern today and organisations need to look at third party risk more comprehensively. Regardless of in which organisation the breach occurs, the reputational damage is borne by the firm that holds the data. Ticket Master is a case in point. The breach was caused by malware that infected a customer support system managed by Ticketmaster’s partner Inbenta Technologies, on the company’s behalf.
The ramifications of breaches for law firms are potentially much greater – there’s the reputational damage and the loss of intellectual property and confidential information (e.g. M&A data), impacting the business well into the long term. I recollect an instance in the US where a company was acquired for significantly less than it had been valued for initially because it had suffered a data breach – a case of collateral damage!
Here are some tips for organisations to consider in order to protect against supply chain risk:
Include security benchmarks within SLA
Establish policy in terms of what the security benchmarks for security are and agree those with your suppliers upfront, at the point of formally entering into a contract. Ask suppliers to share their internal policies and procedures on how they maintain security, what they would do in the event of a breach, what their business continuity plans are and how they will rectify their processes to pre-empt such an event for the future.
Thereafter, it’s crucial to review those security benchmarks on a regular basis – given how quickly the landscape is evolving security, a benchmark that may have been appropriate six months ago may no longer be enough in its remit a few months later.
Similarly, a supplier who is committed to the National Cyber Security Centre’s Cyber Essentials programme, should instil confidence. This government backed scheme encourages a thorough and comprehensive approach to cyber security.
Involve IT to ensure those benchmarks are appropriate
Often contracts for products and services are secured by business unit heads and without the involvement from IT. However, involving IT, is sensible especially as they can ensure that the security benchmarks in suppliers’ SLAs are in accordance with the overall security policies of the organisation.
A good example is printers, which are extensively used in law firms. These devices are connected to networks, potentially giving the supplier full access to both the office complex and confidential information. Their routine maintenance of these devices involves undertaking tasks at the office site. New devices may be added to the printer and therefore organisation’s IT network. Hence, IT needs to know and monitor things like software patching, default password refreshes etc. and ensure these are done in a timely and best practice fashion. This is important as printers today have hard drives and confidential information being printed might be accessible to rogue employees in supplier organisations
Exercise a third-party breach response plan
This is seldom undertaken, but organisations should exercise their suppliers’ incident response plans to ensure that they are able to not only deliver against the security benchmarks in the SLAs, but also to identify areas that need reviewing on account of the changing cyber security landscape. For instance, if a supplier is unable to provide a product or service for three days running, what are the implications for the business – and more importantly what is the fall back that the organisation should put in place to minimise impact. This will ensure business continuity in the unfortunate event of an actual security breach.
Don’t ignore physical security
Supply chain risk has come to be known as risk emanating primarily from software and technology vendors, but the reality is that any supplier – e.g. cleaners, handymen, utility providers, etc. – could pose a threat.
Increasingly, criminal gangs are infiltrating organisations physically by gaining entry to offices and buildings to then access the digital assets. Organisations must ensure that their suppliers are undertaking safeguards via stringent vetting processes. These should be part of the security benchmarks in the SLAs, as described above.
If every organisation undertakes exhaustive and intensive measures to mitigate their own supplier risk, cumulatively, it will have a positive impact on the entire supply chain.
About Shelton Newsham
Shelton Newsham is a manager and cyber security advisor at the Yorkshire and Humber Regional Cyber Crime Team, advising public and private sector and individuals (including at Board level) on threat mitigation. He is a Certified ISO 27001 ISMS Lead Implementer, ISMS 27001 Lead Auditor, Certified in information Security Management Principles (CISMP), ISO 22301 BCMS Lead implementer and Certificate of the Business continuity institute (CBCI). With over 17 Years’ experience in law enforcement, Shelton has extensive experience in incident response, critical incident management, intelligence assessments, threats to life, incident investigation, safeguarding the vulnerable, public order, and large-scale operations, working at a strategic level.