Managing cyber risk through integrated supply chains
High-profile supply chain cyber attacks have caused huge disruption this year. Carl Nightingale considers key questions business leaders should be asking of their organisations.
Today’s supply chains could be compared to the ancient silk road on the basis of the length of the chain, the multiple touchpoints and the variety of products. But where the silk road became the lifeblood of ancient civilisations for these reasons, the complexity of modern supply chains could be their very downfall, jeopardising functionality and, consequently, organisations’ reputations.
Today, fulfilment software, IT service providers and business process outsourcing (BPO) are just a few examples of supply chains that still rely on interconnected IT systems with varying degrees of access to various parts of the IT estate to process, share and store data.
The pandemic has also driven organisations to accelerate their digital plans and reach out to their customer-base in this new world to trade and remain competitive.
However, the subsequent heightened cyber risk is making this a tricky road to navigate, driving increased regulation, disruption, escalating fines and the high costs of resolving an issue internally – in one case touching $100m to contain and correct the data breach.
The weak link in your enterprise might lie with suppliers and partners
Recent well-versed examples within the manufacturing, financial services and transport sectors have been severely affected by security risks emanating from within their supply chains, causing huge material disruption. This is not isolated to a particular industry sector, but is a widespread issue that we need to address.
A supply chain attack occurs when someone infiltrates your system through an outside partner or supplier with access to your network, systems and – ultimately – data.
This has dramatically changed the attack surface of the typical enterprise in the past few years, with more suppliers and service providers touching sensitive data than ever before, expanding and blurring the enterprise boundary. For organisations with thousands of critical suppliers, this becomes a very challenging task irrespective of the industry.
The layer-cake effect
The attack on SolarWinds made the industry sit back and rethink the approach to managing risk across not only their own IT landscape, but the suppliers and sub-suppliers who are connected to them. Regulators are trying to deal with this with refreshed legislation, but with growing public awareness and new types of attacks, it is more of a challenge than ever before.
According to a report by the New York Times, the SolarWinds attacks penetrated many more than a “few dozen” government and enterprise networks, as initially thought. As many as 250 organisations have been affected, and the attackers took advantage of multiple supply chain layers.
We must consider the full end-to-end ‘system’ and assess the risks that may affect operations, data and customers to minimise the very real, negative, and material impact it can have. The boundaries of information security risk management are fluid, driven by business needs, including geographical impact. ‘Who’s’ connecting to ‘what?’
A recent report, Data risk in the third-party ecosystem, compiled by The Ponemon Institute and commissioned by Opus, states that 60% of data breaches have emanated from within the supply chain, whereby weaknesses in their control landscape underpin their very own operations. Time to report breaches to the regulatory authorities is shorter, resulting in a cyber hack having a greater impact on eroding market valuation, brand reputation and consumer confidence.
So what can be done? There are some key questions, outlined below, that leaders should be asking of their organisations and their suppliers around how to obtain assurance over the adequacy of control measures in place.
Key questions include: Who has connectivity into our systems? Their systems are different, so how do we manage that? What is their security policy and is it adhered to? It looks like their network is down, so what does that mean for us? What local data protection legislation applies to them? Do we understand our regulatory obligations towards our customers? And do we understand the data flow between us and our suppliers?
First and foremost, you must understand what processes the supply chain partners conduct on your behalf. This means understanding applications, access means, data processed (data flow mapping – ‘knowing’ your data), physical locations (which could be under different local regulation and legislation); and not forgetting commercially what they are obliged to do to manage your system.
This will help to clarify where the boundary lies and what you need to assess and monitor.
Key questions include: Do we know what to look for? Where’s our data? Who has access? Who should have access? How do they access it? And do we have secure environments/methods/means to share files/data?
It is important to assess potential threat sources and inherent risks across the supply chain, leveraging industry good practice. Look closely at the attack paths that could be taken to undermine your operations. Supply chain/partner organisations should be obliged to manage the handling of your data in line with any agreed good practice standard.
We are looking to ascertain the people, process and technology view concerning risk, and to understand the materiality concerning any risk identified. Techniques such as business wargaming can help articulate those risks across a highly complex IT landscape.
Key questions include: How do we collaborate securely? What pragmatic solutions can we consider? How can we grow in this environment? What technologies can we leverage? How do we obtain a view of our stretching organisational boundary? How do we manage the processing and storing of our data across interconnected domains? How do we build trust and loyalty with our customers? And how do we mature our operational resilience?
To initiate activities to address areas of unacceptable levels of risk. These can be anything from commercial obligations between the supplier and yourself; building mutual understanding of the appetite for risk (like-minded values, beliefs, concerns, controls as you do) creating a joined-up approach to risk management; updating policy and process (including change and how that is tested and introduced into live production); to addressing technical holes (back doors in networks) across the ecosystem that could provide a way in for an attacker.
More broadly, setting the right culture to embrace the need to manage supply chain risks will also shift a mindset of moving beyond your own readiness to that of your third parties.
Key questions include: How can we leverage technology and drive efficiencies to manage cyber risk across a large, complex supply chain? How can we use this to demonstrate our ability to manage risk to the regulators and our customers? And how do we obtain a real-time view of risk across our entire system?
The final step is to embed the concept of ‘continuous monitoring’. This can be part of your broader enterprise governance risk and compliance processes to manage risk. To drive efficiencies into this, we now seek to leverage technology.
According to Gartner: “Continuous controls monitoring [CCM] is a set of technologies to reduce business losses through continuous monitoring and reducing the cost of audits through continuous auditing of the controls in financial and other transactional applications.”
Advancements in artificial intelligence (AI) are also helping to build-in prediction and give us the ability to better rationalise and take appropriate action concerning risk. Organisations can now adopt this technology as a business-wide solution to monitor key systems and data to protect business operations, revenue, reputation and profits from cyber and digital risk 24/7.
There are many tools available that allow you to monitor at a process and technical control level, including monitoring policies via collectors deployed near data sources on specific machines within your supplier’s estate that deliver real-time reporting to help identify potential risks to your daily operations.
This article has touched on well-versed examples highlighting the risk of data-related fines, reputational damage and market value impact, with the cost of implementing a continuous control monitoring approach being a relatively small investment in comparison.
It is crucial that suppliers to your operations buy into this extended view of risk management to help all parties involved protect the end customer and their data. This can simply be viewed as the overlapping of risk management processes between one company and another to make use of proactive cyber measures.
Increasing regulation in this space is forcing us to now address this. The adoption of advanced automation techniques as part of smart supply chains requires us to consider cyber risk in conjunction with developments in this space.
Thankfully, technology allows us to sharpen the once blurred boundary and provide assurance to management, stakeholders and customers that we can take reasonable steps to keep up with the pace of change and manage risk in a connected world.