The Nasstarian
Why it’s Time to Wake Up to Supply Chain Risk

In opinion / By Phil Muncaster / 09 July 2018

Do you know how many partners, suppliers and contractors your organisation does business with? Do you know how much privileged access to data and systems behind the corporate firewall these companies and their employees have? If not, your organisation might be more exposed than you think to the risk of a crippling cyber-security incident. According to stats cited by the SANS Institute, up to 80% of breaches may originate in the supply chain.

Recent breaches and security incidents at several service providers have shone an uncomfortable light on the issue. In the new era of GDPR and the NIS Directive, organisations must lock down risk in their supply chain, or fear the wrath of the regulator.

One breach, many victims

Our modern digital world is built on the supply chain: a complex network of interdependent companies powered by high-speed online data exchange. It’s an often automated, seamless and invisible exchange of goods and services, which can create security gaps and cyber risk.

Over the past couple of weeks we’ve seen exactly how these inter-dependencies can come back to bite. PageUp, an Australian recruitment platform with international customers, was breached last month. Personal data including names, email and physical addresses, telephone numbers, gender, dates of birth and employment details were stolen – certainly enough for fraudsters to craft pretty convincing follow-on phishing attacks and identity fraud attempts. It soon emerged that brands as wide-ranging as Telstra, Aldi, Lindt and the UK’s Costa Coffee and Premier Inn had been affected as a result. One breach, multiple corporate victims.

In a similar way, online survey provider Typeform recently admitted to a breach. Details are still emerging, but once again clients affected include a broad sweep of companies: Travelodge, Fortnum & Mason and the Liberal Democrats.

While these incidents involved hackers directly breaching a supplier’s systems, sometimes the supply chain risk comes from coding errors by a development partner. Ticketmaster revealed a breach affecting 5% of its global customer base which occurred after hackers exploited a piece of code written by third-party developer Inbenta Technologies. And the NHS was left red-faced after a mistake by developer TPP meant that patient preferences regarding use of their personal data weren’t recorded, leading to a privacy scandal affecting 150,000.

Supply chain pain

Supply chain attacks are even harder to stop when they’re more targeted. Some of the biggest and most damaging breaches ever recorded came via the supply chain. US retailer Target, which spilled 40m card details and 70m customer records, was hit after hackers compromised an HVAC supplier which had network access. The devastating loss of highly sensitive data on over 22m federal employees and their families, including security clearance information on military personnel, was made possible after hackers targeted contractors working at the Office of Personnel Management. In both cases the lack of multi-factor authentication made it almost too easy for the attackers.

Unfortunately, it’s not easy stopping a determined attacker. In fact, a recent National Cyber Security Centre report warned: “When done well, supply chain compromises are extremely difficult (and sometimes impossible) to detect.” That’s certainly true of the NotPetya attacks which began after Russian hackers compromised popular Ukrainian accounting software used by many government departments. The impact of that supply chain attack globally was catastrophic, costing many big-name firms hundreds of millions.

The problem of supply chain risk is best articulated by the NCSC:

“It is clear that even if an organisation has excellent cybersecurity, there can be no guarantee that the same standards are applied by contractors and third-party suppliers in the supply chain. Attackers will target the most vulnerable part of a supply chain to reach their intended victim.”

A new era

So how can organisations plot a way forward to a more secure supply chain? The new regulations, the GDPR and the NIS Directive, are both pretty clear that they must do so. The former places responsibility for breaches on both data processor and supplier, ensuring that firms cannot simply blame the outsourcer for an incident. Meanwhile, the latter has the following:

“Regardless of your outsourcing model the OES [operator of essential services] remains responsible for the security of the service and therefore all requirements from NIS flow down.”

The good news for CNI operators covered by the NIS Directive is that the NCSC has some advice here. The GCHQ body claims that organisations should mitigate supply chain risk by:

  • Understanding the risk
  • Establishing control
  • Checking your arrangements
  • Continuous improvement

This would also be a good place to start for organisations looking to comply with the GDPR. It’s all about understanding where your data is flowing, who is using it, and what security controls are in place in your supplier organisations. Contracts must be revisited and updated to document this and to ensure that a baseline of security you’re happy with is in place. It goes without saying that regular audits will be needed going forward. Best practice frameworks like ISO 27001 can help here in providing assurance.

Unfortunately supply chain risk is the price we pay for our global digital world. Organisations may historically have taken for granted the seamless connectivity of the supply chain. Now it’s time to give a bit back.

Phil Muncaster
Phil is an internationally known technology writer, having regularly written for The Register, InfoSecurity and IT Week on the subject of technology, IT and security.