Supply chain security isn’t an SEP

Dave Sirignano returns with his topical blog on all things cyber.

Supply chain security. Why is this important?

Well, let’s be honest, how many organisations proactively look at information security in the supply chain during procurement and beyond? I know from experience only a few think about it and, of those, even fewer have thought about it properly. How else can we explain the ridiculous number of security breaches directly attributed to third parties? Don’t believe me? Let’s have a quick reminder…

The US firm Target suffered a massive data breach in 2013, impacting some 40 million customers whose debit and credit card accounts were hacked. The retailer paid dearly. Settling with several US banks cost $39 million (£30m).

Closer to home, Debenhams recently suffered a data breach where attackers apparently accessed personal data, including customers’ names, addresses and financial information. It has been reported that a malware-enabled cyber-attack on Ecomnova, a third-party e-commerce company behind the Debenhams Flowers website, was to blame.

Sadly, the list of data breach victims could go on and on.

Let’s get back to the fundamentals to see why supply chain security is such an issue.

Firstly, security is often seen as a business blocker and not an enabler. Why does this apply to the supply chain? It’s difficult for most organisations to understand their own security environment - and understanding supply chains is complex enough without the added security perspective. All too often security is an afterthought that isn’t built into business objectives.

Secondly, to borrow a term from Douglas Adams’ much-loved The Hitchhiker’s Guide to the Galaxy, it’s seen as Somebody Else’s Problem (SEP). After all, we human beings are naturally predisposed to miss things we don’t want to see, weren’t expecting, or can’t explain. Since understanding a third party’s security approach often involves a combination of all three, hey presto, it’s neglected.

I can hear the excuses already: “Hang on a minute, we cover this contractually.”

And my response?: “Aha, yes you may, but the costs factored into a contract are often greatly outweighed by the cost of a breach.”

Sorry to disappoint: there is no silver bullet. So what can you do to get chain security right? Begin by adopting a phased approach: it’s important to understand the business requirements for security. But what does this mean?

Think about all the regulatory and legal obligations your organisation or enterprise has to fulfil. There’s the Data Protection Act, soon to be General Data Protection Regulation (GDPR), PCI DSS for those who store and/or process cardholder data, ISO 27001 requirements for those who require it and so forth. Think about what your supplier should demonstrate to meet your regulatory requirements.

On an even more fundamental level, has your organisation conducted a threat assessment? What threats are you likely to face in the near future? If you are a large soup manufacturer, chances are you won’t face a breach from other nation states. If, however, you are in finance or utilities then maybe you should take those threat actors a bit more seriously.

So you know you need to incorporate security into your procurement plans, and you have conducted some threat modelling and risk assessments. But how do you articulate your high level requirements into tangible procurement requirements suitable for contracts and tender documents?

The good news is you have plenty of options. For example, you can choose to stipulate security certifications that cover the scope of service such as ISO 27001, or you could include a requirement for audit/due diligence post contract, or you could flow down granular controls you want suppliers to implement. But remember: the more onerous your requirements, the more you can be charged by your supplier. It pays to conduct a cost/benefit analysis.

Once you have thought about your requirements, articulated them and signed your contract, what next? How do you manage your supplier throughout the duration of the contract - which might be for several years - and ensure security controls and requirements remain tight? After all, just because conditions were set when the contract was negotiated doesn’t mean you shouldn’t monitor your supplier. In large organisations, this can be easily addressed by the supplier manager along with regular due diligence checks. However, it can be a little trickier for those who don’t have a dedicated supplier management process.

Here’s my top tip: be careful not to expand the scope of service without ensuring your previous security requirements have carried over.

The principles discussed also apply to cloud migration. Just because it’s someone else’s computer doesn’t mean it transfers your responsibility. I will look at cloud migration as a separate supply chain topic, as it covers some niche considerations.

Look out for more posts on how to build your supply chain security strategy coming soon. Whatever you do, integrate security into your business today. Stay safe!

Dave – The Security Guy #VirginSecure #Cybersecurity #VMB