Originally published in August 2016, this article has been fully updated in November 2020 to reflect changes in Supply Chain Cyber Security. We cover the growing importance of a resilient supply chain and more rigorous application of the UK Cyber Security Model (CSM) and the US Cybersecurity Maturity Model Certificate (CMMC).
It’s an everyday story but it could happen in your business – right under your nose and far more easily than you could have imagined. Who’d have thought that a Small Medium Enterprise would cost millions in lost revenue, cause significant reputational damage and nearly bring your business to its knees? But that’s what a weak link in your supply chain cyber security can do.
Picture the scene – Brian parks in the street around the corner from work and walks down the side of his company building. The back door, propped half open by the fire extinguisher, makes entry a breeze. He takes off his balaclava and walks down the corridor to the server room. Brian provides IT support to this and other local companies and, as the IT system administrator, he has the keys to the server room door.
In a matter of seconds, he attaches the flash drive to the database server to download a backup of the product design that he knows the company has been working on. He pockets the drive and then leaves – as easily and as undetected as he’d entered. The man in the pub had promised him a monkey for the design information. He’s not sure what he will do with a medium-sized primate, but reckons he’ll just sell it to a zoo and get some cash instead.
What does it all mean?
In simple terms, supply chain security (without the cyber bit) means ensuring that the critical components used to develop and deliver goods and services to customers are available when they need to be and are of the right quality. To do this, it needs to be resilient, and to be resilient it needs to be resistant to disruption and capable of returning to functionality once a disruption has taken place.
Supply chain cyber security is very similar – it is about ensuring that an organisation’s critical information and business systems are not compromised or disrupted by any third-party suppliers. It’s a topic of increasing and serious concern for both commercial companies and government organisations. They need protection from people like Brian as well as much more sophisticated attackers. And this is on top of other concerns, such as the stupidity and ignorance of staff in supply chain companies, as well as just bad luck.
A resilient supply chain is becoming more of a requirement, especially across defence, and a greater onus is being placed upon suppliers to demonstrate their ability to withstand and recover from incidents. As a way of reinforcing this aspect of doing business with Defence and Government, mechanisms such as the UK Cyber Security Model (CSM) and the US Cybersecurity Maturity Model Certificate (CMMC) are being applied more rigorously.
Organisations, particularly large ones, have always relied on suppliers for critical services to some extent, often for functions involving sensitive information such as finance, HR and legal. Typically, only limited consideration has been given to how this information has been protected. The cyber security aspects of supply chain management have been sidelined for some time for a number of reasons:
- The extent of outsourcing of support functions has been relatively constrained
- Cyber security threats from the supply chain have either not been realised to a significant extent or, more likely, have not been understood
- Organisations have been busy focusing on internet-based threats to their business instead
- Lack of awareness of the threat human beings present in a cyber context
What has changed?
Over the past 10-15 years, the way that business is conducted (and the cyber threats it faces) has moved on considerably:
- Many more organisations are outsourcing more key functions (such as IT support) to reduce costs
- Significant impacts from supply chain cyber security compromise continue to be reported for international and national organisations, with many continuing to be compromised by known threat groups such as Energetic Bear (also tracked as Crouching Yeti) and by other hacking tools
- There continues to be a growing appreciation that the supply chain is often the weakest cybersecurity link
- Awareness of the Insider Threat is becoming more evident
In an ever-connected world, collaboration is an increasingly popular approach to delivering services and solutions to customers. Organisations want to reduce costs, so it makes sense to outsource services to specialists that can offer economies of scale (such as cloud providers) or expertise too expensive to maintain in-house (such as legal support or HR services).
One of the consequences of this approach is that the organisation’s information and, critically, often that of its customers, is now potentially exposed to a wider group of people and with that, the risk of disruption increases. With responsibility for information security remaining with the originating organisation, it now has to consider – does the umbrella of protection extend to the outsourcing providers?
Government organisations have had a requirement to consider the cyber security consequences of outsourcing under information security policy since 2008 (Security Policy Framework). The current version of this policy requires that government organisations will have “arrangements to determine and satisfy themselves that Delivery Partners, service providers and third-party suppliers, apply proper security controls”. Government organisations are assessed annually on their compliance with central security policy and therefore have to take action to meet this requirement. National security incidents in recent years (such as WannaCry) have increased the focus on, and the importance of, these actions taking place.
Managing supply chain cyber risk
Over the past two to three years there has been considerable effort in government organisations to understand, and then to manage, supply chain cyber risk.
The Cyber Essentials Scheme was introduced and has been mandated for all defence and some government contracts since October 2014. The Cyber Security Model has been implemented across the UK defence industry. This requires members of the defence supply chain to demonstrate to the MOD that their cyber security is mature enough to meet the requirements directed by an assigned Risk Profile.
Outside of government (but very relevant to public sector procurement), IA Inside from Ascentor has been developed to help buyers and suppliers make cyber security holistic, integrated and effective throughout the project lifecycle.
The General Data Protection Regulation (GDPR) introduced 7 key principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. These principles are broadly similar to those of the Data Protection Act 1998, requiring that personal information is protected at all times, with responsibility lying with the data owner regardless of who else is given access to the information. Other industry regulations, and increasingly contractual conditions, require that information is protected at all times.
What does this mean for your organisation?
If you outsource services to external providers, you need to understand who holds which aspects of your information and then determine how much each matters. You should do this because failing to protect your critical information leaves your business exposed to regulatory or legislative fines, or to theft, loss or corruption of the data by cyber attackers. You will probably need to do this in any case, because of legal, regulatory or commercial contractual requirements.
If you are a supply chain company, you need to demonstrate to clients that you are a “safe pair of hands” and that customers should choose your services over your competitors because you offer a solution that appropriately covers their information security requirements. Increasingly, as we have been seeing, more companies will be obliged to do this because customers will make it a contractual condition of doing business. The CMMC is a good example of this, where the US DoD are insisting their suppliers comply or they do not provide services! Do you jump or wait to be pushed?
Part 2 of the series
Compromising your cyber security shouldn’t be this easy for Brian. That’s why, in Part 2 of this exploration of supply chain cyber security, we look at what organisations can do to improve their management of this important issue. Read part 2 here.