Supply chain an important part of information security, say experts

Business is increasingly recognising the importance of information security, but security within supply chains is still widely overlooked

Business is increasingly recognising the importance of information security, but information security within supply chains is still widely overlooked, say security experts.

That is despite a growing list of cyber breaches that involve the exploitation of security weaknesses in suppliers of the intended target of attackers.

“Information is an important part of any supply chain – it is what glues it all together and makes it work,” said Adrian Davis, European managing director of (ISC)2.

“However, this information often includes intellectual property and other proprietary information that needs to be protected,” he told the Storm Guidance Supply Chain Cyber Assurance Seminar in London.

Sarb Sembhi, director at Storm Guidance, said the risk to information security posed by suppliers could not be denied or underestimated.

Supplier weaknesses have been responsible for several high-profile breaches in recent years, including malware-laced phishing emails sent to an air-conditioning supplier of US retailer Target in 2013, and contractor PA Consulting losing the details of 84,000 prisoners on an unencrypted memory stick in 2008.

Sembhi also highlighted the fact that the theft of credit and debit card data at 330 stores owned by Goodwill Industries International across 19 US states between February 2013 and August 2014 was linked to malware on the IT systems of a third-party supplier.

Also in 2014, US retailer Home Depot said it had traced the world’s second-largest theft of credit card details from its systems back to a supplier’s compromised username and password. And in June 2011, RSA acknowledged for the first time that intruders had launched a cyber attack on Lockheed Martin using data stolen from RSA.


But protecting information exchanged with suppliers is a huge challenge for most organisations, which typically do not know exactly who is in their supply chain or even how many suppliers they have.

“Knowing who is in your supply chain is vital because not knowing makes it impossible to assess and manage the information security risks,” said Davis.

It is important to have effective controls over what information is made available to which suppliers, especially since some suppliers may also be competitors.

Davis cited rival aircraft manufacturers Airbus and Boeing as examples because they each manufacture certain components used by the other.

A common problem is that the number of suppliers is usually far greater than organisations expect; in some cases, such as a multinational bank, the number of suppliers can exceed 100,000 globally.

This problem is often exacerbated by the fact that, in practice, suppliers can be deliberately opaque about their own suppliers and other industry affiliations.

Despite this risk, Davis said many organisations put few, if any, requirements in contracts to require information security assurances and best practices by their suppliers.

“I have seen contracts that require suppliers ‘to do good information security’ without any further concrete obligations to which they can be held accountable when things go wrong,” he said.

Integrate security requirements

All organisations should look at how they can integrate their security requirements into their supply chain processes, how they can extend those requirements to their suppliers’ suppliers, and how they can check that their requirements are being met, said Davis.

Most organisations find it hard to know where to start, but the best place to begin is not with suppliers, but at home, he said.

“Start by ensuring your own organisation is looking after data well, then look to extend those good practices into the supply chain.”

A useful tactic for getting all suppliers to adopt a common way of thinking is to express risk in financial terms, said Neil Hare-Brown, chief executive at Storm Guidance.

“Quantifying risk in terms of money breaks down barriers and enables all stakeholders to see what risk means,” he said.

According to Hare-Brown, this approach is more effective than most other ways of assessing risk, which tend to be subjective, reactive, uncertain, qualitative, and put business and security at odds.

“Organisations need to change the risk conversation to be about money,” he said.

Whether done consciously or not, Hare-Brown said organisations manage supply chain risk by attempting to find the right balance between mitigating, transferring, avoiding and accepting risk.

“Most organisations think they are mitigating most of the risk and accepting very little, whereas in reality they are mitigating less than they think, they are avoiding some things, such as doing business in what are perceived to be risky parts of the world, they are attempting to transfer risk through contractual obligations, and are accepting more risk than they would like.”

Express risk in terms of money

Ideally, said Hare-Brown, organisations should express risk in terms of money to make a business case to invest more in mitigations.

Organisations should also recognise the risk avoidance that is taking place and seek to make it as effective as possible in terms of reducing cost as well as risk, he added.

Finally, organisations should seek to transfer as much risk as possible through contractual obligations, and where this is not possible, take out insurance to reduce the risk, he said.

By adopting this approach, said Hare-Brown, organisations will be able to make a business case for allocating budget to reducing the risk they are accepting to an absolute minimum.

One way of tackling the risk analysis is to apply the factor analysis of information risk (Fair) methodology to supply chain risk, he said.

But this was challenging and most organisations would see value in requiring all suppliers to certify compliance with the government’s Cyber Essentials Scheme (CES), said Hare-Brown.

Five security controls

The UK government has required all IT suppliers to comply with the five security controls laid out in the CES since October 2014.

CES was developed by the government in consultation with industry and was launched in June 2014 with the aim of raising the cyber security bar in UK business.

Hare-Brown said basic CES compliance should be a minimum requirement for all suppliers, but key suppliers should be required to achieve CES+ certification, and critical suppliers should be required to submit qualified risk registers as well as attaining CES+ certification.

Basic CES certification requires an organisation to complete a self-assessment questionnaire, with responses independently reviewed by an external certifying body, while for CES+ certification, tests of the systems are carried out by an external certifying body using a range of tools and techniques.
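The two practical recommendations above, expressing supplier risk in money (Hare-Brown's FAIR-based approach) and tiering the assurance demanded of suppliers by how much risk they carry, can be shown together in a short worked example. The following Python is an added illustration, not code from the article, Storm Guidance or (ISC)2. It uses the FAIR factors named in the methodology (threat event frequency, vulnerability, loss magnitude) to compute an annualised loss expectancy, then prices the four treatment options the article lists. The supplier, its frequencies and loss figures, the control and insurance costs, and the ALE thresholds for the basic/CES+/risk-register tiers are all constructed assumptions: the article names the tiers but gives no numbers for them.

```python
"""Added example, not code from the article or from Storm Guidance.

A minimal FAIR-style model that expresses supplier risk in money
(annualised loss expectancy, ALE) and compares the four treatment
options the article names: mitigate, transfer, avoid, accept.
Every supplier, frequency, loss figure and threshold below is
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SupplierRisk:
    name: str
    tef: float             # threat event frequency: attempts per year
    vulnerability: float   # probability an attempt becomes a loss event (0..1)
    loss_magnitude: float  # expected loss per loss event, in pounds

    @property
    def lef(self) -> float:
        """FAIR loss event frequency = TEF x vulnerability."""
        return self.tef * self.vulnerability

    @property
    def ale(self) -> float:
        """Annualised loss expectancy = LEF x loss magnitude."""
        return self.lef * self.loss_magnitude


def compare_treatments(risk: SupplierRisk, *, control_vulnerability: float,
                       control_cost: float, premium: float, coverage: float,
                       avoid_cost: float) -> dict:
    """Total expected annual cost (residual loss + treatment cost) per option.

    control_vulnerability: vulnerability after a mitigating control is applied
    control_cost:          annual cost of that control
    premium / coverage:    annual insurance premium and the fraction of each
                           loss it pays out (risk transfer)
    avoid_cost:            annual cost of not using this supplier at all
    """
    mitigated = SupplierRisk(risk.name, risk.tef, control_vulnerability,
                             risk.loss_magnitude)
    return {
        "accept":   risk.ale,
        "mitigate": mitigated.ale + control_cost,
        "transfer": (1.0 - coverage) * risk.ale + premium,
        "avoid":    avoid_cost,
    }


def cheapest_treatment(costs: dict) -> str:
    """Pick the option with the lowest total expected annual cost."""
    return min(costs, key=costs.get)


# Assumed assurance tiers keyed on ALE. The article tiers suppliers as
# basic / key / critical but gives no thresholds, so these are constructed.
TIERS = ((250_000, "CES+ plus qualified risk register"),
         (50_000, "CES+ certification"),
         (0, "basic CES certification"))


def required_assurance(risk: SupplierRisk) -> str:
    """Map a supplier's ALE to the assurance level to write into its contract."""
    for threshold, requirement in TIERS:
        if risk.ale >= threshold:
            return requirement
    return TIERS[-1][1]


if __name__ == "__main__":
    # Constructed supplier: 4 attempts a year, 1 in 4 succeeds, £200k per event.
    hvac = SupplierRisk("hvac-contractor (constructed)", tef=4.0,
                        vulnerability=0.25, loss_magnitude=200_000)
    costs = compare_treatments(hvac, control_vulnerability=0.05,
                               control_cost=30_000, premium=25_000,
                               coverage=0.8, avoid_cost=90_000)
    print(f"{hvac.name}: ALE £{hvac.ale:,.0f} -> {required_assurance(hvac)}")
    for option, total in costs.items():
        print(f"  {option:<9} £{total:,.0f}/yr")
    print("cheapest option:", cheapest_treatment(costs))
```

With these constructed figures the supplier carries an ALE of £200,000 a year, which puts it in the assumed CES+ tier; accepting the risk costs the full £200,000, a control that cuts vulnerability to 5% costs £70,000 all-in, 80% insurance cover costs £65,000, and dropping the supplier costs £90,000. Putting every option in the same currency is the point Hare-Brown makes: the comparison becomes a budget decision rather than a qualitative argument between business and security.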
