Information security weaknesses at suppliers have been responsible for several high-profile breaches in recent years. These include malware-laced phishing emails sent to an air-conditioning supplier to US retailer Target in 2013 and contractor PA Consulting losing the details of 84,000 prisoners on an unencrypted memory stick in 2008.
Chris Gibson, director of the UK computer emergency response team (Cert-UK), said that, for an organisation aimed at supporting critical national infrastructure, supply chain security is an important area of focus.
“We are very cognisant of the fact that the information security of suppliers is just as important as that of providers of critical infrastructure themselves,” he said. “We work a lot of cases that are deep down in the supply chain.”
Gibson said that, while the government is encouraging all organisations to ensure they are covering the five basic information security areas outlined in the Cyber Essentials scheme, it is also trying to help push those principles down into their supply chains, to raise the level of security awareness.
“I have seen more than enough examples to know that, at the moment, it is not where it needs to be, without a doubt,” he said. “Target may have been very good at information security, but there was a weakness in their supply chain, and that is where they fell over.”
According to Gibson, many of the cases that Cert-UK is involved in could have been prevented if the organisations involved had followed basic “cyber hygiene” principles.
“A recent incident involved poorly-configured SQL servers, but that is a security vulnerability we have known about for 20 years. Attackers are still finding and exploiting well-known vulnerabilities that we know how to fix. Good cyber hygiene across the board would solve an awful lot of the problems we see and would kill a lot of the work I deal with,” he said.
Work with suppliers
Tom Mullen, head of cyber response and IT security at Telefonica UK, said information security has to be included in the supplier contract. “When organisations start negotiating with suppliers, they must ensure that information security is one of the key deliverables specified in the contract,” he said.
But, he said, that is just the starting point. The information security requirements in the contract must be followed up by regular audits and spot checks to ensure the supplier is adhering to the contract and the specified information security policies.
Mullen said carrying out checks involves a lot more work, but the scope of this can be reduced by ensuring at the contract stage that services are secure by design.
However, Jon Townsend, head of cyber intelligence and response at the Department for Work and Pensions (DWP), said organisations should try to avoid an adversarial relationship with suppliers.
“Try to be an intelligent customer. Ensure you are asking the right questions and ensure that you understand the services being provided. And if you think suppliers are not meeting your information security requirements, instead of beating them up with the contract, work with them to put it right,” he said.
“By working with suppliers to overcome any difficulties you will benefit by improving the security of your organisation. Know what you need to know concerning the security of your data, then work with your supplier to get that information if they are not currently providing it.”