The security risk of the supply chain

Opinion by Paul Vlissidis

Information security has improved significantly in the last ten years.

Understandably, this is rarely discussed because standards are still not high enough. However, progress shouldn't be disregarded and thankfully most organisations now understand the importance of keeping their information assets digitally secure.

Much of the progress has been due to the increasing number of high-profile cyber attacks, which are helping to alter the mindsets of boardroom executives, albeit slowly. Businesses are realising that an 'it won't happen to me' attitude is no longer acceptable to stakeholders.

However, there's a common misconception that needs to be addressed. The usual advice is to concentrate on securing your own four walls: keep a tight perimeter around your business's critical data and risk will be minimised. But this overlooks one integral factor: the supply chain.

Businesses depend on third party suppliers every day. From software developers and hosting providers to accountants, lawyers, PR and marketing firms – all have access to corporate information and in many cases, the corporate network.

This means that a company's information security relies on that of third parties – and to a greater extent than is commonly believed.

We recently undertook some research into third party security breaches, questioning CIOs from companies with over 1,000 employees. Shockingly, more than 40 per cent of corporate IT security breaches were related to third party suppliers. With 76 per cent of those surveyed admitting their suppliers had access to customer data, it's easy to see how big a problem this has become.

There have been high-profile cases too. Last year US military contractor, Lockheed Martin, faced disruption to its computer networks which was linked to the hacking of one of its suppliers, RSA, weeks earlier.

Suppliers might not test their infrastructure regularly or educate staff about dangers such as spear phishing; they might not have effective firewalls or up-to-date anti-virus software. If those measures aren't in place at the supplier, it doesn't much matter whether your own business has them: the attacker can target your suppliers and get the data anyway.

There needs to be a broadening of the scope of IT risk management. If more than 40 per cent of corporate IT breaches involve third party suppliers, then a company's security budget needs to be modified to address this risk category.

There is a way to begin to combat this risk. However, it's going to take another change of mindset in the boardroom to realise just how much attention critical third party suppliers deserve. The fact is when it comes to supply chain security, a company is only as secure as its weakest service provider.

All third party suppliers with access to critical corporate data should be audited, and their security policies reviewed. When choosing suppliers, businesses can't merely focus on cost or quality – it's crucial they take into account security too.

We need greater awareness. Many businesses will not even realise the level of access that their supply chain has – our survey found that 38 per cent of CIOs do not take steps to find out which individuals from third party suppliers have access to their data. Key suppliers should be on their risk dashboards.

Businesses have come to understand the importance of cyber security and information assurance. However, until they realise the risks that third party suppliers pose to their own assets, corporate defences will continue to offer a soft target to miscreants and cyber criminals.

Paul Vlissidis is technical director at NCC Group
