As hackers find ingenious new ways to penetrate corporate systems, recent data breaches should serve as a timely reminder that cyber-resilience requires an approach that goes well beyond an organisation's own systems. From phishing emails purportedly sent by suppliers, to exploits using suppliers' networks as gateways to data-rich primary systems, the risk posed by third parties is becoming increasingly clear. While the fallout of a breach is often painful and expensive, the lesson is simple: suppliers and other third parties are often the weak link in the cyber-security strategy.
Such risks cannot be eliminated, short of ceasing to use computers. However, companies must take steps to safeguard their own systems, as well as understand the risks posed by suppliers.
The key question to ask is not how important the supplier may be to the organisation but how much access the supplier has to the company's computer systems. As some companies have found to their cost, such threats can emanate from suppliers that may not be regarded as particularly high risk or that represent only a small share of a company's purchase ledger. The contracting and due diligence process must therefore address the potential vulnerabilities that may be created as a result of supplier relationships.
Before reviewing the resilience of suppliers, companies must understand their own preparedness. It is a process that should start with a comprehensive security assessment of the company's own systems, conducted by an external third party. A security assessment is an in-depth review of the organisation's risk profile based on the specifics of how it does business, how its network operates and what sort of information the company holds. This will allow management to judge a company's central risk profile and take steps to reduce that risk.
The security assessment may suggest further measures to increase the resilience of the company's own systems. For example, where suppliers have access to corporate systems for the exchange of information or for remote management, networks may require further segregation. This ensures that the most sensitive data is not reachable from systems that may also be accessed, legitimately, by outside parties.
To ascertain the level of risk involved, companies should satisfy themselves that their suppliers are committed to carrying out regular, detailed cyber-security assessments. Such reviews must be tailored to the organisation in question, its business, its unique risk landscape and its particular use of data. This will commonly include an analysis of the company's data profile, the kind of attacks experienced by similar companies, as well as the type of information already in the public domain about the industry risks and potential adversaries. Each review is likely to highlight different types of security risks, depending on the business environment in which a company operates.
In the short term, it is unlikely that a large number of organisations will make such assessments mandatory. However, there is growing evidence that some companies, including banks, are already encouraging suppliers, such as law firms, to review their cyber-resilience. It is a process that requires ongoing monitoring and review, to ensure new threats and vulnerabilities are identified and addressed as quickly as possible.
While the focus should remain firmly on the steps that will help reduce the risk of a data breach, the commercial agreement with the supplier should also address the responsibility for cyber-security. This reinforces the importance placed on minimising such risks and reduces the likelihood of prolonged argument in the wake of a breach.
As part of this agreement, there should also be a clear understanding that suppliers and vendors have an obligation to notify the company when a breach may have occurred, and that sufficient access to information about the breach is provided promptly. This will allow a separate investigation to be carried out. If it is the customer's information that has been leaked or hacked, it is important to establish the scope as quickly as possible so that the breach can be addressed sooner, thereby limiting the damage caused.
The importance of suppliers taking appropriate measures to safeguard their own systems becomes even more significant when considering the threat of spear-phishing emails. Such emails are significantly more effective when harnessing information of relevance to the recipient. By accessing communications between a supplier and its customer, hackers may mimic the supply chain in phishing emails and use that to introduce additional vulnerabilities.
As organisations seek greater systems integration and connectivity at all levels of their operations, the potential cyber-security risks posed by external suppliers must be addressed. Without a clear commitment to assessing and managing such vulnerabilities, companies unwittingly lower their own cyber-defences to the level of the weakest link in the supply chain.
Contributed by Seth Berman, executive managing director and UK head of Stroz Friedberg, an investigations, intelligence and risk management company.