Securing the supply chain: Why people are the key to managing risk
Securing the supply chain: Why people are the key to managing risk
Whether you're a technology start-up, a global retailer or a local council, the physical supply chain is one of the most mission critical parts of your organisation. It's also one of your biggest potential cyber-risks: some estimates claim that around 80 percent of data breaches begin in the supply chain. The problem is exacerbated by the fact that many IT managers try to manage that risk by investing large sums in eye-catching technology. 

The truth is that while there's certainly a need for effective tech solutions to shore up supply chain risk, the real value lies in focusing on your staff. With just a few months until the EU General Data Protection Regulation (GDPR) lands, time's running out for organisations to get this right.

A complex web

Modern supply chains are essential to any modern business, yet they add huge amounts of complexity and risk. As digital technologies and processes have evolved, the supply chain has grown, globalised and integrated with host organisations in a way never before thought possible. Many suppliers now have privileged access to the corporate network, for example, yet may not have as keen a focus on following cyber-security best practice as their partner organisations. That's made them a prime target for attackers.

Several big-name breaches can be traced back to security compromises at suppliers that provide ancillary services to a company. At US retailer Target, it was the network credentials used by a HVAC vendor and service provider that were stolen in a breach affecting upwards of 60 million customers. At the US Office of Personnel Management (OPM) it was a background check partner that was first attacked and their network credentials stolen, leading to the theft of 22 million federal records. 

Another increasingly common supply chain attack tactic involves compromising software at the source while under development, or modifying a product after production so that once distributed it can be used to help infiltrate a target organisation known to use that software. This is what happened in the infamous “NotPetya” ransomware attacks of June this year, when a popular Ukrainian accounting software provider was hacked, which led to its software and system being maliciously misused to spread malware to its unsuspecting customers.  The same strain of malware resulted in ransomware-related service outages that cost FedEx business TNT and Danish shipping giant Maersk each at least £225 million.  While those directly affected by NotPetya have reported damages to date exceeding £750 million, the cascading, downstream impacts to others in their chain prove to be much more difficult to track.

Supply chain attacks also happen on a much smaller scale. Closer to home, UK high street retailer Debenhams was this year forced to inform tens of thousands of customers about a data breach after an attack on Ecomnova, the firm contracted to run the Debenhams Flowers site.  This marks yet another example of how interwoven and interdependent companies and their digital systems have become.

Counting the cost

Data breaches already cost global firms each over £2.7 million on average, and that's without considering the maximum fines of £17 million  or four percent of global annual turnover (whichever is higher), set to land with the GDPR in May 2018. Aside from these headline financial costs, major security incidents can also impact consumer confidence and destroy an organisation's reputation. In some cases, they can even put human lives and critical equipment and systems we rely upon at risk — all things which are much harder to repair or replace.

It doesn't end there either: the complex web of interdependencies that form modern global supply chains can also amplify the effect of an outage or breach, as customers and partners of Maersk and TNT found out in June.

Organisations must therefore begin efforts to secure the supply chain by first understanding their own position in it, and that of the multitude of “supply chains within supply chains” that may exist around them. While each vendor relationship carries risk and must be tightly managed, IT bosses must also recognise that some aspects of partnerships may be out of direct reach.

The strongest link

Unfortunately, there is no silver bullet when it comes to mitigating supply chain risk, although some modern frameworks and standards like PCI DSS help to acknowledge and address this area and can be incorporated into policy. Best practice demands that IT bosses create and follow need to be as detailed as possible when drawing up risk mitigation strategies, removing single points of failure and developing effective incident response plans in the event of a worst case scenario. Collaboration and co-operation should be the name of the game, with the emphasis on improving security for the benefit of both parties rather than merely enforcing compliance in a rigid top-down manner.

While technologies like multi-factor authentication, and implementing continuous monitoring, patch management, code reviews and many more controls can certainly help, the biggest ROI can be generated by educating staff. Building stronger awareness among your employees and those of supplier organisations will turn the organisation's weakest link into a strong first line of defence, helping them to spot the phishing emails, unusual behaviours and physical and digital weaknesses which are so often the start of cyber-attacks today. It will also help to create a culture in which safety, security and data protection always come first, reducing the chances of insider error which is still the number one cause of incidents reported to the ICO.

Many employees in both large and small supplier companies may engage in high-risk behaviour simply because they can't see why any hacker would want to attack them. Others operate believing there is safety in numbers, presuming their particular likelihood of being picked on is low to zero.  This must change. It's all about teaching users to be vigilant, more alert online and aware of the repercussions of their actions.  Companies and their people also need to recognise the inherent value that comes when security-informed decisions are made. Ultimately, supply chain attacks can have a huge negative impact, not just on the ultimate target but on all the companies it interacts with, up and down stream. That's what makes it so important to get cyber-security in these environments right today, and to be prepared to evolve as risks and threats evolve in the future.

Contributed by Doug Wylie, director of industrials and infrastructure practice, SANS Institute

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.