Cyber Security and the Board – Working with third party suppliers

Whilst recent events have overwhelmed us all, there remain underlying risks for organisations that don’t go away in these times. In the Bank of England’s Systemic Risk Survey for the last half of 2019, firms identified political and cyber risk as their top two concerns; nobody was thinking about global pandemics then. Businesses are now under acute stress and it is against this backdrop that we urge firms to remain vigilant about their arrangements with third party suppliers.

In these times of stress, businesses may be targeted via their third-party supply chain and any breach of your supply chain is potentially a breach of your own business! So, what can we do about it? The 2019 eSentire survey found that 44% of all the firms they surveyed had experienced a significant data breach caused by one of their third-party vendors. We have seen a string of announcements about major breaches being blamed on company’s supply chains, including one at an overseas Bank who notified customers about a data breach which put their sensitive account details at risk. The Bank have admitted that the breach occurred via its Customer Relationship Management Platform operated by a third-party hosting firm. The breach put customers’ names, addresses, contact details, customer-number, age, account number and even account balances at risk!

Like many business processes, the whole outsourcing landscape has changed dramatically over the last decade. In the past, most companies relied on a small number of IT providers that were often selected based upon well established relationships. However, the growth of ‘Software as a Service’ (SaaS) has led to a proliferation of different providers, many of whom are very small and specialist in nature. These can often be signed up via a simple online process with a quick credit card payment. There is however a downside of this new found agility; we know from our experience that many internal business units are now signing up to SaaS providers without going through the company’s formal onboarding process. We have also seen that over time many internal IT departments now lack a lot of the specialist technical skills needed to understand all of the new IT applications being used across the business and instead have become reliant on the provider’s own technical expertise. Unfortunately, as these companies can be very small, they often lack the resources to employ dedicated security specialists.

As a result of this change, we know that many companies’ methods for assessing third-party supply chain risk have not kept pace with this rate of change. They are therefore not able to capture the entire risk, but instead look at in silos and as separate isolated risks. We know that security does not operate best in this divided fashion.

Many still use very manual processes for capturing and for assessing this data that rely on old style questionnaires completed by the suppliers themselves. What other area of security relies so heavily on the third party’s honesty in identifying their own security issues to potential buyers?

These methodologies can produce a list of different security problems but rarely provide any context to these issues or help prioritise the issues based upon the actual risk. Not all vulnerabilities are equal and it’s vital to be able to contextualise security threats, in a way that shows the actual risk for you and your business; after all what are your potential vulnerabilities and who is it who might want to exploit them to access your data?

If we couple this fundamental change in how we now think about third-party risks with the recent changes to regulatory responsibilities for Senior Executives, we can see just how important it is that Boards get to grip with this issue. The SM&CR is clear; Executives are accountable for managing these business risks with increasing personal responsibility. It’s hard to see the logic of those executives who know they have this personal liability and still try and manage complex risks like this without accurate information and without the effective processes they need to map the risk. It’s clear the time is right for a genuine change to how we all manage our third-party partners and the specific risks they pose.

A large Japanese electronics firm suffered a data breach after launching a forensic investigation of suspicious activity on their network. They have admitted they were hacked by a Chinese hacker group who had first gained access to a subsidiary company’s network in China. They had then used this breach to get into the firm’s systems.

With these issues in mind one of the most important things a business must identify is what we term as the ‘Crown Jewels’ – the most critical assets, providers, parts of the operation and relationships that must be preserved. What data, services or systems are so crucial to the business that a breach would be catastrophic. It then makes sense to protect these behind the greatest layers of defence and that goes for third parties as well. Remember not all vulnerabilities are created equal, it’s vital to understand and identify the actual risk and plan accordingly. It’s impossible to do this effectively if we don’t understand what’s most important to us as a business. Already this year the US government have had to announce that 750,000 birth certificate applications for US citizens were leaked through one of their third-party providers. The records containing sensitive personal data were discovered on an AWS cloud platform with no protection at all.

Where possible, assess your vendors for this risk before you enter a formal relationship. We know this sounds like common sense, but we have seen plenty of instances where the business has committed to the relationship, sometimes even beginning to share critical data before even considering the security implications. It’s also important to develop a standardised framework to help manage the assessment process, making sure you compare “apples to apples” when looking at which products or services they are supplying and then assessing the bespoke risks for your business.

Where this framework identifies higher risk relationships, consider adopting more intrusive tests and even the continuous monitoring of some of their security controls. There are several technological products on the market at this time that can support businesses in undertaking this continuous process. We realise this is an additional expense, both in terms of money and time, but the proposal here is to take a well-evidenced risk-based approach, implementing a sliding scale of controls depending on the scale of the risk posed.

Using these measures, a business can adopt an approach whereby they incorporate appropriate risk management clauses into vendor contracts. One suggestion is insisting that vendors maintain a certain security rating or risk losing the contract. Another suggestion would be that they introduce specific new controls within specified time periods to mitigate certain identified risks. Additionally, an important consideration is clearly defining how a third-party uses and shares your data with their own third-party supply chain.

Operationally, you should ensure that you and your teams have:

1. Mapped the business end-to-end and that it is up-to-date
2. Identified the key enabling layers such as technology, architecture, third parties and key suppliers
3. Identified the key metrics that are used to measure levels of performance and identify key impact tolerances and trigger alerts or escalation processes
4. Validated the key impact metrics through modelling ‘severe but plausible’ test scenarios
5. Reviewed the frequency and rigour of testing

We see real benefit for those companies we work with who take a particularly collaborative approach with their vendors. Treat them as your partners, share threat intelligence that they may not be privy to and generally work closely to support them in protecting your data.