I, like you, was overjoyed seeing the release and approval of the Pfizer/BioNTech COVID-19 vaccine, and it is a real credit to what we can achieve when working together. However, being a Cyber security consultant, I’m also aware that the same data is a precious commodity, especially for Pfizer & BioNTech. When I then saw this same data was maliciously obtained, not through either Pfizer or BioNTech, but through The European Medicines Agency, whom were reviewing the vaccine for use in the EU, it for me summed up the quintessential challenges of Supply Chain security.
Now whilst I could reel off statistics as to how attacks have risen during this last year, this blog isn’t going to take your normal scaremongering approach. Instead it’s going to look at the pragmatic challenges we face when taking the scrutinising lens of cyber security and pointing it at suppliers.
Locus of Control
The first challenge is this, as a CISO/DPO/Security stakeholder in your own organisation, you have close to complete control over security functions every day, and so its highly possible that you may well be the strongest part of your supply chain. When dealing with suppliers, this control is lost, and depending on the volume of business your organisation represents to that supplier, the control you have on cyber security practices is minimal.
Your Supplier’s Tinder Profile
Additionally, I talk a lot to organisations about being wary of what I call the ‘supplier tinder profile’ for cyber security. By this I mean that often appropriate due diligence conducted either prior or during a supplier engagement, we’ll ask some seemingly strong questions and obtain evidence for certification like ISO27001, Cyber Essentials Plus and more.
Whilst all good certifications, do demonstrate some level of maturity, often these processes are positioned in a way to get the best possible scenario from your suppliers, as opposed to a true representation of day to day operations. Being frank this image is difficult to obtain in absolute clarity, and by nature the more accurate a representation, the more time investment is required from your side.
Supplier Compromise – Russian Nesting Dolls
For a timely, real world insight as to how this scenario plays out, you need look no further than Solarwinds Orion platform compromise, dubbed SUNBURST. Whilst details about the complexity and skill involved in this incident are rife, in comparison there is very few details around the supplier that compromised Solarwinds. For anyone who doesn’t know this incident is believed to have originated from a supplier, which then compromised Solarwinds by proxy.
We often refer to supplier relationships as a chain, being that we’re all links in one wider business chain. Whilst economically this is completely accurate, under the lens of cyber I prefer to envisage it as Russian nesting dolls. Ultimately, your organisation is seen from the exterior as one business, regardless of the number of suppliers you use. If one of those suppliers becomes compromised, that can quickly escalate to your business being compromised. Case and point, this breach is known as the ‘Solarwinds Breach’ not the ‘Supplier of Solarwinds Breach’.
Additionally, like Russian nesting dolls, your supplier relationships are not 1:1. The supplier of your supplier (and therein) Can still indirectly lead you to a compromise. I’ve demonstrated this in the graphic below:
The important thing to remember here, is just like Russian nesting dolls, all that’s visible from outside looking in is your business. Ultimately, to customers, the media and beyond, you are a sum of the supply chain you operate within. Whilst I could write a whole other blog around whether this is fair and representative, I think now is the time I should offer you some solutions. Crucially I’ve detailed below some quick wins, as well as some longer term steps:
Quick Win #1 – Ensure Breach Notification is part of the supplier contract
This is one of the big assumptions I see organisations caught out on during an incident, as legally speaking, unless certain GDPR circumstances or contractual obligations are required, Suppliers are not bound to report breaches to you by standard. This is not to say some won’t, but having breach notification as part of your contract, including an SLA reporting time and regular contact frequency, will enable you to get early indication of any supplier compromises, and be able to respond appropriately
Quick Win #2 – Include Supplier compromises in your incident response plans & scenarios
If you don’t have an incident response plan, or currently do training scenarios – you absolutely should be. Including supplier compromise in your routine exercises prepares you for what is a fundamentally different incident to respond to. Whereas internally you know your systems, your processes and your suppliers, in a supplier compromise incident you’re wholly at the mercy of the information that supplier can: A) obtain and B) will provide you. Some suppliers prefer to adopt a “don’t worry, we’ve fixed it now” approach to breach notification, which can lead to later notification, whilst others might tell you earlier but with very little detail.
Quick Win #3 - Assess, Assess, Assess
I may be stretching the definition of ‘Quick’ a tad here, but the other mistake I often see is due diligence becoming a one time thing. Particularly for long term suppliers, having a 5 year out of date completed due diligence form is of little help considering the pace of the technology market. This last year alone has brought unprecedented volatility to all areas of business, and no doubt due diligence around business continuity and service provision may well be out of date.
Whilst increasing the frequency of due diligence is a good step, another is to vary the content of that diligence, use both information requests and external assessments/testing, to validate these suppliers. Whilst some suppliers may ask you to front the cost of these assessments, this still becomes a crucial insight into the strengths, and weaknesses of your supplier. And knowledge, when it comes to security, is king.
All well and good, but I’ve got a business to run.
Fair point, its easy for me to harp on about all the things you could do with the imaginary extra 5 hours of your day you don’t have, but keeping things moving at the moment is a harder challenge than ever before. So you quite rightly might be sat here thinking along the lines of the above section title. Well for anyone feeling like that, Softcat have a service for you!
Softcat’s Third Party Risk Assessment Service monitors the security posture of your most important suppliers to enable real time visibility of the security of your supply chain. We’ll work with you to understand the particular suppliers of interest, how and why they are important to you, and populate your custom portal with analysis around those organisations. Throughout the service, expert security consultants will be on hand to help you digest the data, into tangible information you can understand.
Additionally, our governance risk and compliance service can work with you to define a varied supplier due diligence process that is manageable for your team, as well as representative of your number of suppliers.
Have recent events pushed this risk higher up your agenda? If you’d like a deeper discussion please do get in touch.