What’s The Risk?
Many companies have professional relationships with 3rd parties in their supply chain / value chain that involve granting them access to systems and sensitive data. This, combined with increasingly sophisticated hacking tools and strategies, increased oversight from regulators, and potentially ‘weak link’ companies in terms of cyber-security, now makes the risk of a supply chain attack very real.
Examples of high-visibility supply chain attacks where a 3rd party was implicated or blamed include the hack back in September of US credit rating company Equifax, when the details of 143 million customers were thought to have been stolen, including a possible 44 million from UK customers. Equifax was reported to have blamed the breach on a flaw in outside software it was using, and on a malicious download link on its website that pointed to another vendor.
Also, the much publicised, so-called ‘Paradise Papers’ leak of 13 million files, allegedly giving details of the offshore tax havens and tax avoidance schemes used by the rich and famous, and by governments and corporations, was blamed on offshore legal firm Appleby.
A Ponemon Institute survey has revealed that 56 % of organizations have had a breach that was actually caused by one of their vendors, and although the average number of 3rd parties with access to sensitive information at each organization has increased from 378 to 471, only 35 % of companies have a list of all the third parties they are sharing sensitive information with. An organisation that does not even know which 3rd parties it has data sharing arrangements with, let alone monitor or check the details of those relationships, is obviously in a risky position that could make detection of a breach very difficult.
Now An Eco-System
Rather than being single entities, even small companies / organisations are now digital ecosystems where many things are bought-in or outsourced e.g. hardware, software, and services such as cloud provider services (in place of their own data centres). This means that there are many more potentially weak links in the value / supply chain of a company from which breaches could come.
With GDPR coming in May 2018, for example, liability and responsibility will extend to all organisations that touch the personal data of the subject / subjects. This means that companies / organisations will need to take a close interest in all parts of the data storage and processing chain to ensure compliance all the way along, within the organisation, and in the choosing and management of 3rd party relationships.
Also, there will need to be privacy by design, and the software, systems and processes of companies must be designed around compliance with the principles of data protection. Companies and organisations will need to ensure that 3rd party companies e.g. cloud suppliers, are themselves compliant and are building in encryption.
Professional Services Companies A Risk
Many professional supply-side services companies have shown themselves to be vulnerable, and are often used by attackers as a route to their final goal e.g. the Verizon breach caused by Nice Systems (customer service analytics), and the Deloitte hack in September where hackers were able to access emails and confidential plans of some of its blue-chip clients.
What Does This Mean For Your Business?
Many security commentators now believe that a new approach is needed to manage 3rd party risk effectively across a company’s digital ecosystem. This means really understanding where risks lie within that system, tailoring controls according to those risks, and collaborating with 3rd parties to remediate and mitigate those risks.
Companies and organisations need to become good at managing 3rd party risk in order to reduce the likelihood of a breach. This could involve measures such as:
- Identification of every vendor, and which of them have access to sensitive data.
- Evaluation of the security and privacy policies of all suppliers.
- Introducing service level agreements with suppliers that show their commitment to security.
- Asking vendors to do self-assessments, allow customer visits and audits, or purchase cyber insurance (most likely to work for larger customers).
- Checking security score ratings for vendors e.g. through BitSight Technologies or SecurityScorecard.
- Looking at vendors’ internal policies and processes.