Organisations are becoming increasingly aware of the potential business risks posed by Cyber Security. ‘Cyber Security and Information Assurance (IA)’ are key issues for every Board, (no matter the size of company), – however, are organisations really as prepared as they think they are? They may well have implemented excellent Cyber Security and IA measures within the company, but due to the interconnected nature of business, one needs to be mindful of vulnerabilities through third parties, partners and stakeholders. Every business, is only as strong as its weakest link and, in this instance, supply chains are increasingly becoming areas of concern.
In today’s market place, supply chains play a vital role in conducting business, however, they also pose numerous risks to maintaining the security of information which businesses rely on to function. Cyber Security and IA have had plenty of media spotlight, encouraging organisations to consider the potential implications to business, however, measures taken to ensure security are not necessarily instigated or maintained in relation to supply chains.
Information sharing procedures between businesses and their suppliers and contractors need to be organised, managed and monitored to ensure that information is accessed on a ‘need-to-know’ basis. Availability of information has the potential to put businesses at risk when accessed by those who may either have intent to use the information in a malicious manner, or simply do not understand security procedures and therefore bypass processes.
Eighteen months ago, the US superstore giant, Target was subject to the biggest data breach in the history of the retail industry. Target contracted a heating, ventilation and air conditioning company, Fazio Mechanical Services (FMS), to service its stores in the Pittsburgh area. Hackers who compromised FMS equipment were able to transfer malware using engineers’ computers connected to Targets internal networks during the routine service of their stores. Targeting payment systems, as many as 100 million customers, had their personal information copied, including credit card details, addresses and telephone numbers. Not only were Target liable for over $172 million in costs to replace 17.2 million credit cards, but they also suffered severe damage to their reputation, both the CEO and CIO leaving the organisation as a result.
This incident, despite its vast scale, is not an anomaly. Breaches through supply chains are frequenting the media on a more regular basis, as seen more recently with the Kmart payment card hack in October last year. With attacks growing in intensity, frequency and complexity, companies must be made aware of supply chain induced vulnerabilities. It is of critical importance for organisations to ensure the security of their business critical information including employee and customer information, processes and practices when acquiring third party suppliers. Key considerations include the following:
- Do suppliers possess the necessary clearances required to access the information needed for their job specific functions?
- Do third party business-related and systems-related IA systems meet the necessary security specifications applied to your business?
- Are suppliers aware of their roles and responsibilities in this area; is there clear governance within their business?
- Have their employees (and new starters), and key information specialists, received training in this area; and is this ongoing, tracked and tested?
- Are external parties accessing your business networks and information on a ‘need-to-know’ basis?
- Are suppliers’ networks penetration tested before outsourcing sensitive data?
- Are Cyber Security and IA checks included, as a matter of course, as part of the Procurement process? Have organisations put KPIs/SLAs inn place to monitor on going performance?
- Are key weaknesses identified and addressed across suppliers before engagement?
- Have policies been put into place regarding communication of security measures, Threats and vulnerabilities?
- Has a response action plan been established in case of an attack?
2017 will see the introduction of the new General Data Protection Regulation, further highlighting the importance of information made accessible to third parties, by putting severe non-compliance penalties into effect. A company experiencing a breach through its supply chain is liable for damages, despite not being the source of the vulnerability. It is time now, to take a proactive approach in managing and securing information, not only within your business, but that which is accessible to your supply chain – potentially your weakest link.