Supply chain risk is fast becoming a prominent theme in cybersecurity. As the cliché goes, a chain is only as strong as its weakest link. That goes double when networked IT systems and shared data are involved.
According to the Ponemon Institute, breaches resulting from third-party security lapses are on the rise. Last year, 61% of organisations in the US said one of their vendors or partners had caused a breach. Almost 75% said they believed such incidents were likely to happen again.
Growing supply chain complexity must be to blame. Companies in the survey said they shared confidential and sensitive information with as many as 583 third parties, on average.
Another survey by the Center for Financial Professionals shows that pretty much all (97%) financial services companies treat third-party risk as a major cyber concern. Eighty per cent said they had already terminated or reduced a business relationship over security concerns.
Their worries are well-founded.
In June cybercriminals hacked the US Customs and Border Protection (CBP) agency through a sub-contractor, which held photos taken of travellers and their cars as they moved across border crossings on its own IT systems.
It isn’t clear why the unnamed company had the data on its systems, but the CBP says it believes they “…violated mandatory security and privacy protocols outlined in their contract.”
Also in June: a billing provider for the US healthcare sector exposed the personal and financial information of over 20 million people – and possibly more.
The company, American Medical Collection Agency (AMCA), said the data belongs to Americans who paid for private-sector tests at clinical and blood testing laboratories across the US, using AMCA’s billing portal.
AMCA’s laboratory partners have had to notify patients that their personal data is now out there in the wild.
And again in June: police forces across the UK were forced to cease all work with the country’s largest private forensics provider, after a ransomware attack destroyed or locked essential case data held on the company’s systems.
Exact details and the extent of the damage to files and data haven’t been revealed, but the company, Eurofins, processes more than 70,000 cases each year, including murder and terrorism offences.
It carries out DNA analysis, ballistics, toxicology, and computer forensics. Police across the country have suspended all work with the company as a result; Eurofins is believed to account for more than half of all outsourced casework.
No more taking the blame for partners
While there may have been a time when organisations would take on some of the responsibility for cyber across their supply chains, tolerance for breaches is fading rapidly.
Businesses are now being held to account by regulators and customers for the actions, or negligent inaction, of suppliers.
Study after study tells us that customers will abandon a brand after a significant breach. Consumers now judge companies on how reliably they protect personal data.
It doesn’t matter if the breach happens on a supplier’s systems. The brand that contracts the supplier and gives it access to customer data gets the blame.
Retail and finance organisations can suffer a lingering sales drop after a breach, with a third of consumers saying they will take their business elsewhere.
Privacy protection has become a significant focus for regulators.
In addition to GDPR, all US Federal Government contractors and sub-contractors now have to comply with a directive to keep personal data from falling into the wrong hands.
Information is power
Knowledge and awareness are crucial to protecting against cyber incidents and mitigating the damage when they occur. Many businesses are already conducting audits of their supply chains and tracking how vendors access and use shared data.
To better prepare for the possibility of a supply chain breach, the vital actions for identifying vulnerabilities include:
- Audit your existing supply chain. Prioritise vendors in order of importance or commercial significance (e.g. strategic partners versus occasional suppliers) and the level of integration between their systems and yours.
- Create minimum cyber risk standards – including training requirements – and build them into contracts. While you might want to negotiate these to some degree with your most important vendors, lower-tier vendors should be required to comply.
- Don’t forget the supplier’s suppliers. Your vendors will have supply chains of their own. When vetting first-tier vendors, it is essential to audit their respective supply chains for any potential issues.
- Audit, measure, audit again, repeat. The cyber threat landscape changes every month. It’s crucial that you monitor exposures over time and can update cybersecurity criteria as part of vendor contracts.
- Create a culture of cyber risk awareness across your supply chain. Establishing clear policies and procedures for vendors is step one. Training your employees, and critical vendor employees, will help keep cybersecurity on top of everyone’s minds. Security awareness training programmes should be part of any organisation’s induction for new joiners and elements of the programme can be replicated to business partners to ensure that their cybersecurity objectives are aligned with your own.
Strengthen security at every link
Whether it’s your organisation or one you contract out to, every contractor and subcontractor working with customer or proprietary data needs to take ownership of cybersecurity, and protect the sensitive information it stores, receives, or transmits.
Systems need the latest technological defences, but as we see again and again, it’s not a matter of if a system will be breached – it’s a matter of when.
Organisations can supplement their cyber investments by empowering their own people: placing employees on the lookout for cyber attacks and the signs that a hacker is trying to breach corporate networks or personal devices.
Treating cyber risk as a daily management challenge and enlisting those at the front line to help is one of the most effective ways to stay secure.
Want to know more about security awareness training? Why not sign up for a free demo and find out how we’re already helping government and public sector organisations dramatically improve employee security awareness across their supply chains.