Many businesses are now reliant on third parties in order to function and to provide their goods or services. These third parties are likely to form a supply chain providing such capabilities as IT services, HR outsourcing and hosting services.
The calibre of these services can vary greatly, whether the supplier is a large conglomerate or a small local business. Each supplier will have its own cyber security processes and procedures that should be embedded within the business... but in practice is this the case, and what is the impact on a business if a supplier suffers a cyber security breach?
With reliance now placed on a supply chain, it is important that due diligence is carried out to ensure that this resilience is in place.
What sort of processes can be carried out in order to provide some assurance?
- Regular cyber security audits of third party vendors
- Prioritization of vendors for critical services
- Review of data monitoring standards of third parties
- Ensure the business's own security procedures remain at a high standard, enforcing regular patching and installation of the latest firewalls
- Management of privileges granted to parties outside of the business
- Robust procurement processes for new vendors
- Management of contractual liability with the vendor in the event of a possible data breach
- Due diligence of cloud service providers
- Insurance checklist for professional indemnity and/or cyber insurance held by the vendor
- Review of interconnected devices to manage Internet of Things (IoT) exposures
The supply chain of a business can be its weakest link, and managing it should be given the same level of attention as the internal cyber risks that exist.
The National Cyber Security Centre publishes a list of some of the risks that businesses should look out for:
The consequences of a third party suffering a compromise of its computer systems could include the following:
- Reputational damage
- Regulatory actions and fines
- Loss of customers
- Costs incurred by the business to rectify loss of data or damage to computer systems
There have been a number of high profile data breaches where losses have emanated from the supply chain:
In December 2003 hackers gained access to the heating and ventilation system of the retailer Target. Using network credentials stolen from a mechanical services engineer, the hackers were then able to gain access to customers' credit and debit card data. The cost of the breach is thought to be close to $300M, with 100 million individuals affected and the CIO of Target resigning soon after the breach.
This was a malicious computer worm that targeted the automated processes used to control machinery on factory assembly lines and systems within the nuclear industry.
It was introduced into a supply network via an infected USB flash drive by individuals who had access to the system. The worm was then able to move across the network, scanning for the software that controls machinery and influencing the commands that were given.
Last year NotPetya was malicious code aimed at software supply chains. Its targets were outdated and unpatched Windows systems, exploited via the EternalBlue vulnerability, and it hit many global businesses such as WPP, DLA Piper and Maersk.
The hackers initially breached a financial services company by the name of MeDoc, a third party software service widely used by governments. Once access had been obtained they were able to install malware in its software, which was then distributed to end users when the latest update was downloaded.
A report earlier this year by Symantec found that there had been a 200% increase over the last 12 months in hackers injecting malware implants into the supply chain to gain access to organizations' computer systems.
Perhaps one of the keys to ensuring that a supply chain is secure is to require suppliers to have in place cyber security procedures and practices as robust as the business's own, in order to manage the evolving cyber risk landscape.