The meteoric rise of supply chain cyber attacks over the past five years shows that organisations must focus on tightening the security of their subcontractors, suppliers and partners. An article by Harvard Business Review (HBR) suggests, “Over 60% of reported attacks on publicly traded U.S. firms in 2017 were launched through the IT systems of suppliers or other third parties such as contractors, up from less than one-quarter of attacks in 2010.”
The primary issue is that supplier contracts don’t usually include definitive statements on the cyber security standards or controls the contractor should be accountable for meeting. As a result, you lose control of your data security as soon as third parties gain access to your infrastructure or data, posing a massive upstream threat: credentials stolen from a supplier give attackers access to your systems.
Even if the contracting organisation adds several high-level statements of intent to the contract, such as, “Acme Ltd. will ensure all <parent company’s> data remains confidential and protected from data breaches while in the care of Acme Ltd.”, it is hard to prove whether they are compliant.
Information security managers should work closely with their procurement teams to ensure contracts with third parties contain clauses that force attestation and can be tested through audits and reporting. If the contract says, “Acme Ltd. must be ISO 27001 (or similar) certified and provide annual audit reports of the security management system to <parent company> within two weeks of audit completion,” you now have a way to discuss security at contract reviews.
Statements of specific compliance against requirements might relate to their use of contemporary technical security controls, such as having an antivirus product on all desktops, laptops and servers, a Security Information and Event Management (SIEM) system for audit and monitoring, and a Security Operations Centre for alerting and incident response. You can then rest assured they take security seriously.
Cyber insurance has become popular over the past few years and modern cyber insurance products have matured enough to be worth evaluating. You should review your own cyber insurance policy to see if it covers breaches caused by suppliers, since insurers may not pay out if your data is breached on a third party’s system. The procurement team should also turn back to the contract and include a clause whereby suppliers have their own cyber insurance policy – the concept of liability is often covered in contracts, so ensure they are also liable for the protection of your data and will compensate you should a breach occur.
Request that suppliers allow your own SOC team to monitor their systems. This may not be tenable for a vendor, but if the subcontractor is embedded in your network, there is no reason why you cannot include this. Furthermore, you can say that every device connecting to your network must have your antivirus agent and monitoring agent installed on it. If you have some way of ensuring their systems are patched and protected with basic controls, this will also help keep your systems and data safe.
You can reduce the level of access partners and suppliers have to your systems to a minimum. They almost certainly don’t need the same level of permissions your internal users or administrators need, likely only requiring access to one fileserver, intranet site or database. Limit their permissions to accessing just that one system and ensure you audit every action they take.
Furthermore, you can request all suppliers use penetration testing and vulnerability assessments to expose security deficiencies in connections to your infrastructure. Suppliers should welcome an expert penetration testing company testing their systems and should be happy to include this as an integral part of offering their service. If not, consider other vendors that would welcome such testing.
If you use very small suppliers or product vendors, they may not be able to demonstrate enterprise levels of security resilience. Yet they may still have good security practices and technical controls, without necessarily even knowing how to put them in context of your contract. If they need assistance in understanding how to get started, have your security team meet them and seek pragmatic agreements of how they meet your objectives. Even if they are non-compliant today, if they are willing to put in the effort and go on a journey of security maturity with you, you can track their implementation and work with them on becoming more secure. This is a win-win for both organisations.
If ISO 27001 is too onerous for your suppliers, especially smaller ones, select a different minimum standard they should adopt, such as the Australian Signals Directorate’s Essential Eight or the UK NCSC’s 10 Steps to Cyber Security. The Essential Eight contains a set of basic security controls that are (mostly) easy to achieve. It represents a distillation of years of monitoring and analysing security breaches and covers the eight most useful controls an organisation can adopt. Controls include patching operating systems and patching applications, ensuring systems and data are backed up, having tighter control over Microsoft Office macro settings, application hardening (removing unnecessary features), restricting administrative privileges, and using multi-factor authentication.
The only Essential Eight control that may cause problems is “Application Whitelisting,” especially if the organisation isn’t running Microsoft operating systems, since it can be expensive and troublesome for companies using alternative systems, such as Apple or Linux based computers.
Supplier management and procurement teams need to be empowered to embed security in your sourcing agreements. There is no reason why suppliers shouldn’t be held to the same level of accountability that you are for protecting your systems and data. Any supplier that doesn’t agree cyber security is important should not be used to deliver services or products – if they refuse an audit then quite possibly they have something to hide.
Remember, it doesn’t matter how strong your window locks are and how fortified your door is, if the adjoining apartment is left unprotected and there is an internal swing door connecting to your living space, the burglars will still get into your apartment.