Supply chain risk is an area of cyber security that demands the ongoing attention of every enterprise, because it can make the difference between being resilient and not. It is no surprise that insurers warn that the vulnerability of supply chains is potentially a systemic risk, one that can propagate quickly across industries dominated by supply chains. Organisations must consider their suppliers and the cyber security risks those suppliers pose. The UK’s Cyber Essentials scheme and the Australian Essential Eight framework both aim to raise the basic level of cyber hygiene across supply chains. For organisations that are heavily dependent on 3rd party suppliers, logistics firms or retailers for example, the risk of a debilitating external cyber security threat being introduced into their operations through a supplier is an active problem.
As well as direct suppliers, it’s also important to consider the risks that the suppliers to those direct suppliers might bring. The Australian Cyber Security Centre (ACSC) suggests that systematic cyber supply chain risk management should comprise:
Intermediation in the finance sector and elsewhere has driven greater efficiency and reduced transaction costs, but with it has come greater 3rd party risk for supply chain participants. This has not been lost on regulators, who increasingly mandate that institutions factor 3rd party risk into their wider operational resilience.
In commerce, organisations increasingly share data and so depend on one another for the secure carriage and care of that information. It is close to an axiom of cyber security that digitalisation for greater business efficiency and improved performance brings with it a greater reliance on trust between all parties. For that trust to be well founded, there must be a verification process.
The challenge in understanding and assessing 3rd party security risk is, first, to understand the range and reliability of the methods available. The difference between asking for attestation via a questionnaire, running an assurance process, and conducting a systematic evidence-based audit, whether automated or manual, may not be clear to those outside the security realm. Security assessments can all sound the same although, as we have discussed in earlier blogs, the information produced by a systematic quantitative assessment, complete with supporting artefacts, is far more trustworthy and reliable than that from a subjective questionnaire.
We’ve discussed supply chain risk previously, in past blogs here and here, and in an e-guide for directors. In fact, a whole new consulting industry now exists to assess the cyber security resilience of suppliers. What matters most, though, is the ability of those responsible for an organisation’s resilience to discern the accuracy and reliability of the security information they receive from 3rd party suppliers.
The investigation process needs to be similarly rigorous and apply the same principles as the risk assessment of your own enterprise. What are the key shared assets at risk? Are adequate mitigation strategies in place, or do those assets need better protection? Because the threat environment and the contracted services can both change, these questions should recur in every assessment cycle. The diligence with which you manage the ongoing effectiveness of your own cyber controls should be replicated in your efforts to ensure your supply chain providers are equally committed.
Recognising the importance of supply chain cyber security, the UK’s National Cyber Security Centre (NCSC) recently published a guide on “Mapping your Supply Chain”. This is in addition to their previous guidance on how to manage and assess security in your supply chain which can be found here. Both documents reinforce the importance of effectively managing and securing your supply chain; and highlight the fact that without it, your defences are only as good as your weakest control.
The NCSC guidance describes a systematic methodology:
“Supply chain mapping (SCM) is the process of recording, storing and using information gathered from suppliers who are involved in a company’s supply chain”.
Suppliers may be the providers of inputs to products produced by the company or they might be the indirect services consumed by the company in their operations. Either way, the mapping process must start with information gathering about the IT assets that are shared, the priority of any information and the security controls in place to protect it.
This information may be available, in part, from existing supplier databases, contact lists or past procurement contracts. Reconciling this information is a good first step, before updating and extending it to include new information from known suppliers, priority next-level suppliers and those for which information is as yet unavailable. Knowing what information is shared or accessed and by whom, how data is transmitted and stored and what security arrangements exist are important details for your supply chain mapping activities.
Maintaining this sort of information on suppliers is the cornerstone of your ongoing monitoring and oversight. Your access to it, and to regular updates, should be enshrined in the contract with each and every key 3rd party supplier. Record the dates of audits, the validity period of assessment results and any security questionnaires that have been completed. Even the commercial and technical points of contact to call in a time of crisis are worth recording.
Having built a map of existing suppliers, consolidating the available information and completing the missing pieces, you should move to a more systematic and reliable approach to supply chain management.
Putting in place regular touch points and reviews of security controls (audits, remote assessments or otherwise), and working with suppliers to manage risks, both technical risks and input dependencies, can then follow; all of this is part of a successful supply chain management effort. It frames your activities and speeds the diagnosis of emerging risks and the mitigation they require. Defining incident management processes, modelling scenarios and agreeing notification timeframes and response plans are all part of this. Most of all, these risk management processes depend on your having a view, from the outset, of your suppliers and the risks they present to your business activities.
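As an added illustration, not part of the NCSC guidance or of any Huntsman product, the following Python sketch shows how the supplier information described above can be held in a simple map and re-checked on every review cycle: which tier each supplier sits at, whether assurance evidence exists and is still within its validity period, whether self-attestation is the only evidence behind a high-sensitivity shared asset, whether a security contact is on record, and which next-level suppliers are referenced but not yet mapped. The supplier names, shared assets, dates, validity periods and contacts are constructed sample data.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assurance methods ranked by evidential weight: a self-assessed questionnaire
# carries less weight than a remote assessment or an evidence-based audit.
ASSURANCE_RANK = {"none": 0, "questionnaire": 1, "remote_assessment": 2, "audit": 3}
SENSITIVITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Date of the review run in the constructed sample below.
REVIEW_DATE = date(2024, 6, 1)


@dataclass
class Supplier:
    name: str
    shared_assets: dict = field(default_factory=dict)  # asset -> sensitivity
    upstream: list = field(default_factory=list)       # the supplier's own suppliers
    assurance: str = "none"          # strongest evidence held for this supplier
    assessed_on: date | None = None  # date that evidence was produced
    valid_days: int = 365            # how long the evidence is treated as current
    security_contact: str | None = None


def reconcile(smap: dict, procurement_names: list) -> list:
    """Step one of mapping: suppliers known to procurement but absent from the
    security register get a placeholder record so the gap is tracked, not lost."""
    added = [n for n in procurement_names if n not in smap]
    for n in added:
        smap[n] = Supplier(n)
    return added


def tier_map(smap: dict, direct: list) -> dict:
    """Breadth-first walk from the organisation's direct suppliers (tier 1)
    through each supplier's declared upstream suppliers. Names that are
    referenced but have no record still receive a tier, so gaps stay visible."""
    tiers = {name: 1 for name in direct}
    queue = deque(direct)
    while queue:
        name = queue.popleft()
        for up in smap.get(name, Supplier(name)).upstream:
            if up not in tiers:
                tiers[up] = tiers[name] + 1
                queue.append(up)
    return tiers


def review_findings(smap: dict, direct: list, today: date) -> list:
    """Checks a recurring review should repeat for every mapped supplier.
    Returns (supplier, finding_code) pairs, ordered by supplier name."""
    findings = []
    for name in sorted(tier_map(smap, direct)):
        s = smap.get(name)
        if s is None:
            findings.append((name, "unmapped_upstream_supplier"))
            continue
        if s.assessed_on is None or s.assurance == "none":
            findings.append((name, "no_assessment_evidence"))
        elif today > s.assessed_on + timedelta(days=s.valid_days):
            findings.append((name, "assessment_expired"))
        # High-sensitivity shared data should rest on more than self-attestation.
        handles_high = any(SENSITIVITY_RANK[v] >= 2 for v in s.shared_assets.values())
        if handles_high and ASSURANCE_RANK[s.assurance] < ASSURANCE_RANK["remote_assessment"]:
            findings.append((name, "high_sensitivity_asset_weak_assurance"))
        if s.security_contact is None:
            findings.append((name, "no_security_contact"))
    return findings


def sample_map() -> tuple:
    """Constructed sample: two direct suppliers, one mapped next-level supplier
    and one next-level supplier that is referenced but has no record yet."""
    suppliers = [
        Supplier("Acme Logistics",
                 shared_assets={"shipment manifests": "medium", "customer addresses": "high"},
                 upstream=["FleetTrack SaaS"], assurance="questionnaire",
                 assessed_on=date(2023, 9, 1), security_contact="soc@acme.example"),
        Supplier("PayGate",
                 shared_assets={"card tokens": "high"}, upstream=["CloudHost"],
                 assurance="audit", assessed_on=date(2023, 3, 1),
                 security_contact="security@paygate.example"),
        Supplier("FleetTrack SaaS"),  # tier 2: known by name, no evidence gathered yet
    ]
    smap = {s.name: s for s in suppliers}
    direct = ["Acme Logistics", "PayGate"]
    return smap, direct


if __name__ == "__main__":
    smap, direct = sample_map()
    for name, tier in sorted(tier_map(smap, direct).items(), key=lambda t: t[1]):
        print(f"tier {tier}: {name}")
    for supplier, code in review_findings(smap, direct, REVIEW_DATE):
        print(f"{supplier}: {code}")
```

The point of the checks is that a questionnaire answered last year is not the same evidence as a current audit, and that a next-level supplier you know only by name is itself a finding. In a real register the sensitivity labels, validity periods and the minimum acceptable assurance level per sensitivity would come from your own policy and contracts.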
The steps to map a supply chain are not particularly onerous, but they can be complicated by the number of suppliers, the different risks and dependencies they present and the inevitable information gaps. For that reason, mapping your supply chain needs to be a systematic and reliable process. As you can imagine, ad hoc questionnaires mailed out to suppliers by the purchasing department, seeking self-assessments of their cyber security resilience, fall well short of the rigour required in operational resilience planning.
Clearly the information you hold on the security of your supply chain needs to be protected, as carefully as the security information you retain about your own resilience. The NCSC guidance specifically notes the interdependencies and sensitivity of this information, which in the wrong hands could be used to incapacitate significant elements of your supply chain.
Finally, as with your internal cyber security management efforts, these systematic practices can be supported with reliable and evidence-based 3rd party risk assessment and actionable reporting; with separate Huntsman SmartCheck reports, for example, quickly providing visibility of the key IT assets for each supplier and the state of the security controls that protect them.