Managing third party cyber security risk, or “supply chain assurance”, is not a new topic; in fact we’ve discussed it before here. The concept of ensuring your suppliers will protect their IT systems and the data that you exchange with them is no longer unreasonable. As Forrester says in the key takeaways of its recent research “Third-Party Risk Management Requires Continuous Insight” – the quote from this post’s title.
Commercially enforceable undertakings to comply with common security policies/frameworks, maintenance of equivalent security postures and the submission to the requirement for cyber compliance audits across supply chain partners, are increasingly common.
The usual way of building trust across the supply chain is the definition of, or alignment to, a standard, coupled with a review process to assure that the controls it requires are in place and complied with. This can take a number of forms, even within a given organisation.
Self-assessment questionnaires are one approach. Asking suppliers to respond to a set of questions or attestations that can then be assessed (or used as risk assessment drivers based on the answers) for cyber security adequacy is prevalent. Sometimes the delivery and response to these questionnaires can be automated with the results tracked; and any exceptions red flagged for further assessment by security experts, if necessary.
This type of assessment provides a measure of risk, although self-assessment is increasingly seen as a less reliable measure of cyber posture than a more independent audit process. Whilst the limitations of self-assessment may not be the end of the world, the complications that follow when an assessment is subsequently shown to be inadequate, incorrect or over optimistic are less than ideal.
That is why many organisations are now seeking to undertake these assessments themselves or via third parties, to deliver a level of assurance only available from independently audited control measures such as SSAE 16 or ISO27001.
The challenge, however, is that these audits are expensive for both the customer and the supplier organisation; particularly where there is the need for multiple party audits across the supply chain. Another more fundamental problem is that these audits, by definition, are “point in time assessments”. Their measure of compliance to the agreed set of controls occurs at a particular point in time; and is therefore only truly valid at the time of the audit. The next day, even a small environmental change may render the audit obsolete. This type of security audit is not fit for purpose.
Even when the combination of questionnaires, standards and bespoke audits are more frequent (and more expensive), as a result of greater assessed risk, it’s far from a perfect process. Key corporate participants as well as new regulations, like GDPR, have a part to play in better supply chain cyber risk mitigation.
The recent news of data leaks from the automotive industry (via an insecure, third-party backup service) really does underline the importance of this topic – read about that here.
A recent Harvard Business Review article, highlighted the “crying need to enlist supply chain management departments” to help solve this cyber security challenge:
“….According to our research, over 60% of reported attacks on publicly traded U.S. firms in 2017 were launched through the IT systems of suppliers or other third parties such as contractors, up from less than one-quarter of attacks in 2010……”
Messrs Rogers and Choi cite the 2014 Target cyber breach as originating from a small air conditioning contractor’s IT system, where hackers penetrated the smaller company in order to access Target. The breach caused $162 million in damage.
They propose the following strategies be part of the procurement function:
These are all valuable strategies and agreeing industry standards or common frameworks across supply chains will standardise the audit process. It will also limit the cost of ongoing assessments and audits.
Any procurement driven approach, however, should be augmented with cyber security frameworks and expert oversight that validate the presence of key controls and data safeguards, irrespective of any contractual obligations.
For any organisation that trades with the EU or holds its citizens’ data there are some key changes in the way supply chain risk works. See this piece by the International Association of Privacy Professionals (IAPP).
The data controller (that is, the company with the direct relationship with the citizen) used to have sole responsibility/liability for the safeguards. In the past they were expected to enshrine these obligations in downstream/supplier/service provider contracts and validate/audit that they were up to scratch. The data processor didn’t have legislated responsibilities beyond this.
Under GDPR, however, either the controller or the processor (or both) could be held liable in the event of a breach. The processor takes on direct legal obligations under the regulation as well as a contractual risk. This may in part alleviate the controller of some third party/supply chain cyber security risk because it can now share the blame.
If the key premise is that robust policies, efficient supply chain management and a structured, risk-based audit and assessment regime will improve supply chain cyber security management; an obvious improvement would be to reduce the level of labour-intensive work by automatically delivering these outcomes continuously and in real-time.
A recent Forrester Research report on the measurement of third party cyber risk recommended the following:
“Protect your extended ecosystem with third-party cyber-risk scoring: Continually quantify the cyber risk of your third parties for actionable insights”
Essentially it espouses the view that any cyber security risk oversight process must be systematic and automated in order to deliver real-time risk visibility and to avoid a hugely onerous manual audit approach.
The problem they describe is three-fold:
They advocate an alternative approach where third-party or technology solutions are used to measure and score third party risk in a continuous and automated way that can reliably “monitor, measure, and quantify the cyber risk of your third parties” on an ongoing basis.
Automating the monitoring, interpreting and reporting of control compliance is a key element of reliable third party cyber audit; its measurement helps quantify cyber security posture and risk preparedness.
Simply providing metrics without timely interpretation and continuous reporting and visualisation doesn’t scale, nor does it provide a repeatable and “industrialised process”.
As a result, organisations are increasingly looking at ways to deploy technology to automatically measure their cyber posture and resilience (against key controls) in order to establish their security management capability and that of third party digital partners. Using new technologies, it is now possible to dynamically measure and report any change in security circumstances and as a result adjust security management levers accordingly. These light touch solutions deliver a continuous view of risk across any number of supplier networks and systems – looking at their security resilience through the measurement of patching, privilege management, backups, application security and so on.
This solution is unobtrusive for the supplier (the organisation being assessed) and is easily managed centrally by the customer (who is doing the assessing); and results in an objective, trustworthy, automatic and continuous cyber security posture report.
Research from the Australian Government’s national cyber security advisor, the Australian Signals Directorate (ASD), has shown that 85% of breaches could have been stopped or mitigated in any organisation (and as a result an attack averted) if just eight key risk mitigation controls were in place and operating effectively. The measurement of these cyber security controls provides clear visibility of the cyber posture of any organisation and importantly, they are universally applicable in protecting any organisation.
These so called “ASD Essential Eight” cyber risk mitigation controls provide a useful starting point from which to establish and monitor third-party risk assessment. After consultation with industry professionals, the same controls present in the native Huntsman Security ASD Essential Eight compliance tool also form the basis of the new Huntsman Security’s Security Scorecard solution, which delivers light-touch, automated, real-time measurement of cyber security risk management effectiveness across customer supply chains everywhere.
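The continuous-measurement argument above (a point-in-time audit is only valid on the day it is performed, so supplier posture should be re-measured automatically against the Essential Eight) can be made concrete. The following is an added illustration, not code from Huntsman Security or from any ASD tool: it scores each supplier’s eight controls at maturity levels 0 to 3, takes the weakest control as the overall level (the assumption used here, in line with the Essential Eight maturity model), and flags suppliers whose latest automated reading has slipped below what their last audit certified. Supplier names and measurements are constructed sample data.

```python
"""Continuous Essential Eight posture scoring for third parties (constructed example)."""

# The eight ASD/ACSC mitigation strategies; maturity levels run 0 (absent) to 3.
ESSENTIAL_EIGHT = (
    "application_control", "patch_applications", "configure_office_macros",
    "user_application_hardening", "restrict_admin_privileges",
    "patch_operating_systems", "multi_factor_authentication", "regular_backups",
)

def overall_maturity(levels: dict) -> int:
    """Assumed scoring rule: a supplier is at level N only if every one of the
    eight controls is at level N or better, so the overall level is the minimum."""
    missing = [c for c in ESSENTIAL_EIGHT if c not in levels]
    if missing:
        raise ValueError(f"no measurement for controls: {missing}")
    return min(levels[c] for c in ESSENTIAL_EIGHT)

def drift_report(audited: dict, current: dict) -> dict:
    """Compare the latest automated reading with the last point-in-time audit.
    Lists every control that regressed and whether the audited level still holds."""
    regressed = {c: (audited[c], current[c])
                 for c in ESSENTIAL_EIGHT if current[c] < audited[c]}
    audited_level, current_level = overall_maturity(audited), overall_maturity(current)
    return {
        "audited_level": audited_level,
        "current_level": current_level,
        "regressed_controls": regressed,
        "audit_still_valid": current_level >= audited_level,
    }

def flag_suppliers(audits: dict, latest: dict) -> list:
    """Return the suppliers (sorted) whose audited maturity level no longer holds."""
    return sorted(name for name in audits
                  if not drift_report(audits[name], latest[name])["audit_still_valid"])

# Constructed sample data: audit snapshots and the next automated measurement.
AUDIT = {
    "acme-backup": {c: 2 for c in ESSENTIAL_EIGHT},
    "beta-hvac": {c: 1 for c in ESSENTIAL_EIGHT},
}
# acme-backup missed an OS patch window after its audit; beta-hvac improved MFA.
LATEST = {
    "acme-backup": {**AUDIT["acme-backup"], "patch_operating_systems": 1},
    "beta-hvac": {**AUDIT["beta-hvac"], "multi_factor_authentication": 2},
}

if __name__ == "__main__":
    for name in flag_suppliers(AUDIT, LATEST):
        print(name, drift_report(AUDIT[name], LATEST[name]))
```

In a real deployment the `LATEST` dictionary would be refreshed from automated control telemetry on every collection cycle, so a regression surfaces the day it happens rather than at the next annual audit.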