
Managing third party suppliers

January 28th, 2023 Posted in Information Security

2024 Update

Unless you purposely avoid the news, you have more than likely seen headlines about large-scale cyber attacks on global companies. You may have heard of the SolarWinds breach: attackers compromised SolarWinds' software build process, shipped a trojanised update of its Orion product to customers, and then used that foothold to reach customer systems. More recently, IT management software firm Kaseya suffered something similar, when attackers exploited its VSA remote-management product to push ransomware to the customers of the managed service providers that used it. The businesses impacted were as diverse as the geographical reach of the attack, and the resulting downtime will have repercussions for customer relationships and trust. Both incidents are what is known as supply chain cyber-attacks: a growing form of attack that is as lucrative as it is damaging.

Gartner has identified digital supply chain risk as a leading security trend and predicts that, by 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains.

Reasons for weak supply chain management

It's impossible to do business nowadays without relying on a wide range of third parties for myriad services, and the supply chain is an obvious weak link for attackers looking to reach companies with valuable data sitting further up the chain. When interviewed, UK companies cited similar reasons to explain why managing supplier risk is a real challenge:

  • Lack of awareness
  • Lack of capability & resource
  • Lack of perceived responsibility for suppliers’ own actions
  • Not knowing what questions to ask

The UK government report states that it is still relatively uncommon for organisations to systematically consider cyber risks in their supply chain. Lack of resources and lack of awareness were the two major themes that came out of the interviews. It's easy to assume that lack of resources is a problem only for smaller companies; however, it is just as relevant for large organisations, which will likely have a far greater number of suppliers in a variety of locations.

Lack of awareness on the subject is more concerning. In relation to securing personal data (one of the key motives for cyber-attacks), having suitable supplier management controls in place with data processors is a legal obligation under Article 28 of the UK GDPR. Even if you already know this, the survey reveals that a significant number of businesses are in the dark here. Many UK companies could be blindly heading towards a cyber security incident and subsequent data breach without realising that they are already non-compliant with the law. Let's not forget that, with the powers of the UK GDPR behind it, the ICO can issue a fine of up to £17.5 million or 4% of global annual turnover, whichever is higher.

Steps to managing third-party suppliers

In an ideal world you would take these steps in supplier due diligence:

  • Request assurances about suppliers’ practices – with evidence.
  • Ask suppliers to complete a security assurance questionnaire which asks about their approach to risk management and the technical and organisational controls they have in place.
  • Insist on minimum compliance requirements, such as Cyber Essentials Plus or ISO 27001 certification. Organisations often claim to be 'aligned' to a standard; if so, ask for proof, such as the certificate itself and its scope. You can read more on this topic in our blog on the role of ISO 27001 in supply chain security.
  • Put a contract in place that sets out minimum security measures that must be implemented with indemnities for a cyber incident or data breach.
  • Carry out external audits of key or high-risk suppliers.

But it's not an ideal world and resources will always be restrictive. The situation is the same for SMEs at one end of the scale, who might not even have a dedicated CISO, and for multinationals at the other, with thousands of third-party suppliers across different continents.

The key is to manage risk and prioritise those suppliers which pose the highest risk in terms of the data they hold and subsequent cyber threat level. Documenting important decisions on assurance and risk management will help you demonstrate compliance during ISO audits if you are accredited, and to the ICO should you suffer a data breach.

For a detailed overview of best practices read our Guide to Supply Chain Security.

Managing third-party suppliers – Gather data and risk assess

Put a Cross-Departmental Team Together

You can't begin to assess risk until you have all the information at hand. Allocate the right resources to this initial project, put together a working party drawn from all departments, and secure the backing of the Board so that the working party has enough clout to ensure compliance throughout the business.

Create a Data Inventory

Firstly, you need to understand what data you process, where it is stored, who has access to it, and where it flows, both inside the business and, crucially, outside it. You may already have this in the form of a data map or an information asset register. It is prudent to review the data from both directions: identify everything flowing out and where it goes, and separately collate all your third-party suppliers and work back to what data each of them holds. Any recipient that appears in one list but not the other is a gap in your register. You will need to identify the internal contact for each external supplier and give them a questionnaire.

Make sure you include data owners and systems owners in this process to get a complete view of data access and/or sharing with suppliers. Also, don’t forget that you may well already have a legal obligation to have a Record of Processing Activities in place as required under Article 30 of the GDPR and a data inventory will help with that.

Ensure Best Practice

Apply best practices throughout your supply chain just as you would for internal cyber security. Examples of best practices include classifying your data and having rules for the transmission of information of higher classification.  Ensure third parties only have access to the data they require to carry out their role, keep access limited to relevant personnel and require multi-factor authentication for that personnel.

For those suppliers that you have identified as the highest risk, allocate more resources. Follow the steps in full, listed above. Ensure your contracts are locked down, have regular audits and include business-critical suppliers in your Incident Response planning and assurance exercises. 
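The two-directional register review described above, and the principle of prioritising suppliers by the data they hold and the access they have, can be made concrete in a small script. The following is an added illustration written for this article, not Evalian's tooling: the supplier names, data flows, classification scheme, weights and tier thresholds are all constructed for the example and stand in for an organisation's own register. It reconciles documented outbound data flows against the supplier register in both directions, scores each supplier's inherent risk, maps the score to a due-diligence tier, and flags assurance gaps such as a personal-data processor with no Article 28 contract or a supplier that merely claims ISO 27001 'alignment' without evidence.

```python
"""Supplier register reconciliation and inherent-risk tiering.

Added illustration for this article; it is not Evalian's tooling. Supplier
names, data flows, weights and thresholds are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed classification scheme, least to most sensitive. "personal" and above
# indicate personal data, which brings Article 28 contract requirements into play.
CLASSIFICATION_WEIGHT = {"public": 0, "internal": 1, "confidential": 2,
                         "personal": 3, "special_category": 4}

@dataclass
class DataFlow:
    dataset: str
    classification: str
    supplier: str        # third party receiving the data
    records: int         # approximate volume

@dataclass
class Supplier:
    name: str
    internal_owner: Optional[str]    # who completes the questionnaire for them
    processes_personal_data: bool
    article28_contract: bool
    certification: Optional[str]     # e.g. "ISO 27001", "Cyber Essentials Plus"
    certificate_seen: bool           # evidence, or merely a claim of 'alignment'
    privileged_access: bool          # remote-management/admin access into our estate

def reconcile(flows: List[DataFlow], suppliers: List[Supplier]) -> Dict[str, List[str]]:
    """Check the register from both directions: every outbound flow names a
    registered supplier, and every registered supplier appears in some flow."""
    registered = {s.name for s in suppliers}
    recipients = {f.supplier for f in flows}
    return {"unregistered_recipients": sorted(recipients - registered),
            "suppliers_without_flows": sorted(registered - recipients)}

def inherent_risk(supplier: Supplier, flows: List[DataFlow]) -> int:
    """0-10 score from the most sensitive data received, volume and system access."""
    own = [f for f in flows if f.supplier == supplier.name]
    sensitivity = max((CLASSIFICATION_WEIGHT[f.classification] for f in own), default=0)
    score = sensitivity * 2                                  # 0..8
    score += 1 if sum(f.records for f in own) >= 10_000 else 0
    score += 2 if supplier.privileged_access else 0          # SolarWinds/Kaseya pattern
    return min(score, 10)

def tier(score: int) -> str:
    return "high" if score >= 8 else "medium" if score >= 4 else "low"

# Due-diligence steps scale with tier; only high-tier suppliers get the full set.
ASSURANCE_BY_TIER = {
    "low": ["self-attestation questionnaire"],
    "medium": ["questionnaire", "certification evidence", "security schedule in contract"],
    "high": ["questionnaire", "certification evidence", "security schedule with indemnities",
             "external audit", "include in incident response exercises"],
}

def assurance_gaps(supplier: Supplier, flows: List[DataFlow]) -> List[str]:
    """Flag missing controls given what the supplier actually receives or claims."""
    own = [f for f in flows if f.supplier == supplier.name]
    personal = supplier.processes_personal_data or any(
        CLASSIFICATION_WEIGHT[f.classification] >= CLASSIFICATION_WEIGHT["personal"] for f in own)
    gaps = []
    if personal and not supplier.article28_contract:
        gaps.append("no Article 28 processor contract")
    if supplier.internal_owner is None:
        gaps.append("no internal owner to complete the questionnaire")
    if supplier.certification and not supplier.certificate_seen:
        gaps.append(f"claims {supplier.certification} but no certificate seen")
    return gaps

def assess(flows: List[DataFlow], suppliers: List[Supplier]) -> Dict[str, dict]:
    out = {}
    for s in suppliers:
        score = inherent_risk(s, flows)
        out[s.name] = {"score": score, "tier": tier(score),
                       "required": ASSURANCE_BY_TIER[tier(score)],
                       "gaps": assurance_gaps(s, flows)}
    return out

# Constructed sample register (not real suppliers).
FLOWS = [
    DataFlow("employee_payroll", "personal", "PayrollCo", 5_000),
    DataFlow("customer_db_backups", "personal", "RemoteMgmtCo", 50_000),
    DataFlow("marketing_brochures", "public", "PrintShop", 100),
    DataFlow("web_clickstream", "internal", "AnalyticsCo", 2_000_000),  # recipient not in register
]
SUPPLIERS = [
    Supplier("PayrollCo", "hr-ops", True, True, "ISO 27001", True, False),
    Supplier("RemoteMgmtCo", None, True, False, "ISO 27001", False, True),
    Supplier("PrintShop", "marketing", False, False, None, False, False),
    Supplier("LegacyCRM", "it-ops", True, True, None, False, False),   # registered, no documented flow
]

if __name__ == "__main__":
    print(reconcile(FLOWS, SUPPLIERS))
    for name, r in assess(FLOWS, SUPPLIERS).items():
        print(f"{name}: {r['tier']} ({r['score']}) gaps={r['gaps']}")
```

Run against the sample data, the reconciliation flags AnalyticsCo (receives data but was never registered) and LegacyCRM (registered as a personal-data processor, yet no documented flow), while the scoring puts the remote-management supplier with privileged access and personal data in the high tier with three open assurance gaps. The weights are deliberately simple; what matters is that the scoring inputs (classification, volume, privileged access) are the ones the text says should drive prioritisation, and that the output is documented so the decisions can be shown to an auditor or the ICO later.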

Want a free cyber security consultation?

With the increasing interconnection of business, managing third-party suppliers is becoming a complex and sprawling issue, opening further avenues of risk. Limited resource and the availability of adequate expertise around this subject is proving to be a key challenge. If you need support and direction in managing your third-party supply chain, call us for a no-obligation chat.

It’s also important to note that a robust supply chain security management strategy can help towards ensuring you are NIS 2 compliant. If your organisation falls within scope of the NIS 2 directive, it would be a good idea to work with supply chain security management services, such as Evalian, that can also support you with complying with NIS 2. To find out more, visit our blog where we give you an overview of NIS 2, and also how to understand if you are in scope.


Written by Evalian®