How to mitigate third-party digital risk
PGI's Information Assurance team shares the vital information your organisation should consider when onboarding suppliers.
Every organisation is facing a myriad of third-party digital risks; whether that’s criminal-led (the most common), state-led, hacktivists or commercial espionage driven. The list goes on, but regardless of the type, one of the main areas that consistently comes up as a weak point in defences is supply chain management.
NotPetya. Solarwinds. Blackbaud. You’ll recognise these because, in some form, threat actors made use of their vulnerabilities to access or disrupt their customers’ systems. Supply chain attacks are becoming more common and the consequences can be direct or indirect:
Direct: Attackers use your supply chain as a starting point to access your customers, leading to an attack on your own organisation which is operationally and financially disruptive.
Indirect: Where part of your supply chain becomes a victim of a disruptive attack itself, disrupting or degrading the provision of its services to you; therefore, disrupting your own service provision.
The primary risk comes from any part of the supply chain that has direct connectivity into your organisation’s architecture or where data/connectivity into your organisation is readily accepted. Here are some examples:
Software updates: NotPetya being the most well-known consequence of this, SolarWinds being a more recent example. This is by far and away the increasing trend in supply chain attacks – largely due to the explosion of SaaS and the efficiencies they bring to an organisation.
External connectivity: There is still no better example of this than Target where attacker access was obtained via the Air Conditioning System (which was connected to Target’s core IT system to allow remote control and troubleshooting).
Suppliers who have a large market share who are most attractive to attackers. The market share of JBS and Colonial Pipeline created yet more pressure on the victim to pay to restore services, because of the critical role they play in the supply chain.
Equally, there are suppliers who represent a level of criticality. For example, any organisation which has suppliers that are also suppliers to organisations in Ukraine, Belarus and Russia should expect to see the services from those suppliers degraded as they become victims of digital disruption as a casualty of geopolitical conflict.
Digital supply chain risk is a core business risk, but invariably cyber risk is managed or heavily dominated by IT whereas the supply chain risk is managed elsewhere (as such, many organisations score poorly on supply chain security controls).
Where organisations do have ‘cyber risk’ on their Risk Register – it is considered an independent risk and rarely intersects with other risks. This means there is often no internal mechanism to identify and measure the risk let alone treat it.
Every organisation really should have a system of categorising their supplier risk, based upon the criticality of services and the level of risk represented. This is something we routinely do for our clients, and it is a relatively simple measure to introduce (provided the internal cross-departmental communications work, of course).
The next step is setting the security standards for suppliers based on their risk category. In the UK, for example, there is a myriad of established, recognised and independently validated controls regarding technical and procedural security processes ranging from the most basic (Cyber Essentials) through to the more comprehensive (ISO 27001).
If you have a degree of control, you can either stipulate that your suppliers can demonstrate/obtain that recognised standard before contract award or you can make a policy decision that you will only trade with organisations that already demonstrate the right level of accreditation for the risk category they belong to.
Other considerations include:
Contractual liability: Standard T&Cs can easily be reviewed. This is particularly the case when organisations contract out their IT provision. It is imperative that Managed IT Services have built-in SLAs around IT Security – particularly around patching schedules.
Insurance: Insurance is always a risk mitigator and the cyber risk is no different. While it doesn’t necessarily stop an incident from happening, it can mitigate some of the financial impacts if it does.
There are, however, several pitfalls, such as understanding the extent of cover where the access point has been via a third-party (and the extent to which that third party has their own insurance cover).
Most importantly, with a particular eye on the global security situation, it is worth understanding the exclusions. Mondalez vs Zurich saw Zurich refuse to meet a >100m claim following NotPetya because it was judged to have been attributable to the Russian State and constituted an ‘Act of War’ and was therefore excluded.
Geopolitics: If your supply chain is based abroad or conducts a significant part of its business abroad, the risk management process should consider any geopolitical risk that may affect the digital security of your suppliers, directly and indirectly.
For example, all organisations should be reviewing their third-party digital security risk if their suppliers are based within the Russia/Ukraine conflict zone or have significant trade links in the region.
There are many technical measures that can be put in place; but here are three key areas:
Shadow IT management: Shadow IT is an increasingly common issue where departments outside IT procure and download software for their local use without the knowledge of the IT department.
These can range from security software to communication tools. A full audit of these and maintaining an up-to-date inventory and an agreed procurement policy will reveal vulnerabilities that supply chain hackers can take advantage of and will allow a vendor’s security posture to be a consideration.
Authorised software: Build policies that determine if an application is allowed to run. If the code of the application raises a red flag, the system blocks it.
Maintaining a strict set of code dependency policies can limit the number of supply chain attacks your company encounters. Allow-listing software is a good practice and ensures that only approved software can run on the system.
Limit third-party connectivity: Some third parties have a legitimate business need to connect to a client’s infrastructure.
However, this connection needs to be configured in a way that limits named user (with additional authentication tools) access and segregates that access from other unnecessary parts of the business.
All organisations should have an Incident Response Plan as well as a Business Continuity or Disaster Recovery Plan based upon a cyberattack scenario, regardless of the supply chain risk. If your organisation doesn’t have these, then they need to be on top of the priority list.
It’s also important to be prepared; it is worth exercising with a third-party (even if it’s just table-top) a scenario where the third-party represents the attack vector.
Trying to run an Incident Response with a third-party and understanding where responsibility for what, is a nightmare without preparation and delays effective recovery. And remember, throughout the Incident Response, each party will want to gather evidence to be able to protect themselves against liability claims or insurance claims.
PGI offer a range of services to help you gain a deeper understanding and more control over your supply chain management, including Cyber Assurance as a Service, which enables you to call on a full team with specialist expertise for your information and cyber security requirements. This knowledge includes carrying out supply chain security audits and helping supporting you to prepare your incident response.
If you’re ready to take more control of your supply chain, talk to us: Call on +44 20 4566 6600 or email via email@example.com
Over the years, we have developed a range of content with the aim of educating organisations on cyber security threats and helping them defend their assets and reputation, so for us every month is Cyber Security Awareness Month.
On 26 September, Semafor published a lengthy article written by Jay Solomon claiming that a series of Iranian-American analysts and advisors to the Biden administration had been compromised as part of a long-running Iranian influence operation.
These days, there seems to be a variety of digital technologies on the horizon that are poised to disrupt the way we live our everyday lives.