Last year, a study into third party data risk found that of the of 1000 CISO’s surveyed across the US and UK, 59% of companies had experienced a data breach. According to the Carbon Black 2019 Quarterly threat report, 50% of attacks occurred throughout the supply chain, a method termed ‘Island hopping’ in the US. A further study in 2019 by the UK Government’s Department of Digital Culture and Media found that of the 2000 plus UK businesses and charities surveyed. The supply chain is increasingly being targeted by cyber criminals so why are we so weak at managing third party suppliers?
“fewer than one in five businesses (18%), and around one in seven charities (14%), require their suppliers to have, or adhere to, any cyber security standard or good practice guides”.
Reasons for weak supply chain management
It’s impossible to do business nowadays without relying on a wide range of third parties for myriad services and the supply chain is an obvious weak link for hackers looking to target companies with valuable data sitting further up the chain. When interviewed, UK companies cited similar reasons to explain why managing supplier risk is a real challenge, these were;
- Lack of awareness
- Lack of capability & resource
- Lack of perceived responsibility for suppliers’ own actions
- Not knowing what questions to ask
The UK government report states that it is still relatively uncommon for organisations to systematically consider the cyber risks in their supply chain. Lack of resources and ignorance were two major themes that came out of interviews to explain this. It’s easy to assume that lack of resource is a problem for smaller companies, however it’s just as relevant for large organisations who will likely have a greater number of suppliers in a variety of locations.
Ignorance on the subject is more concerning. Did you know that in relation to securing Personal Data (one of the key motives for cyber-attacks), having suitable supplier management controls in place with data processors is a legal obligation under Article 28 of the GDPR? Even if you do already know this, the survey reveals that a significant number of businesses are in the dark here. Many UK companies could be blindly heading towards a cyber security incident and subsequent data breach and not realise that they are non-compliant with the law. Let’s not forget that with the new powers of the GDPR behind it, the ICO could issue a fine of up to £17 million or 4% of annual turnover whichever is greater.
Steps to managing third party suppliers
In an ideal world you would take these steps in supplier due diligence:
- Request assurances about suppliers’ practices – with evidence.
- Ask suppliers to complete a security assurance questionnaire which asks about their approach to risk management and the technical and organisational controls they have in place.
- Insist on minimum compliance requirements, such as Cyber Essential Plus or ISO 27001 certification. Organisations often claim to be ‘aligned’ to a standard – ask for proof if this is the case.
- Put a contract in place that sets out minimum security measures that must be implemented with indemnities for a cyber incident or data breach.
- Carry out external audits of key or high-risk suppliers.
But it’s not an ideal world and resource will always be restrictive. The situation will be the same for SME’s at one end of the scale, who might not even have a dedicated CISO, to multinationals at the other end of the scale that have literally thousands of third-party suppliers across different continents.
The key is to manage risk and prioritise those suppliers which pose the highest risk in terms of the data they hold and subsequent cyber threat level. Documenting important decisions on assurance and risk management will help you demonstrate compliance during ISO audits, if you are accredited, and to the ICO should you suffer a data breach.
Managing third party suppliers – Gather data and risk assess
Put a Team Together
You can’t begin to assess risk until you have all the information at hand. You will need to allocate this initial project with the right resource, put together a team of all departments and have the backing of the Board to ensure the working party has enough clout to ensure compliance throughout the business.
Create a Data Inventory
Firstly, you need to understand, what data you process, where it is stored, who has access to it, where it flows inside the business and crucially outside. You may already have this in the form of a data map, or an information asset register. It would be prudent here to review the data from both directions, by this I mean identify everything flowing out and where to, as well as collating all the third-party suppliers and working back to what data they have. You will need to identify the internal contact for each external supplier and give them a questionnaire.
Make sure you include data owners and systems owners in this process to get a complete view of data access and/or sharing with suppliers. Also, don’t forget that you may well already have a legal obligation to have a Record of Processing Activities in place as required under Article 30 of the GDPR and a data inventory will help with that.
Ensure Best Practice
Apply best practice throughout your supply chain just as you would for internal cyber security. Examples of best practice include classifying your data and having rules for transmission of information of higher classification. Ensure third parties only have access to the data they require to carry out their role, keep access limited to relevant personnel and require multi-factor authentication for those personnel.
For those suppliers that you have identified as the highest risk, allocate more resource. Follow the steps in full listed out above. Ensure your contracts are locked down, have regular audits and include business critical suppliers in your Incident Response planning and assurance exercises. We have further information on Incident Response planning here.
With the increasing interconnection of business, managing third party suppliers is becoming a complex and sprawling issue, opening further avenues of risk. Limited resource and availability of adequate expertise around this subject is proving to be a key challenge. If you need support and direction in managing your third-party supply chain, call us for a no-obligation chat.