Javvad Malik, security advocate at AlienVault, explores how organisations can protect themselves against the risks in their supply chain.
Business models have changed enormously in recent years. The potential for companies to be ‘born in the cloud’, without requiring any of the old brick-and-mortar infrastructure, has been a great equaliser, allowing startups to compete with global multi-nationals. However, while third-party suppliers and service providers can allow companies to be more innovative, create new products, and level the playing field against larger competitors, they can also leave businesses vulnerable to cyber threats if the environment is not properly managed. So how can organisations protect themselves and their supply chains in today’s digital business environment?
All businesses face inherent risks, but the nature of these risks has changed as our ways of doing business have moved from the physical to the cyber realm. It's not just that risks have shifted online, but that businesses today have a far larger dependency on third-party providers and suppliers than they have ever had in the past. Take, for example, the Dollar Shave Club, which was acquired by Unilever for $1bn in July 2016. The business revolved around providing reasonably-priced blades that were conveniently delivered to a customer's doorstep. Amazon Web Services (AWS) made it affordable and easy to scale the company's business model and allowed it to compete with larger, more established rivals; however, this also gave the company critical dependencies on third-party service providers such as Amazon, couriers and Facebook. Very little of the company's risk derived from its in-house systems; if any one of its third-party partners had failed, or not delivered on its part, the business might not have succeeded.
Third-party dependencies are not hypothetical risks. While suppliers can allow companies to be more innovative, many dangers manifest within this ecosystem, and in recent years there has been a spate of incidents involving supply chain security. In August 2008, a bank's customer data was sold on eBay because a third party didn't dispose of equipment in accordance with policy. In December 2013, US retail giant Target suffered a data breach in which around 40m payment card records and the personal details of up to 70m customers were stolen; the attackers gained their initial foothold using network credentials stolen from a third-party HVAC contractor. In November 2014, US DIY store Home Depot confirmed that the hackers behind its breach of some 56m payment cards had initially got in using credentials stolen from a third-party vendor.
So how can organisations protect themselves against the risks in their supply chain? Third-party suppliers and service providers remain an essential requirement for any business, and particularly for digital startups, which tend to rely on third parties more heavily than established businesses, but the risks need to be understood and managed accordingly. Here are some of the key points to consider:
Business impact assessment
Have a business impact assessment in place to understand what level of dependency is being placed on each third party, and what the business would lose if that supplier were unavailable or compromised. The more critical the role it plays in supporting the business, the greater the risk.
Knowing your partners
It’s essential to keep an up-to-date and accurate record of all business partners and the role they play. Relationships change over time and it is important this is updated whenever the role changes, not just when the partner is initially engaged.
Policy and legal
It is important to have a security policy documented for third parties that explains what is expected of them, how company data should be handled, and what needs to happen in the event of an incident. Legal counsel should be sought to ensure that the terms of this policy are written into contracts so that they are legally binding and enforceable.
Communication and education
Clearly communicating security needs to partners is vitally important. Some third parties may not yet appreciate the need for security, so an element of partner education should also be considered.
Technical controls
Ensuring that technical controls are in place is particularly important when a third party has direct access to your systems. While certifications or audit reports go some way towards providing assurance, gaining technical assurance through penetration testing, vulnerability scanning, or deploying monitoring controls around partner access (for example, restricting vendor accounts to the systems, source networks and times they are contracted for, and alerting on anything else) can also help identify weaknesses.
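As an added illustration of the monitoring point above (this is example code written for this page, not anything from the author or from AlienVault), the script below audits a constructed VPN/jump-host access log against a per-vendor access policy. The policy ties each third-party account to the source ranges the vendor has registered, the hosts it is contracted to touch, and the agreed maintenance window; any record that steps outside that scope is flagged. The account name, IP ranges, host names and log lines are all invented for the example. A vendor account reaching a host outside its contracted scope is precisely the pattern behind the Target intrusion described earlier, where HVAC credentials were used to reach systems an HVAC contractor had no business touching.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

# Hypothetical vendor access policy (names and ranges invented for this example):
# each third-party account is tied to the source networks it may connect from,
# the hosts it is contracted to administer, and the agreed maintenance window.
VENDOR_POLICY = {
    "svc-hvac-vendor": {
        "source_cidrs": ["203.0.113.0/24"],      # vendor's registered egress range
        "allowed_hosts": {"bms-01", "bms-02"},    # building-management servers only
        "window": (time(8, 0), time(18, 0)),      # contracted maintenance window
    },
}

# Constructed sample access log: timestamp, account, source IP, destination host.
SAMPLE_LOG = """\
2023-11-03T09:12:44 svc-hvac-vendor 203.0.113.17 bms-01
2023-11-03T22:41:03 svc-hvac-vendor 203.0.113.17 bms-02
2023-11-03T10:05:19 svc-hvac-vendor 198.51.100.9 bms-01
2023-11-03T11:30:00 svc-hvac-vendor 203.0.113.17 pos-gw-03
2023-11-03T11:31:00 unknown-acct 203.0.113.17 bms-01
"""


@dataclass
class Finding:
    ts: str
    user: str
    reasons: list


def parse_line(line):
    """Split one whitespace-separated log record into typed fields."""
    ts, user, src, dst = line.split()
    return datetime.fromisoformat(ts), user, ipaddress.ip_address(src), dst


def check_access(ts, user, src, dst, policy=VENDOR_POLICY):
    """Return the list of policy violations for one record (empty if clean)."""
    p = policy.get(user)
    if p is None:
        # An account with no documented owner is itself a finding: every
        # third-party account should map back to the partner register.
        return ["no vendor policy on record for account"]
    reasons = []
    if not any(src in ipaddress.ip_network(c) for c in p["source_cidrs"]):
        reasons.append(f"source {src} outside vendor's registered ranges")
    if dst not in p["allowed_hosts"]:
        reasons.append(f"host {dst} not in contracted scope")
    start, end = p["window"]
    if not (start <= ts.time() <= end):
        reasons.append(f"access at {ts.time()} outside maintenance window")
    return reasons


def audit(log_text, policy=VENDOR_POLICY):
    """Run every non-empty log line through the policy check; return findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst = parse_line(line)
        reasons = check_access(ts, user, src, dst, policy)
        if reasons:
            findings.append(Finding(ts.isoformat(), user, reasons))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f.ts, f.user, "; ".join(f.reasons))
```

Run against the sample, the first record is clean and the remaining four are flagged: an out-of-hours login, a login from an unregistered source network, the vendor account reaching a host outside its scope, and an account with no policy on record. In practice the policy table would be generated from the partner register described under "Knowing your partners", so that a change in a supplier's role automatically changes what its accounts are allowed to do.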
Threat intelligence
Appropriate threat intelligence can be very useful in understanding attack vectors, and in identifying where and how a third party may have been breached. Keeping abreast of leaked credentials or data offered for sale on underground forums can also help pinpoint a weak control before an attacker makes use of it.
Incident response planning
A joint incident response plan should be put in place to clearly map out roles and responsibilities in the event of an incident involving a third party. This can include technical steps such as revoking the partner's access and isolating critical environments, PR and media communication plans, and the process for terminating the third-party service if necessary.
Third-party suppliers are critical elements that contribute to the success of many companies in the digital era. But with opportunity comes risk, and if these relationships are not managed effectively, they could derail startups on their route to success. It is therefore vitally important that companies understand the risks that lie within their supply chains and take appropriate steps to protect themselves.