Alan Calder, Chief Executive of GRC International plc, parent company of IT Governance, discusses the increasing issue of cybersecurity in the supply chain sector and how companies can counteract the threat to meet the challenge head-on. Research from Ponemon Institute indicates that cybersecurity is a growing supply-chain challenge, with 56% of organisations reporting to have had a breach that was caused by one of their third-party vendors. As the supply chain becomes increasingly more connected through digital transformation, the exposure to potential cyberattack increases. There is, therefore, a critical need for organisations to effectively secure their supply chain ecosystems and mitigate risk as much as possible. The supply chain is the backbone of an organisation but just one broken link in the ever-complex supply chain can send shockwaves throughout the rest of the associated suppliers and potentially leave the entire operation exposed to attack.
A dynamic supply chain is essential in the modern industry, but each new supplier only adds to an organisation’s vulnerability in terms of security. Following the Equifax hack, both Visa and MasterCard alerted that 200,000 credit cards may have been compromised as a direct result. Every third-party supplier along the Equifax supply chain was consequently exposed to increased risk. Equifax subsequently published a report following the data breach to raise awareness of threats caused by supply chain security. The report found that 32% of businesses don’t know where all of their third-party suppliers store personal data and 25% of businesses who have experienced a breach believe the third-party supplier would be accountable for the data breach response.
The Information Commissioner’s Office (ICO) is responsible for how GDPR is implemented and enforced in the UK. One of the core principles of why it was introduced into law was to provide greater transparency and visibility for data protection. When GDPR came into force in May 2018, it introduced compliance requirements that also extends to suppliers. The ICO states that if a third-party supplier suffers a personal data breach involving personal data controlled by another organisation, and it does not inform the data controller of the incident promptly, then they are putting the data controller at risk of breaching their obligations under the GDPR. So, whilst organisations may have internal GDPR compliance policies in place, can the same be said for all of their suppliers?
It’s important for organisations to take control of security auditing, and understand what data suppliers hold on file, where it is stored and who has access to it. By following this process for every supplier, businesses can proactively limit their exposure to risk and not just assume that each supplier's compliance policies will go far enough. Data processing is prone to human error and is subject to misinterpretation and rarely updated, therefore, data quality checks and data flow mapping plays a crucial role in providing supply chain and cybersecurity assurance.
The vetting of third-party suppliers has become a much more arduous process as risks to security must be thoroughly evaluated – and rightly so. Examples such as the attack on the freeware utility CCleaner led to at least 18 other companies being targeted in one campaign. Fortunately, on this occasion, the attack was quickly exposed and counteracted, but it still set a precedent for future supply chain attacks.
Many organisations are now placing greater emphasis on internal cybersecurity measures, as demonstrated by the fact that cybersecurity and risk management is second only to IT automation when it comes to priority initiatives that organisations are planning to invest further in during 2019. With high profile cyberattacks often a daily occurrence in the media, more organisations are viewing data breaches and the protection of personal data as an important part of business risk. This is encouraging news, however, within a complex supply chain it is possible that security can potentially be compromised by just one supplier that has left a hole in their defences. While no organisation is immune from cyberthreats, effective supplier management in terms of thoroughly screening new suppliers, vetting practices and procedures, limiting access to data and undertaking frequent security auditing, can ensure that the compliance standard of the supplier meets the needs of the organisation and mitigates risk.
Organisations should be diligent in verifying the security practices and procedures of third-party suppliers, vendors and partners in order to reduce threats and minimise risk. Independent certification to a framework such as the information security standard ISO 27001, the industry best-practice for information security, is now becoming a more prevalent requirement for obtaining certain contracts, especially those involving public sector contracts and other critical industries, such as the financial services sector. Certification to standards and schemes such as ISO 27001 and the UK Government-backed Cyber Essentials scheme allow organisations to provide their suppliers with the assurance that they have taken a baseline approach towards cybersecurity.