The SolarWinds supply chain attack of 2020, in which malware-laced software updates were pushed to customers and gave attackers a foothold in the networks of multiple companies and government agencies, was a wake-up call for organisations of all sizes. It highlighted how quickly trust in a supplier can be eroded, even through a routine activity such as a software update, which is part and parcel of any software ecosystem.
With cyber security risk in supply chains an agenda item in many boardrooms in 2023, we sat down with CommBank’s Cyber Leadership to ask for their thoughts on how businesses can manage supplier security risk.
Q: What are we talking about when we refer to supplier security risk?
We’re referring to the risk of a negative impact to an organisation’s business or information assets due to a supplier suffering a cyber security event, such as a data breach or ransomware attack.
It’s particularly pertinent nowadays because organisations of all sizes are increasingly entrusting critical systems and data to suppliers, especially in an environment where more applications and information are being moved to the cloud. In this process, it can be easy to fall into the trap of believing that when you’re handing over data to suppliers, you’re also handing over accountability for its security. This is not the case, and many businesses have learnt this lesson too late.
When assessing supplier cyber security risk, we need to consider not just the implications of our suppliers losing our organisation’s data, but also the operational impact if the suppliers’ service were to become unavailable due to a cyber attack.
Q: Can you describe some notable breaches with potential supplier risk implications?
Although it was some time ago, the Target US breach in 2013 is still referenced when highlighting issues around supply chain risk. In that case, credentials were stolen from Target’s heating, ventilation and air-conditioning system provider. The attacker used those credentials to access and move laterally across Target’s network, installing malware on nearly all Target point-of-sale devices and gaining access to tens of millions of customer records and credit card numbers.
This breach showed how granting supplier access to the network, even for something as benign as air conditioning, can become a significant risk in certain circumstances.
More recently, the SolarWinds incident, which Microsoft described as the "largest and most sophisticated attack the world has ever seen", has really highlighted a new dimension of supply chain risk. In this case, hackers breached SolarWinds’ systems and infected one of their software products with malware that was then rolled out to thousands of their customers worldwide, putting many companies and government organisations at risk.
In both of these cases, while the vendors weren’t custodians of their clients’ sensitive data, the breaches they suffered nevertheless put their clients’ data and businesses at risk. This highlights the need to take a broad view when assessing the risk vendors pose.
Q: What sort of changes have you observed in the supplier risk space in the past couple of years?
There has certainly been an increase in the volume of suppliers experiencing incidents, and in our industry, for example, we’ve seen this fittingly result in an increasing regulatory focus on supply chain management. That has led to some innovative thinking with respect to due diligence processes.
There is a growing need for more rigorous vetting of suppliers, not just taking them at their word when they explain how sensitive information is protected, but going two steps further and actually verifying that those controls are in place and are operating effectively.
Another evolution we’ve seen in recent years is the need to broaden the picture of our ecosystem beyond just our suppliers, as it’s become apparent that, in fact, a cyber attack or breach at any other third party in our system where there are shared customers or other interests has the potential for adverse outcomes for our business and our customers.
Q: What are some of the things businesses need to be aware of when dealing with suppliers?
The first thing to assess is the inherent risk posed by a supplier.
Things to consider include:
- What type of data are you providing to the supplier and in what quantities?
- What would be the impact to your business if the supplier’s services were unavailable due to a cyber attack?
- What sort of connectivity does the supplier have to your corporate network?
Then you need to ensure you conduct due diligence commensurate with that risk. When doing that vetting, you might consider:
- How well is a supplier securing your data and how can you verify this?
- How robust is the supplier’s information security management system? Does it cover things like malware protection, data encryption, vulnerability scanning and patching as well as we would expect?
- How well is the supplier equipped to deal with a cyber incident and what would the process be, in terms of communication between the supplier and your business, in the event of such an incident?
Q: How can you start to manage these considerations?
Managing supplier risk through the lifecycle of the relationship is important. This begins with thorough due diligence when evaluating and vetting prospective suppliers and extends to onboarding the supplier, ongoing regular management and then off-boarding.
'Baking' cyber security obligations into contractual arrangements upfront means expectations are clear with respect to minimum security safeguards being in place and what the vendor’s obligations are in terms of notifying your organisation of cyber incidents.
The goal should ideally be full transparency and disclosure when it comes to potential security weaknesses and any risk mitigation and control remediation to be undertaken. However, this requires a degree of trust and maturity in the relationship that can take time to develop.
Ultimately, if suppliers aren’t willing to engage in dialogue or share where they have cyber concerns or incidents, as a business you could be left exposed to an increased level of risk.
Approaching supplier cyber risk management as an ongoing activity of due diligence to be regularly reviewed is another healthy attitude to adopt.
There are also a number of assumptions that it’s important to steer clear of. For example, don’t assume your business is uninteresting to a cyber attacker and therefore immune to the type of activity that could potentially cripple your operations. You also should not make any assumptions regarding how well your suppliers are securing your information.
And if you’re a supplier who finds yourself under increasing scrutiny as your customers adopt more rigorous due diligence, understand that this is actually an opportunity to shore up your defences to avoid the financial, emotional and reputational damage a cyber attack could inflict on your business.
Your customers are asking for transparency and the ability to proactively manage any particular cyber security risks to their organisation.
Q: Any other considerations?
- Prioritise your business’ suppliers so you know where the highest risk is and can develop a commensurate risk management approach. The Australian Cyber Security Centre's (ACSC) guidance on supply chain risk says that "cyber security expectations should be justifiable, achievable and proportional to the information being entrusted [to them] or the role that their products or services play in an organisation’s systems".
- Make sure your business has business continuity plans in place to be able to swiftly respond and recover if for any reason the supplier isn’t able to provide the service.
- Write plans for how you’d manage a supplier incident if one were to eventuate, such as how stakeholders, including customers and employees, would be communicated with.
- Keep an inventory of the suppliers in your ecosystem and rationalise where possible if you have multiple suppliers providing the same thing in order to reduce the risk and overhead. Also consider whether your suppliers are using sub-contractors and the risks that these ‘fourth parties’ pose.
- Look for independent reports that some suppliers procure about their cyber security posture. Many cloud providers have these that can save time when doing due diligence.