Muscle up! Steps to boosting your supply chain cyber security

 

From the February 2019 print edition

Open your browser, type “data breach” into the search text area, and then click “News”. On any given morning, the search might yield more than eight million results with headlines like: “…failing to take security seriously”; “passport numbers stolen…”; “… breaches affected more than a billion people in 2018.”

While headlines seem to get straight to the facts of a breach, the reality is often a bit more complicated. The details of what exactly happened or who caused the cyber incident are oftentimes challenging to uncover.
Indeed, most organization’s technology estates are a complicated, internetworked ecosystem of multiple technology service providers, partners, and suppliers, each adding their portion of product capability and service functionality. With each layer of additional functionality, opportunity is created for additional partners and suppliers to be added into the ever-growing technology connected ecosystem.
It is estimated that that as much as 50 per cent of a company’s IT operations and digital services are performed by third parties and delivered outside of the control of an organization’s technology team.
In parallel, there has been a significant growth in cyberattacks. In the Symantec 2018 Internet Threat Security Report, researchers found staggering results over the previous year: an 8,500 per

Kevin Richards is a managing director and global lead of cyber risk consulting at Marsh Risk Consulting.

cent increase in antivirus detections; a 40 per cent increase in ransomware infections, and an 88 per cent increase in overall malware variants.
Moreover, researchers noted they are “seeing an increase in attackers injecting malware implants into the supply chain to infiltrate unsuspecting organizations, with a 200 percent increase in these attacks.”
Given these trends, it’s imperative that organizations understand and manage the cyber risks within their organization’s supply chain.

Your supply chain vulnerabilities are your vulnerabilities
In the world of specialization, businesses rely on their supply chains to gain leverage, optimize costs and expand into new markets. With that, there is oftentimes the need to give direct access to customer files, process flows and perhaps share other key data elements.
Unfortunately, this also expands the footprint—or the attack surface—that an adversary may try to exploit to gain access to your data. The old adage that a chain is only as strong as its weakest link applies here. Your cyber capabilities are only as strong as your weakest supplier’s capabilities, and their cyber vulnerabilities are your vulnerabilities.

A deeper dive into understanding supplier cyber risk
Developing a deeper understanding of supplier cyber risk is critical to determining an organization’s overall cybersecurity risk. It may seem challenging to get started, but there are a few steps that can make the effort reasonable. Ask the following questions:

  • Do I have a complete inventory of suppliers and third parties with access to my data and systems? The first step to protecting your data and systems is knowing who has access to it and why. Identifying what information is being shared with suppliers and third parties and why they need that access enables you to understand how big, wide and deep your relationships go.
  • How do I expect these organizations to handle and protect my data and systems? Once relationships have been identified, it’s essential to develop and communicate a policy that your suppliers must adhere to in order to access your systems and protect your data. Also, determine what cyber insurance policies your vendors have in place should an issue arise.
  • How do I assure that my suppliers and third parties have the capabilities to protect my data and systems? After developing and communicating your expectations for data and systems protection, it is critical that your suppliers and third parties can demonstrate their cyber risk management capabilities. This needs to be more than a contractual exercise with a light technical questionnaire. It is important to aggressively test the supplier’s cyber risk management capabilities prior to allowing access to your systems and sensitive data. The adversary will be attacking aggressively, so understanding the supplier’s capabilities is extremely important.
  • How am I monitoring vendors to ensure they are meeting expectations? Real-time monitoring tools can flag problems experienced by particular vendors, such as active malware or bots coming from their networks. A formal review and assessment program should be put in place for ongoing or even continuous monitoring. Although this can be done annually as part of a standard compliance assessment, it is prudent to conduct these checks more frequently. Vendors that deal with more sensitive data, or for whom a large part of that relationship is based on data management, should likely be assessed quarterly.

Should an issue be identified within the assurance or monitoring activities, there needs to be a clear and urgently defined recourse with the vendor. To make the point clearer, your organization may also consider empowering your cybersecurity leader (for example, a chief information security officer or chief information officer) with the authority to suspend or even terminate suppliers that are unable to demonstrate that they can adequately safeguard your organization’s data and protect the larger supply chain ecosystem. This may seem extreme, but it is critical to being able to deliver successful corporate operations.
Supplier cyber risk management will be a growing investment and element of your organization’s overall cyber risk management program as your supplier ecosystem continues to grow. And while it may be challenging at first while the program is being developed, done properly, it can help manage a significant cyber-risk exposure area and ultimately work to keep your organization from being one of the eight million data breach search results.

This information is not intended to be taken as advice regarding any individual situation or as legal, tax, or accounting advice and should not be relied upon as such. You should contact your legal and other advisors regarding specific risk issues. The information contained in this publication is based on sources we believe reliable but we make no representation or warranty as to its accuracy. All insurance coverage is subject to the terms, conditions, and exclusions of the applicable individual policies. Marsh cannot provide any assurance that insurance can be obtained for any particular client or for any particular risk. Marsh makes no representations or warranties, expressed or implied, concerning the application of policy wordings or of the financial condition or solvency of insurers or reinsurers.