In October 2018, Bloomberg Businessweek sent shivers through the business and intelligence community when it published an astonishing report that claimed that Chinese spies had exploited vulnerabilities in the US technology supply chain, infiltrating computer networks of almost 30 prominent US companies, including Apple, Amazon.com Inc., a major bank, and government contractors.
These claims were indeed alarming, but not surprising. Since the infamous 2013 Target hack, in which hackers exploited security weaknesses at one of Target's little-known suppliers and exfiltrated millions of payment card details, cybersecurity experts have been warning that expanding supplier networks would exponentially increase digital touch points, providing several softer avenues for threat actors to exploit and access high-value systems.
There is no dearth of high-profile examples. For instance, back in 2017, cyber threat actors compromised the Ukrainian software firm MeDoc and implanted NotPetya – a highly destructive malware – deep within its software update. Like the mythical Trojan Horse, NotPetya easily exploited the trusted software package, circumvented layers of security defences and crippled critical operations of high-profile enterprises, such as pharmaceutical giant Merck, shipping firm Maersk and the Ukrainian electric utility Kyivenergo, to name but a few.
It’s certainly hard to argue with the benefits of business partnering, given the decades of studies demonstrating that well-thought-out alliances can enable an enterprise to focus on its competitive advantages, as well as measurably boost its bottom line. But at the same time, the raging demand for transfer of utilities, goods and data, combined with the rapid intersection of cyber espionage and geopolitics, has also substantially complicated the cyber risk equation. Cyber threats exploiting weak supply chains are on the rise, like sea levels. The stakes are also invariably higher, threatening global peace and undermining the benefits of globalization and open markets.
While tightening cyber risk assurance within complex supply chains is certainly challenging, it’s not impossible. In the sections below, we provide three practical recommendations for business leaders to maximize the value of outsourcing relationships while minimizing the associated risks.
Have the right security clauses
Underpinning any robust supplier security assurance program are formally documented and legally enforceable security contractual clauses. During the contract negotiation phase, business leaders must have a clear understanding of the cyber risks associated with each relationship, and ensure appropriate clauses are agreed upon from the outset and baked into contracts. At a minimum, high-risk suppliers must:
- Provide independent assurance reports attesting to the operating effectiveness of key controls, such as a SOC 2 Type 2 report, ISO 27001 certification or Payment Card Industry Data Security Standard (PCI DSS) compliance. These should be provided at least annually.
- Provide the enterprise with the right to audit in the event of a systemic control breakdown or legal requirements.
- Demonstrably comply with applicable data protection and privacy laws, not engage subcontractors without express approval from the enterprise and only host data within approved jurisdictions.
- Adhere to applicable data breach notification laws, including notifying the enterprise, without unreasonable delay, of any data or privacy breach, as well as the results of subsequent investigations.
- Engage an independent, suitably qualified firm to regularly conduct penetration tests on critical applications and fix material vulnerabilities within agreed SLAs.
The significance of getting this right from the outset is hard to overstate. Requesting security assurance reports later in a relationship is complex, and without legally enforceable clauses, suppliers will likely push back, leaving an enterprise with no recourse in the event of disputes or systemic control breakdowns. This too, however, has its challenges. For instance, large cloud service providers are unlikely to agree to a “right to audit” clause with a medium-sized corporate customer. This comes down to leverage. Hence, it’s important to set realistic expectations upfront, as well as ensure that security contractual requirements are reviewed and signed off by the legal team and business owners.
Limit vendor remote access to the network
As we learned from the Target breach, suppliers with remote access to the enterprise network can present soft avenues for threat actors to exploit: gaining access to the enterprise network, escalating privileges and causing substantial harm. To manage this risk, the enterprise must adopt the least privilege principle, granting remote access only when there is no other cost-effective way for the vendor to deliver its services. Such access must be restricted to specifically segmented zones, channelled via secure virtual private networks and protected by multi-factor authentication. Furthermore, an up-to-date list of all vendors with access to the network, including their respective access rights, must be maintained and validated frequently, at least quarterly.
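The quarterly validation described above is easiest to run consistently when the vendor access register is machine-readable and the controls are checked mechanically. The following Python script is an added example, not code from the original article or its authors: it defines a minimal register entry, then reviews each entry against the controls named in the text (a documented justification for least privilege, confinement to approved segmented zones, VPN transit, MFA, and validation within the last 90 days). The zone names, the 90-day window, the review date and the three sample vendors are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed review policy, derived from the recommendations above.
MAX_DAYS_SINCE_VALIDATION = 90              # "at least quarterly"
APPROVED_VENDOR_ZONES = frozenset({          # constructed segment names
    "vendor-dmz",
    "hvac-segment",
})


@dataclass(frozen=True)
class VendorAccess:
    """One row of the vendor remote-access register (constructed schema)."""
    vendor: str
    account: str
    zones: frozenset           # network segments the account can reach
    via_vpn: bool              # access is channelled through the enterprise VPN
    mfa_enforced: bool         # multi-factor authentication is required
    justification: str         # why remote access is needed at all (least privilege)
    last_validated: date       # last time the business owner confirmed the access


def review_vendor_access(entries, today):
    """Return {vendor/account: [issues]} for every entry that fails a control."""
    findings = {}
    for e in entries:
        issues = []
        if not e.justification.strip():
            issues.append("no documented business justification (least privilege)")
        unapproved = e.zones - APPROVED_VENDOR_ZONES
        if unapproved:
            issues.append(f"reaches unapproved zones: {sorted(unapproved)}")
        if not e.via_vpn:
            issues.append("not channelled via VPN")
        if not e.mfa_enforced:
            issues.append("MFA not enforced")
        if (today - e.last_validated).days > MAX_DAYS_SINCE_VALIDATION:
            issues.append("quarterly validation overdue")
        if issues:
            findings[f"{e.vendor}/{e.account}"] = issues
    return findings


# Constructed sample register and review date for illustration only.
REVIEW_DATE = date(2024, 3, 1)
SAMPLE_REGISTER = [
    VendorAccess("Acme HVAC", "svc-hvac", frozenset({"hvac-segment"}),
                 via_vpn=True, mfa_enforced=True,
                 justification="remote monitoring of building HVAC controllers",
                 last_validated=date(2024, 1, 10)),
    VendorAccess("Payroll Co", "payroll-admin", frozenset({"vendor-dmz", "core-finance"}),
                 via_vpn=True, mfa_enforced=False,
                 justification="payroll batch uploads",
                 last_validated=date(2023, 10, 1)),
    VendorAccess("Old Print Vendor", "print-svc", frozenset({"vendor-dmz"}),
                 via_vpn=False, mfa_enforced=True,
                 justification="",
                 last_validated=date(2024, 2, 15)),
]

if __name__ == "__main__":
    for key, issues in review_vendor_access(SAMPLE_REGISTER, REVIEW_DATE).items():
        print(key)
        for issue in issues:
            print("  -", issue)
```

Entries that pass every check are silent; the output is the list of exceptions a business owner must either remediate or revoke. Tightening `APPROVED_VENDOR_ZONES` to the segments the vendor actually needs is what turns the register into an enforcement of least privilege rather than a record of it.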
Segment suppliers based on risk
The basic risk management principles also apply to managing supplier-related cyber risk: the rigor of the assurance process should be commensurate with the criticality of the outsourced business process and the potential impact should it be compromised. For instance, suppliers that handle high-value payment processes, handle volumes of customer personally identifiable data, manage critical infrastructure or underpin the most profitable business lines require tighter governance than those that handle ancillary services, such as administrative tasks. Taking a risk-based approach maximizes the value of the security assurance budget and reduces needless audits of suppliers. It also reduces noise, enabling limited security resources to focus on the supplier arrangements that present the highest level of risk instead of being spread thin across all supplier arrangements, each of varying significance.
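The tiering described above, together with the contractual assurance requirements from the earlier section, can be expressed as a small, repeatable model so that the same criteria are applied to every supplier. The Python below is an added example, not code from the original article or its authors: it assigns a supplier to a high, medium or low tier from the attributes the text names (payment processing, volume of customer PII, critical infrastructure, share of revenue underpinned), derives the assurance obligations for that tier, flags suppliers whose independent assurance report is overdue, and orders the portfolio so limited assurance resources go to the riskiest, most overdue suppliers first. The thresholds, cadences and sample suppliers are constructed assumptions, not figures from the article.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed tiering thresholds (constructed for illustration).
PII_HIGH_THRESHOLD = 100_000       # records of customer PII handled
REVENUE_HIGH_SHARE = 0.20          # share of revenue the service underpins
REVENUE_MEDIUM_SHARE = 0.05

# Assurance obligations per tier, mirroring the contractual clauses above.
# report_every_days=None means no independent report is demanded.
ASSURANCE_BY_TIER = {
    "high":   {"report_every_days": 365, "annual_pentest": True,
               "right_to_audit": True, "subcontractor_approval": True},
    "medium": {"report_every_days": 730, "annual_pentest": False,
               "right_to_audit": True, "subcontractor_approval": True},
    "low":    {"report_every_days": None, "annual_pentest": False,
               "right_to_audit": False, "subcontractor_approval": False},
}
TIER_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Supplier:
    """Constructed supplier profile used for risk tiering."""
    name: str
    handles_payments: bool = False
    pii_records: int = 0
    critical_infrastructure: bool = False
    revenue_share: float = 0.0
    last_assurance_report: Optional[date] = None


def risk_tier(s):
    """Map a supplier's attributes to a tier, following the criteria in the text."""
    if (s.handles_payments or s.critical_infrastructure
            or s.pii_records >= PII_HIGH_THRESHOLD
            or s.revenue_share >= REVENUE_HIGH_SHARE):
        return "high"
    if s.pii_records > 0 or s.revenue_share >= REVENUE_MEDIUM_SHARE:
        return "medium"
    return "low"


def assurance_plan(s, today):
    """Return the tier, its obligations, and whether the assurance report is overdue."""
    tier = risk_tier(s)
    reqs = ASSURANCE_BY_TIER[tier]
    cadence = reqs["report_every_days"]
    overdue = cadence is not None and (
        s.last_assurance_report is None
        or (today - s.last_assurance_report).days > cadence
    )
    return {"tier": tier, "requirements": reqs, "assurance_overdue": overdue}


def prioritise(suppliers, today):
    """Order supplier names: highest tier first, overdue before current within a tier."""
    plans = {s.name: assurance_plan(s, today) for s in suppliers}
    return sorted(plans, key=lambda n: (TIER_RANK[plans[n]["tier"]],
                                        not plans[n]["assurance_overdue"]))


# Constructed sample portfolio and review date.
REVIEW_DATE = date(2024, 3, 1)
SAMPLE_SUPPLIERS = [
    Supplier("PayGate", handles_payments=True, pii_records=2_000_000,
             last_assurance_report=date(2023, 1, 15)),
    Supplier("CRM Cloud", pii_records=50_000, revenue_share=0.10,
             last_assurance_report=date(2023, 6, 1)),
    Supplier("Office Cleaning"),
]

if __name__ == "__main__":
    for name in prioritise(SAMPLE_SUPPLIERS, REVIEW_DATE):
        s = next(x for x in SAMPLE_SUPPLIERS if x.name == name)
        plan = assurance_plan(s, REVIEW_DATE)
        print(f"{name}: tier={plan['tier']} overdue={plan['assurance_overdue']}")
```

The point of encoding the criteria is consistency: two assessors fed the same supplier profile reach the same tier, and the assurance calendar falls out of the tier rather than being negotiated supplier by supplier. The thresholds are where an enterprise's own risk appetite belongs, and they should be agreed with the business owners who sign off the contracts.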
The benefits of outsourcing are vast, but business leaders can no longer afford to enter into these alliances blindly. Cyber resilience is no longer a nice-to-have, but a top business imperative with far-reaching consequences for brand perception, customer retention, margin, regulatory compliance and, more importantly, business survival.
About the authors
Phil Zongo is the author of The Five Anchors of Cyber Resilience, an Amazon best-selling book that strips away the complexity of cyber security and provides practical guidance to business executives. He is also the 2016–17 winner of ISACA’s Michael Cangemi Best Book / Article Award. Zongo is the Founder and CEO of CISO Advisory, a consultancy firm that helps enterprises build high-impact and cost-effective cyber resilience strategies.
Rohini Kuttysankaran Nair is an experienced project manager with more than a decade of experience helping large enterprises deliver complex digital transformation programs. She is now leveraging her strong technical background and project governance skills to help enterprises deliver business-aligned cyber resilience uplift programs. She is based in Sydney, Australia.