It may surprise you that, by some estimates, up to 80% of IT security breaches originate in the supply chain. Some of the most high-profile breaches were at Target, Home Depot, Sony, Sears and JP Morgan Chase, and the scale is staggering: the Home Depot breach exposed payment card data from roughly 56 million customers, and the JP Morgan Chase breach affected around 76 million households and 7 million small businesses. Perhaps the most instructive case is Target. Not only did the attackers gain access to the personal information of some 70 million customers (and the payment card details of around 40 million), but the manner in which they did so is illuminating. They got in using network credentials stolen from Fazio Mechanical Services, a heating, ventilation and air conditioning (HVAC) contractor whose own systems had been compromised by credential-stealing malware delivered in a phishing email. So Target was compromised through its supply chain, via a supplier that had no business reason to be anywhere near customer data. The other noteworthy point is that this was an HVAC contractor. Consider what could have been taken if the compromised supplier had been a firm of external auditors working inside Target, or a management consultancy (a corporation the size of Target surely has several consultants working on something at any one time), or, more damaging still, one of the law firms Target used.
Without a clear understanding of your risk and proper precautions, your organisation may be far more exposed to a cyber-security incident than you think. In the era of the GDPR and the NIS Directive there is a new onus on organisations to mitigate risk in their supply chain, or face scrutiny from the regulator. Recent breaches and security incidents at several service providers have highlighted this growing risk and the importance of taking pre-emptive measures to protect your business. So much of the digital world now relies on the supply chain: a network of interdependent companies powered by high-speed online data exchange. Often automated, the supply chain is a seamless and largely invisible exchange of goods, services and data. It works brilliantly, right up until you recognise the security gaps and cyber risk that every one of those connections creates.
Recent news stories have highlighted this. PageUp, a large Australian recruitment software provider, was breached earlier this year. Data such as names, email and physical addresses, telephone numbers, dates of birth and employment details were all exposed, and household brands including Telstra, Aldi, Lindt, Costa Coffee and Premier Inn were hit as a result of this single breach, simply because they were PageUp customers. Often these incidents involve attackers directly compromising a supplier's systems; in other cases the supply chain risk comes from coding errors by a development partner. Even the NHS was exposed when an error by the software developer TPP meant that the objections some 150,000 patients had registered against their data being used for purposes beyond their direct care were not passed on to NHS Digital, so their data continued to be shared despite their wishes.
Targeted supply chain attacks are notoriously difficult to prevent; stopping a determined attacker who has chosen your weakest supplier as the way in is not easy. It has even been said that "when done well, supply chain compromises are extremely difficult (and sometimes impossible) to detect." Supply chain risk is therefore a growing concern, but what can organisations do to secure their supply chain? The GDPR and the NIS Directive are both clear that measures to address this risk should be a priority. The GDPR places obligations on both the data controller and the data processor, so a firm cannot simply blame its outsourcer for an incident involving the personal data it is responsible for. Meanwhile, the guidance accompanying the NIS Directive states that "Regardless of your outsourcing model the OES [operator of essential services] remains responsible for the security of the service and therefore all requirements from NIS flow down."
So what can be done? The NCSC, the part of GCHQ responsible for this guidance, advises that organisations should mitigate supply chain risk by:
These checks also help demonstrate compliance with the GDPR. Understanding where data flows, who is using it, and what security controls are in place at each supplier is key. Contracts should be revised to record this and to require the security baseline you are satisfied with, and those requirements should flow down to your suppliers' own suppliers. Regular audits will be needed going forward, because a supplier's posture at the time of signing says little about its posture two years later. Best-practice frameworks such as ISO 27001 can help in providing assurance, although a certificate covers only the scope the supplier chose to certify, so check that the services you actually consume fall within it.
Unfortunately, supply chain risk is an inevitable part of our modern digital world. Organisations have historically taken the seamless connectivity of the supply chain for granted. It is worth noting that none of the attacks discussed above were reported against public cloud platforms such as Azure or AWS; they involved private cloud or on-premise IT environments. That is not an argument that the public cloud is immune, since under the shared responsibility model the customer still owns identity, access and configuration, but it does show that the supply chain problem is not a cloud problem. It is a problem of trust extended to third parties, wherever the systems happen to run.