Commencing with strategy and scope,
Security assessment will bring hope.
With impact and projections calculated,
Justification to the board will be validated.
Welcome to part 2 of “3 Compelling Reasons to Invest in Cyber Security”. In Part 1, I discussed assessing and prioritising your organisation’s risks, and how to commence a risk assessment.
Step 2: Understand Your Supply Chain
In part 2, I will discuss your organisation’s supply chain. Even if your organisation’s IT network is protected, your supplier may not be! Why should you encourage the board to take this into consideration? With today’s delicate economy, the stability of the supply chain is also under threat. An attacked supply chain can potentially be disastrous to profitability, business continuity, and compliance. For restaurants, a supply chain manager must ensure adequate fresh stock of all food. For a posh hotel, champagne must keep flowing. For organisations involved in healthcare, a breakdown in the supply chain (e.g. a shortage of medical supplies) may not only inflict damage to the organisation but also threaten human lives.
While a supply chain may be necessary, e.g. for outsourcing, it will also bring the following risks to your doorstep:
- Financial: Your supplier may encounter a situation which threatens their financial health.
- Reputational: Your supplier may engage in activity which negatively affects your brand.
- Cyber Attack: A breach of your organisation can occur through your supplier, for example via the network access or credentials you have granted them. Vulnerabilities in legitimate third-party software and hardware may also let an attacker in.
It is also important to consider that there are a number of situations that may affect your supply chain and fall beyond your control:
- Natural Disaster: Your supply chain may be disrupted by an earthquake or other natural disasters.
- Man-made: Your supply chain may be disrupted by an incident at a supplier’s site, such as a fire or an explosion.
- Geopolitical: Your supply chain may be disrupted by political events, e.g. wars.
Meltdown and Spectre, two vulnerabilities in the processor chips themselves rather than in any software your organisation wrote, were publicly disclosed in January 2018. Meltdown lets an unprivileged program read memory belonging to the operating system kernel, defeating the hardware boundary between user applications and the kernel’s protected memory. Spectre tricks other programs into speculatively accessing, and thereby leaking, sensitive data they would never legitimately return. Both are a reminder that a vulnerability can arrive through a supplier’s product, and that the fix (processor microcode and operating system updates) also has to reach you through the supply chain.
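A practical check that follows from this: on Linux (kernel 4.15 and later) the kernel reports, per issue, whether the running processor is affected and whether a mitigation is active, as one file each under /sys/devices/system/cpu/vulnerabilities. The script below is an added example and is not part of the original article; it reads that directory (or, as an assumption, a copy of it that a supplier has exported from a host they manage for you) and fails if any entry still reports “Vulnerable”.

```shell
#!/bin/sh
# Added example, not from the original article.
# Linux kernels since 4.15 expose speculative-execution vulnerability status
# as one file per issue (meltdown, spectre_v1, spectre_v2, ...) under this
# directory. Each file holds a single line such as "Not affected",
# "Mitigation: PTI" or "Vulnerable".
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# check_cpu_vulns [DIR]
# Prints "issue: status" for every file in DIR (default: the live sysfs
# directory). Returns 0 if every issue is mitigated or not applicable,
# 1 if any issue still reports "Vulnerable", and 2 if DIR does not exist
# (kernel too old, or the supplier did not provide the directory).
check_cpu_vulns() {
    dir="${1:-$VULN_DIR_DEFAULT}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no vulnerability status directory at $dir" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        printf '%s: %s\n' "$name" "$status"
        # The kernel prefixes unmitigated entries with the word "Vulnerable",
        # sometimes followed by detail, e.g. "Vulnerable: No microcode".
        case "$status" in
            Vulnerable*) rc=1 ;;
        esac
    done
    return $rc
}
```

Source the file and run `check_cpu_vulns` with no argument to audit the host you are on; pass a directory path to audit a copied tree. A return code of 1 is the signal to chase the supplier for microcode and kernel updates, not to assume the hardware is safe because your own network perimeter is.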
As with analysing your organisation’s own risks in step 1, analysing your supply chain risks takes time and resources. But it strengthens the case for additional investment when you meet the board and discuss the suppliers’ impact on business continuity and profitability. It may even win you new contracts, because you can offer customers stronger security assurance. Once obtained, the investment improves your overall resilience and reduces the number of disruptions to your business, so the organisation suffers less damage and is better placed to comply with GDPR, which holds you responsible for the suppliers that process personal data on your behalf.
Understanding your supply chain begins with identifying which assets (including information) need to be protected and why. What is the value of the assets held or accessed by each supplier? You must identify which supply chains are the most critical to the organisation and weigh their value to the business. Then you must understand who your suppliers are, which suppliers would cause an unacceptable loss if they defaulted, and which suppliers are single sources of essential products or services.
A supplier’s security controls will also need to be assessed. (You will need to rely on the supplier to provide information about any sub-contractors, so ask for it explicitly.) Do these controls meet the security requirements that your organisation agreed with them at the outset?
In assessing the security risks posed by your supply chain, you could potentially discover a recipe for disaster for your organisation such as:
- Your security requirements were poorly communicated
- A supplier has failed a security audit
- The supplier has discovered a malicious insider
- The supplier’s logs show evidence of data exfiltration
Identifying and understanding these supply chain risks form the essential foundation of your justification to the board for a security investment. Therefore, these supply chain risks must initially feed into the risk assessment, described in Part 1 of this article.
Step 3 and beyond will be published shortly.