Cyber security – is your supply chain putting your…

Many Irish organisations overlook cyber security threats from the supply chain. Partners, customers and suppliers can pose a serious risk to your business – you’re only as strong as the weakest link in the chain.
Organisations need to be connected to their supply chains in order to be responsive, competitive and profitable. This means high levels of integration at all levels – both commercially and through automated end-to-end business processes between customers, suppliers and sub-suppliers. Unfortunately, it also poses cyber security risks.

Evolution of cloud and increased cyber security threats

While acting as a business enabler and accelerator, cloud computing has also introduced a new set of supply chain links, posing additional cyber security threats and risks to organisations.

A recent survey from Marsh Insurance showed that 70% of large and medium-sized enterprises in the UK don’t assess their suppliers and customers for cyber security risk. Our experience in the Irish and Northern Irish markets reinforces this finding.

Many recent high profile international and local cyber security disasters, including information breaches, service outages etc., reportedly originated through the supply chain.

The widely publicised breach of retail giant Target last year was reportedly caused by a HVAC supplier, which was used to inject malware via phishing emails to Target customers. This resulted in the theft of more than 70 million personal customer records and 40 million credit and debit card details.

Damage of cyber security threats – more than money lost

High profile breaches have huge financial repercussions for businesses affected. In Target’s case, it was reported that quarterly profits dropped by almost 50%. The cost to banks and credit unions of reissuing more than 20 million debit or credit cards, meanwhile, was almost €200 million. [1]
It doesn’t end there. Cyber breaches can quickly become viral news stories, and the reputational damage can be irreparable. Customers find it hard to trust a business they feel has broken their trust – no matter where the breach originates. The buck stops with you, plain and simple.

Ireland case study – Loyaltybuild

These breaches are not confined to international organisations. The 2013 Loyaltybuild breach, which was investigated by the Irish Data Protection Commissioner (DPC), highlights the impact that a breach in the supply chain can have on major brands in the Irish market.
“Loyaltybuild Ltd. failed to implement adequate security measures to protect the data it held on its systems”, according to the DPC investigation findings². Meanwhile, some of the third party companies for whom Loyaltybuild were providing data processing services “were unaware of their role in the control of the data held on the Loyaltybuild Ltd’s systems”, also according to the DPC. [2]

Even simple traditional supplier relationships like cloud storage, cloud email, cloud DR/BC if not properly assured and managed, pose potentially serious threats to organisations using these services.

Protect your supply chain from cyber security threats

Here are eight recommendations to secure your supply chain:

1. Identify all of your information assets within the supply chain.
2. Examine your supply chain and identify who has access to information assets, the purpose of that access and if it is necessary.
3. Review your policies, procedures and controls to address supply chain risks to your information systems and data.
4. Perform a gap analysis identifying gaps that you have in all of the above.

1. • For example: No policies for outsourced data retention, no contracts in place between you and the provider for data retention or data processing

1. Put a work programme in place to address these gaps on a priority basis.

1. • For example: Identify the issues that pose the biggest risks – i.e. the ones that would have the greatest negative impact on your organisation.

1. Implement an Information Security governance, risk management and operations framework to ensure that your supply chain data security is manageable. Include a holistic information security management system (ISMS) for your organisation
2. Audit your supply chain to ensure compliance. Ward advises clients to formally request an independent audit of their service regularly. Ideally, these audits should be benchmarked against a relevant verified standard:
   • For example: OWASP for software; ISO27001 for general info security; PCI/DSS for payment processing; and Data Protection legislation for data processing
3. Incorporate a holistic incident detection and management process to detect anomalies or non-conformance to your information security throughout the supply chain. Once these have been identified, agree to a response plan with your supplier.

We highly recommend that Irish organisations seek the help of experts to ensure these standards are being met and that they are not at risk of cyber security threats from the supply chain. Want to know more? Contact Ward Solutions today.

[1] c.net.com, Feb 18 2014 – Target hack strips banks and credit unions of $200M
[2] Data Protection Commissioner, Feb 1 2013 – Case Study 14: Data Security Breach at Loyaltybuild Ltd.