teissTalk host Geoff White was joined by Edd Hardy, Senior Vice President Cyber Security, AlixPartners; Marc Avery
Chief Information Security Officer & Founder, Cyber Chain Alliance; and Mike Campfield, VP, GM International Operations and Global Security Programs, ExtraHop.
Views on news
The Labour Party has confirmed that details of its members and supporters are among information affected by a ransomware attack at a company which handles the party’s data. As soon as the party was notified, it engaged third-party experts and the incident was immediately reported to the relevant authorities, including the National Crime Agency (NCA), National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO).
This, and similar cases, for example, where charities such as Save the Children and Human Rights Watch have been attacked through vulnerabilities in their fund-raising software indicate a new breed of cybercrime. Rather than simply exploiting a supply chain vulnerability, here cyber criminals find backdoors to an organisation through its data supply chain. It comes as no surprise that the frequency of this type of incidents is on the increase as more and more organisations outsource their data processing and management tasks to third parties.
Several questions arise with regards to the Labour Party ransomware attack. Did the third-party data services provider have a lawful basis for processing? (If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.) There is also a data ownership problem here. Although it’s a third party managing a business’s data, responsibility for data loss and breach will always lie with the original owner of the data – in this case, the Labour Party. You can’t outsource impact.
Effective ways of building assurance activities into managing supplier risk
Due diligence on suppliers comes with some tough decisions. In the case of Solar Wind, for example, the requirement to break the protected organisation’s security model to be able to install the security tool should have raised the red flag and should have led to a call for compensating controls or a switch to other suppliers. However, the practice of having only a single point of assessment of suppliers (before procurement gives the green light for the contract) makes it difficult for supply chain information security to adjust to changing postures of the company or its suppliers. Questionnaires are useful tools of supplier assurance with some caveats. First of all, the people assessing them, such as the legal or the procurement team, may not have the expertise to identify vulnerabilities and therefore many of them go unflagged.
Questionnaires can also get rather complicated and include hundreds of questions – many of them irrelevant to a particular supplier. Tailoring them to individual contracts can increase their effectiveness. A new approach to the buyer-supplier relationship could also go a long way. Rather than looking to find fault with suppliers, buyers should see procurement and regular supplier assessment as collaborative processes based on a partnership. As both of them have a vested interest in avoiding any type of reputational damage that comes with a breach, they should pull together rather than get pitted against each other by cybercrime. For suppliers, offering services with robust information security defences and being collaborative may generate a lot of referrals from their existing customers and therefore lead to better top line results.
The panel’s advice
With digital projects such as the deployment of cloud-based collaboration tools, for example, organisation’s main concern is how fast it can be done. A better approach from an information security aspect is to always allow time for due diligence to minimise the risk of future cyber-attacks. Always graduate your risks. You can’t have the same level of assurance with all your suppliers. Use the strictest criteria with those who manage your most critical data. When choosing your suppliers, keep the ones who didn’t make it in the first round for alternates if something goes wrong with the one you’ve selected. (In teissTalk’s ad hoc survey, 67% said they don’t keep shortlisted suppliers as a back-up if they aren’t the ones selected, while 33% said, they do.)
Don’t make your RFP (Request for Proposal) too stringent, or you’ll scare off your suppliers. To integrate information security criteria into the early stages of procurement, think of a worst-case scenario right at the start. Have an Incident Management Plan early on and make plans about what you’ll ask your suppliers to do if the worst happens.