The $18.5-million cyberbreach of US retailer Target remains the highest-profile attack originating in the supply chain but, with the convergence of digital and physical worlds, worse is to come. Damage to digital assets, whether leaked customer data or a disabled website, is bad enough, but a breached supply chain potentially has real-world consequences of hospital closures and compromised power stations.
Supply chains are the starting point for 80 per cent of all breaches, according to the SANS Institute, with the smallest players in the chain typically representing the weakest link. Verizon’s Data Breach Investigation Report found that 92 per cent of attacks were against small and medium-sized businesses, targeted because “they are more vulnerable, represent a single point of failure or have disproportionate access to important information within a supply chain”.
For the motivated and astute cybercriminal, supply chains are a rich hunting ground for valuable intellectual property
For the motivated and astute cybercriminal, supply chains are a rich hunting ground for valuable intellectual property. “These data are the crown jewels of any manufacturer, distributors and logistics firms: designs, processes, plans and techniques, contain the necessary insights for a competitive advantage in global supply chain,” says Josh Mayfield, director at cybersecurity supplier FireMon.
As well as providing rich pickings in their own right, third-party suppliers provide an easy route to a bigger target, as the SANS Institute’s Combating Cyber Risks in the Supply Chain points out: “Third-party suppliers may have fewer security controls in place than host organisations, making them easier targets of an initial attack. Once breached, attackers can leverage access as an ingress point into their ultimate target.”
Despite the inherent dangers, modern businesses are busily constructing ever-wider and deeper supply chains. Winners in the digital economy bring products to market faster, scale on a sixpence and innovate constantly. Meeting this need are supplier ecosystems cobbled together out of drop boxes, cloud-based applications, industry platforms, as well as email. But these expansive ecosystems are also creating a giant security headache.
Daisy-chaining third and fourth-party suppliers introduces multiple intersections and weak points, and makes practices and procedures along the chain opaque. Mergers and acquisitions present known risk, but ad hoc purchases by employees, or shadow IT, make risk invisible. “Anyone in the business can purchase a cloud service on a credit card and circumvent risk management procedures,” says Andrew Barratt, managing director of cyber-advisory Coalfire.
Compounding supply chain vulnerability is the misplaced belief that tech providers and their products and digital services are infallible. Defence contractor Lockheed Martin was undone by this assumption when hackers gained access to the company’s network via SecurID devices, supplied by security specialist RSA. Once compromised, the third-party devices gave hackers access to sensitive corporate and government data.
Rik Ferguson, vice president of security research at Trend Micro, names four avenues used to attack the supply chain: the code, the people, the implementation – how digital services or product are installed or configured – and the hardware. The latter, he says, is perhaps the biggest vulnerability as it is commonly unprotected. A light bulb or camera, for example, can be easily hacked once it becomes a data sensor on a network.
A big uptick in projections for the internet of things (IoT) will only add further vulnerability to supply chains and Gartner forecasts 21 billion devices will be connected to the internet by 2020. “Vendors of IoT devices do not worry about security; it’s an afterthought. They focus on being first to market,” says Mr Ferguson, who points out that it is hard to retrofit security on to an unmonitored black box.
Visibility is a first, crucial defence of the supply chain and “what you see is what you check” is a guiding principle of cybersecurity specialists. Cyber-risk management adviser Coalfire recommends a thorough audit of the entire supply chain and, for high-risk clients, periodic spot checks. These also bolster strategic relationships, and foster good security behaviour and mutual vigilance, says Coalfire’s Mr Barratt.
Ensuring a cohesive approach and extending good housekeeping across the entire supply chain can create a useful business version of neighbourhood watch. But contractual protection and compliance with current and incoming legislation are also playing bigger roles in shoring up leaky supply ecosystems. Stephen Ridley, lead underwriter at Hiscox, warns that using a tech provider doesn’t absolve the business-user of responsibility.
He cites a tech client that was the supplier of a booking system, which sent out email confirmations. It was discovered that an error in coding led to confirmations being made publicly available on the internet. While this incident didn’t lead to an operational catastrophe, the mere fact of a data breach did lead to a sizeable claim, reports Mr Ridley, who reiterates: “You can outsource the processing of data, but not the responsibility.”
Putting contractual protections in place, including professional indemnity to cover human errors and omissions, mitigates this ever-present risk. Increasingly though, says Mr Ridley, blue chips are making it mandatory for supply chains to carry specific cyber-insurance policies. “This doesn’t just cover the legal costs of a law suit; it also funds the IT and legal experts who have to immediately step in and manage the situation,” he says.
Such insurance becomes even more relevant when the European Union’s General Data Protection Regulation (GDPR) kicks in next May. A 72-hour notification clause makes it obligatory for all organisations, not just telcos, to report breaches. GDPR also encourages a cyber-mindset by mandating implementation of appropriate technology and organisational measures, and hiking up fines for breaches.
Together, these measures help mitigate real-time, evolving risk in the supply chain, says Emma Wright, partner at technology law firm Kemp Little. “Data protection is not a tick-box exercise; efforts must reach the top levels of a company with a continuous flow of information between people on the ground and the boardroom. Data protection must be engrained in corporate culture and is not complied with once then filed away,” she warns.
As legislative machinery endeavours to protect real-time, always-on 21st-century supply chains, digital innovation creates new ways to access competitive advantage. Cloud-based industry platforms will increase five-fold, says Greg Day, chief security officer for Paolo Alto Networks. Mr Day warns that responsibility for data and applications rests with users. “Conversations tend to focus on investment and returns; security is usually not front of mind,” he says.
But there is also good news about keeping complex and rapidly expanding supply chains safe as much can be achieved using simple principles and common sense. As Dr Guy Bunker, senior vice president at information security firm Clearswift, concludes: “The key problem is organisations assume that their suppliers will be as good at security as themselves. You need to ask questions and check.”
CASE STUDY: DEBENHAMS
High street retailer Debenhams was breached during an attack in May, which targeted Ecomnova, a third-party e-commerce supplier. The breach of Debenham’s online flower shop resulted in 26,000 customers’ data being compromised.
Debenhams reported the breach to the Information Commissioner’s Office and suspended the other websites that Ecomnova was running for the store. Debenhams said it contacted customers whose data was accessed, and customers of Debenhams.com, a separate website, were not affected.
Ecomnova makes no reference on its website to Cyber Essentials, a UK government-backed accreditation scheme to help businesses guard against cyberattack, and chief technology officer Anthony Newman did not confirm whether it complies. He said: “We have invested in PCI-DSS compliance for a number of years. In addition, we have committed to ISO 27001 certification by Q1 2018.”
Many regard Cyber Essentials as an annual cybersecurity MOT and a safeguard for the bigger supply chain. Emma Wright, partner with technology law firm Kemp Little, comments: “It’s another example of what can happen when clients don’t apply high information security standards to wherever personal data is flowing, including its sub-contractors. Obviously in some cases, regardless of high standards followed, there can be a cybersecurity attack, but due diligence across the supply chain does mitigate risk.”
Legal lessons learnt from the Debenhams breach, adds Ms Wright, are that expectations should be raised about best practice, including the separation of different kinds of data assets. “Growing digital convergence means different types of data are transmitted together or shared on a platform. But gaining access through a side door should not enable access to the entire kingdom,” she says.