The Covid-19 pandemic has had a dramatic impact on businesses and their supply chains.
Organisations have had to take important decisions to keep themselves alive, not only in terms of sales revenue and production but also by making it possible for employees to work remotely where their role allows. Some companies were already set up for this from a technology standpoint, but for many it was a real headache and a rush job, working around whatever technology they could get or already had.
Some organisations will be tempted to leave things as they are and not revisit the technology changes they made in a hurry, to harden them and check that they meet the required security standards. Given that criminals and even nation states are known to attack parts of an organisation’s supply chain to reach its industrial secrets and confidential data, this is a serious cyber security risk.
That may sound like an IT issue – rather than a supplier assurance or procurement one – but the problem is not that cut and dried, and it highlights why good supplier assurance processes are so important.
Traditionally, supplier assurance and procurement teams stay well away from the deeply technical and mysterious world of cyber security. Where supplier due diligence requires a cyber security assessment, it’s happily handed over to specialists – whether internal or external. Any reports, risk acceptance or remediation activities are left with the cyber specialists while supplier assurance focuses on the core of financial risk, insurance cover, standards, supply continuity and so on.
Cyber security specialists, for their part, typically treat these assessments as short-term, point-in-time exercises, often squeezed in on top of their day job of protecting the organisation’s IT assets and systems. It is also common for technical specialists to be asked to assess standards, cyber controls and governance, an area in which they may have little or no experience. They will do the work as well as they can, but will not always see it as strategically important.
Organisations need a different approach in order to protect themselves from attacks via their suppliers, vendors and other third parties – one that combines the supplier assurance and procurement team’s approach based on good practice, controls, evidence of governance and commitments to improvement, with the deeper technical understanding of the cyber security specialists. Supplier assurance and procurement teams have a far greater role to play in this than they may imagine.
Best of both worlds approach
First of all, it’s important that both the supplier assurance and cyber security teams have an improved understanding about each other’s domains, objectives and responsibilities. A starting point is for them to jointly develop supplier impact criteria that systematically assess how much inherent risk every supplier or third party may have in cyber security terms.
For example, do they have or process any personal data? Or confidential data? Do they access systems or networks? Do they use your APIs (the machine-to-machine gateways between systems)?
Do their staff have access to authentication information of any kind, including passwords and system default passwords, or can they change it? This is often the case for software-as-a-service providers, for example.
Based on these common-sense criteria, a cyber impact level can be determined, which should then drive the supplier cyber assurance approach.
The approach for each level of impact should be agreed jointly and fully standardised. For example, a supplier with a very high cyber impact should be expected to demonstrate a high level of internal control by holding, or working towards, a recognised standard such as ISO 27001, IASME Governance or a NIST framework. That puts the burden on the supplier to show a serious level of control, rather than on a hard-pressed cyber security team to spend hundreds of hours on audit work. It also has the benefit that a non-specialist can easily determine whether the standard is held or not.
Where a technical assessment is needed, such as commissioning a penetration test or, at a minimum, obtaining a recent penetration test report from a credible third party, the supplier assurance team can be responsible for making sure it happens, handing the technical work to the cyber team or external testers where needed. The management-of-risk role itself cannot be handed over, however tempting that is when the conversation becomes incomprehensibly technical.
The approach at each level should also set out the ongoing compliance required to maintain good risk management. Again, the supplier assurance team can timetable these periodic reviews and focus on the governance of cyber security, which is no different in principle from scheduling financial audits.
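As an added illustration of the tiering described above (this is example code written for this page, not a tool from the author or from Crossword Cybersecurity), the script below turns the impact criteria into a cyber impact level and derives the standardised assurance approach for that level. The five criteria are the ones listed in the article; the weights, thresholds, evidence lists, review intervals and the sample supplier profiles are assumptions chosen for the example and would be agreed jointly by the supplier assurance and cyber teams in practice.

```python
"""Supplier cyber impact tiering: criteria -> impact level -> assurance plan.

Criteria follow the article; weights, thresholds, evidence items and review
intervals below are assumptions for this example only.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Impact(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"
    VERY_HIGH = "very high"


@dataclass
class SupplierProfile:
    name: str
    processes_personal_data: bool = False
    processes_confidential_data: bool = False
    accesses_systems_or_networks: bool = False
    uses_our_apis: bool = False
    holds_or_changes_credentials: bool = False  # incl. system default passwords


# Assumed weights: credential and network access count most, because they give
# a compromised supplier a direct route into our systems.
WEIGHTS = {
    "processes_personal_data": 2,
    "processes_confidential_data": 2,
    "accesses_systems_or_networks": 3,
    "uses_our_apis": 2,
    "holds_or_changes_credentials": 4,
}


def impact_score(supplier: SupplierProfile) -> int:
    """Sum the weights of every criterion that applies (max 13)."""
    return sum(w for field, w in WEIGHTS.items() if getattr(supplier, field))


def impact_level(score: int) -> Impact:
    """Map a score to a level using assumed thresholds."""
    if score >= 9:
        return Impact.VERY_HIGH
    if score >= 5:
        return Impact.HIGH
    if score >= 2:
        return Impact.MEDIUM
    return Impact.LOW


@dataclass
class AssurancePlan:
    level: Impact
    evidence_required: List[str]
    technical_test: Optional[str]   # None where no test is needed
    review_interval_months: int     # assumed cadence for ongoing reviews


# Standardised approach per level. The standards named for the top tier come
# from the article; the rest of the table is an assumption.
STANDARDS = "ISO 27001, IASME Governance or a NIST framework (held or in progress)"
PEN_TEST = "penetration test, or a recent report from a credible third party"


def assurance_plan(supplier: SupplierProfile) -> AssurancePlan:
    level = impact_level(impact_score(supplier))
    if level is Impact.VERY_HIGH:
        return AssurancePlan(level, [STANDARDS, "evidence of internal controls and governance"], PEN_TEST, 6)
    if level is Impact.HIGH:
        return AssurancePlan(level, [STANDARDS, "security questionnaire with supporting evidence"], PEN_TEST, 12)
    if level is Impact.MEDIUM:
        return AssurancePlan(level, ["security questionnaire", "data protection commitments"], None, 12)
    return AssurancePlan(level, ["contractual security clauses"], None, 24)


# Constructed sample suppliers, not real organisations.
SAMPLE_SUPPLIERS = [
    SupplierProfile("HR SaaS platform", True, True, True, True, True),
    SupplierProfile("Marketing agency", processes_personal_data=True),
    SupplierProfile("Integration partner", accesses_systems_or_networks=True, uses_our_apis=True),
    SupplierProfile("Stationery supplier"),
]


def scorecard(suppliers: List[SupplierProfile]) -> List[dict]:
    """One row per supplier, the cyber column of a shared supplier scorecard."""
    rows = []
    for s in suppliers:
        plan = assurance_plan(s)
        rows.append({"supplier": s.name, "score": impact_score(s),
                     "level": plan.level.value, "test": plan.technical_test is not None,
                     "review_months": plan.review_interval_months})
    return rows


if __name__ == "__main__":
    for row in scorecard(SAMPLE_SUPPLIERS):
        print(row)
```

Because the level, evidence and review cadence are derived mechanically from the criteria, a supplier assurance analyst can assign the tier without cyber expertise, and the cyber team's effort is reserved for the penetration testing and evidence review at the top tiers.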
Shared supplier risk information
What really helps is for the different teams involved in supplier risk to use a shared information system to record and visualise supplier risks. We have seen users create impressive supplier scorecards that show a combined view of financial, cyber, GDPR, modern slavery and other risks on one simple chart per supplier. This gives everyone a shared understanding of the total risk from each supplier and helps both the cyber specialists and the supplier assurance team see how their worlds fit together. In any situation, not just the changing IT landscape outlined at the start of this article, it makes supplier risk management an ongoing, well-managed process with the visibility needed to mitigate risks quickly.
Stuart Jubb is the head of consulting at Crossword Cybersecurity PLC.