Why we need to re-think our approach to cyber risk in the supply chain and how to do it — Robert Hannigan

Governments and regulators are worrying about third party cyber risk. They clearly regard the current approach as inadequate. Large organisations are also worried — but the scale of the task for overstretched teams is daunting. They are struggling to keep up with the threat for three key reasons.

1. Prioritisation. The scale of the supply chain ecosystem for most companies is so large that they have no choice but to prioritise, trying to identify those suppliers that are ‘critical’. But traditional priority categories don’t necessarily work for cyber because they may not be where the risk comes from. The top tier of business critical suppliers will probably include household names, major cloud service or software providers who spend a lot on their security and are very good at it; but it may ignore the long tail of the supply chain where the threat may actually come from. These are likely to be smaller companies with very limited security capabilities and awareness.

When NotPetya famously spread through European manufacturing and other sectors four years ago, it was delivered through a Ukrainian accountancy software package update. How many had even heard of the supplier involved, still less regarded it as critical? But subsequent investigations showed that, while there was great sophistication in the ransomware itself, the initial attack was delivered through vulnerabilities in the company’s servers which had not been patched for several years. This supply chain attack was not quite as ‘unforeseeable’ as it appeared, for anyone looking in the right place. But that is easier said than done.

It is also worth keeping in mind that a supplier’s IT hygiene and cybersecurity readiness may be important even if it has no access to networks or sensitive data. If a key manufacturing component supplier is disabled by a ransomware attack and unable to deliver,

the fact that it is not a technical cyber threat to the customer company’s networks is not much consolation. It may be a relief to the cybersecurity team, but not to the business as a whole.

2. Pace. Cyber risks are by nature dynamic, not simply because attackers are constantly developing and learning, probing for softer ways in, but because company networks and usage are rapidly changing — especially in a pandemic — and new vulnerabilities in major services are constantly being identified. A static view of the risk is therefore by definition going to be inadequate. A quick look at the volume of alerts and vulnerabilities published each week automatically suggests that real-time monitoring is the only logical option. Large, well-resourced companies will implement changes quickly, but what proportion of their supply chain will have the skills and resources to do so? Being able to answer this question quickly is itself critical for the customer and demands an awareness of their entire vendor ecosystem in real-time.

3. Purpose. Third party risk in the supply chain is the responsibility of lots of people in a large organisation, many of whom have the job of assessing that risk for compliance purposes. That is important, but it doesn’t necessarily fix any cyber problems in supply chain companies. Unless the critical problems can be fixed and the most urgent risks mitigated, cyber teams are left with an unenviable choice: live with an unacceptable level of technical threat or recommend the off-boarding of a supplier, which in practice may be near impossible.

Like most things in cybersecurity, our approach to third party risk has evolved and improved over the years. We have gone from spreadsheets to questionnaires and inspections, to security scores or ratings.

All of these are useful and build awareness, but the problems in tackling the three challenges above are obvious. Questionnaires ask a company to mark its own homework and small suppliers in particular will struggle to give meaningful responses. By nature questionnaires tend to focus on policy and intent rather than reality: for example, everyone has a patching policy, but has it actually been implemented? So an unverified questionnaire is of less value, except perhaps for pure compliance. On-site inspections and pen-testing are also useful but in practice they

can only be conducted for a small portion of the supply chain and even then they give a point-in-time snapshot.

Security scoring was a step forward: using external data was an attempt to build visibility by adding external data to questionnaires. But scoring is a series of snapshots and has two further downsides, beyond being insufficiently dynamic. First, it buries busy teams in data: if you have 10,000 vendors, 10,000 security rating reports are indigestible. In principle, more data is good in cyber security, but in practice it is only useful if it is expertly curated and triaged, with escalation of problems by exception. A system of monitoring that cannot eliminate false positives and negatives, and that fails to distinguish between vulnerabilities that really matter and those that are less urgent, simply drowns users in data.

More importantly, a score itself does not actually improve anything. At the extremes, it may help to avoid a complete cyber basket case, but things are rarely that clear cut. And the real objective must be to improve the security of the supply chain, not simply to apportion blame.

This brings us back to governments and regulators. A UK Government review of the workings of the NIS Directive earlier this year highlighted supply chain as an area for urgent further attention, in contrast to all the progress made in other areas. The US Department of Defense has recently introduced the CMMC certification for suppliers, reflecting some high-profile attacks delivered through third party suppliers. Financial regulators in several jurisdictions are discussing how to build third party monitoring into the cyber resilience requirements for their sector.

The answer has to be to build on the good work done to date, and move towards a third party cyber risk service approach, which can monitor the entirety of the supplier ecosystem in real-time, escalating the key problems and then intervening with the supply chain to get them fixed. This requires a high degree of expert curation of very large volumes of metadata, and advanced automation.

The alternative is that the supply chain continues to grow exponentially as a source of attack and compromise. A large scale survey conducted this summer across five countries showed that over 80% of the 1500 companies questioned had experienced attacks through third parties in the past year. The vast majority were struggling to know where to start and only a few percent were attempting real-time awareness.

Threats through the interconnected ecosystem are going to be with us for some years, accelerated by wider trends: the move to cloud, IOT adoption and increased remote working. We need an approach to third party cyber risk which improves overall visibility, does this intelligently and expertly, and then helps vendors to fix the key problems. Improvements in supply chain security will benefit everyone but in practice they will be driven by smart companies looking at their ecosystem in a new way.