When CISOs from lead organisations gathered at Infosecurity Europe earlier this month, the talk was firmly fixed on securing supply chains following the NHS blood test breach.

Synnovis, which manages tests for London based NHS trusts and services, became the victim of a cyber attack carried out by the Russian group Qilin on 3 June – the day before InfoSec Europe’s annual conference kicked off.

Compromised suppliers have been the source of many data breaches at organisations over the last couple of years, leading to financial and reputational damage.

So, it’s no surprise that a key discussion across many conference sessions at Infosec this year was how CISOs and CIOs can best achieve a secure supply chain.

According to Tom Mullen, senior operational security director at Motorola, gaining buy-in for supply chain security investment from the board is the first port-of-call. He adds that this includes ensuring the messaging is conveyed in terms that the business understands.

“I’m competing against people who want money to drive up revenue,” he says, “so if I’m bidding for additional money, I need to get the board to understand how it will impact the business.”

“They need to know that we’re going to tighten our controls so that we understand the supply chain risks and that we secure them correctly. They need to know that they are not wasting money and that we’re doing it in the right way,” he adds.

This might involve drawing on recent security incidents such as the one which happened at London’s hospitals, to illustrate the risk and to show what could happen if the right measures aren’t taken or invested in.

Another important step is to categorise suppliers in terms of risk – which, for large organisations and enterprises, is no mean feat.

Take the National Trust for instance, which has around 24,000 suppliers – ranging from individual fencers to large IT suppliers. The British heritage organisation’s CIO Jon Townsend explains how suppliers to the organisation are categorised into tiers, according to business criticality.

He explains: “It doesn’t matter about the business functions they are providing, what you need to understand is the business criticality of what they do. What service are we trying to acquire? What are the security concerns and how big are they?

“I’m sure that there are many conversations going on around London hospitals today reflecting on this point. We will look at things like whether they handle personal data. What’s the sensitivity of the data they hold? Are they a public-facing service? … Once you start categorising them, they tend to come together. Ranking them into tiers and then thinking about how you can do a more in-depth analysis and risk assessment on those key suppliers to the organisation is key,” he adds.

Show me the money!

For large multinationals such as Motorola, Mullen advises that firms look at where money is being spent internally, across different departments, and at what it is being spent on. This, he adds, often involves liaising with the finance, legal and procurement departments within the business.

“This information needs to be captured in a central point,” he adds. “For instance, does someone in finance check that what has been bought goes via security? If a manager can spend below £40K without going through a procurement process, what happens if he goes out and buys two servers and plugs them into the network? It’s small things like that.”

He adds that you also need to look at physical contractors who come into close contact with systems, such as cleaners. “There’s so much to do, so many layers, so doing a risk assessment at the start is critical and you need to capture everything.

“And you need to make sure that procurement is engaged, legal is engaged so that you make your contracts tight and stipulate where work can and can’t be outsourced.”

Mullen also recommends that firms do their due diligence before choosing suppliers: “Have they had any data breaches in the last couple of years? You have financial due diligence; how about security due diligence? You need to look at both.”

CISOs speaking at Infosecurity Europe panel

Most CISOs agree that it’s one thing stipulating something in a contract and another managing it and auditing it regularly. In terms of managing external suppliers, Mullen says that Motorola sends out a security schedule audit to ensure that “everything they say they do, they do.”

He adds: “If a contract changes mid-year, does your procurement team run it back through again? Or if someone in IT negotiates or renegotiates a contract with BT or Cisco, has that gone through security?

“You really must work closely and have regular meetings with your procurement team, your finance team and ensure they are working together because if someone works differently, then you’ll miss something,” says Mullen.

Mahbubul Islam, a public sector CISO with 20 years’ experience, and Regina Bluman, a cyber security advisor at legal firm Pinsent Masons, both advise that it’s worth including penalties in contracts for suppliers who do not fulfil their contractual obligations.

“Rarely do you go down that route,” Islam says, “but if you do, and litigation comes in, then having assurance activities nailed is very important – although it’s best to sort it out before it gets to that point.”

Bluman adds that, from a law firm perspective, she often gets pushback from clients saying they don’t want to include penalties in contracts because they don’t want situations to reach that point.

“But it’s about having it in there so that if it does, then you protect yourself early,” she claims.

Pushback

In terms of pushback, larger firms can always use their buying power to ensure that contractors stick to their obligations.

Says Townsend: “You do get the odd occasion where suppliers are trying to cut costs and they are happy to take a risk from their own business perspective, but that might be impacting you through a supply chain risk.

“If you get the hard facts through an audit that says something doesn’t meet the required standard you’ve got a choice: ultimately you can choose a different supplier. We’ve had to end contracts with organisations because they were not meeting the required standards.”

Mullen adds that there are grey areas, and a degree of flexibility is often needed.

“No one can guarantee 100% security, we all know that. You must be reasonable when you look at a contract, if someone does come back with something and they say ‘we can’t guarantee against that risk, but we can mitigate it in this way…’ then you can agree to go forward.”

Bluman adds that in the UK a new Procurement Act, which will come into force this October, will require all contracts worth over £5m to include three supplier KPIs that will need to be declared publicly. “I’m waiting for someone to publish their security KPIs,” she adds.

Support for SMEs

The danger with making demands on contractors is that only the bigger suppliers can afford to meet a client’s requirements. How can nonprofits and innovative new start-ups ensure that they have all the controls needed to fulfil a contract without blowing their entire funding on security?

It’s a challenge that Cheryl Sims-Hancock, cybersecurity lead at the Alzheimer’s Society also addressed at the conference, as she believes that bigger charities and organisations have a duty to support smaller players.

“In the charity sector we try to support smaller operators, different charities and innovators who are trying to bring things to market. One of the challenges in these small, very dynamic orgs is there is no one – it might be a two- or three-person company, and they don’t have human resources.

“The challenge we have to address is what can we and the cyber industry do to help others ensure that third party risk is nailed down, so when we are talking to partners and potential suppliers, we can give them advice and provide them with a route.”

Mullen adds that the government is doing some work with SMEs and charities and helps with free resources – but enterprises should be helping too.

“We want to deal with promising start-ups, but maybe they haven’t got the security lined up, but maybe we can help them. Let’s help them grow secure. We need to do more of that,” he says.

SBOMs

Another important conversation many cyber security heads are having now is whether to demand a Software Bill of Materials (SBOM) from suppliers.

An SBOM is a complete, formally structured list of the components, libraries and modules required to build a piece of software. Think of it as a recipe for the software, including its licensing, but with data fields and source code rather than eggs and flour.

Some cyber sec experts claim that SBOMs are a crucial tool for tracking vulnerabilities in a system and detecting things like outdated and open-source software along the supply chain.
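As an added illustration of the vulnerability-tracking use just described (example code written for this article, not from the page or from any organisation quoted), the Python below reads a constructed SBOM in the real CycloneDX JSON format and checks each component against a constructed advisory list, flagging components below a fixed version and components under open-source licences. The component names, advisory ids and versions are all made up for the example.

```python
import json

# Constructed CycloneDX-style SBOM (real format, made-up components) for illustration.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libexample-parser", "version": "2.1.0",
     "purl": "pkg:generic/libexample-parser@2.1.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "acme-crypto", "version": "0.9.4",
     "purl": "pkg:generic/acme-crypto@0.9.4"},
    {"type": "library", "name": "vendor-sdk", "version": "5.0.1",
     "purl": "pkg:generic/vendor-sdk@5.0.1",
     "licenses": [{"license": {"name": "Proprietary"}}]}
  ]
}"""

# Constructed advisory feed: component name -> (placeholder advisory id, first fixed version).
# A component is flagged only when its version is strictly below the fixed version.
ADVISORIES = {
    "libexample-parser": ("ADV-CONSTRUCTED-1", "2.1.3"),
    "acme-crypto": ("ADV-CONSTRUCTED-2", "0.9.4"),
}

# SPDX identifiers treated as open-source for this example.
OPEN_SOURCE_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-3.0-only"}

def version_key(v):
    """Turn a dotted numeric version string into a comparable tuple."""
    return tuple(int(p) for p in v.split("."))

def assess_sbom(sbom_text):
    """Return (vulnerable, open_source) findings from a CycloneDX JSON SBOM."""
    sbom = json.loads(sbom_text)
    vulnerable, open_source = [], []
    for comp in sbom.get("components", []):
        name, version = comp["name"], comp["version"]
        adv = ADVISORIES.get(name)
        if adv and version_key(version) < version_key(adv[1]):
            vulnerable.append((name, version, adv[0], adv[1]))
        for lic in comp.get("licenses", []):
            ident = lic.get("license", {}).get("id")  # absent for named licences
            if ident in OPEN_SOURCE_LICENSES:
                open_source.append((name, ident))
    return vulnerable, open_source

if __name__ == "__main__":
    vuln, oss = assess_sbom(SBOM_JSON)
    for name, ver, adv_id, fixed in vuln:
        print(f"OUTDATED: {name} {ver} -> {adv_id}, fixed in {fixed}")
    for name, lic in oss:
        print(f"OPEN SOURCE: {name} ({lic})")
```

Note that acme-crypto sits exactly at its fixed version and is therefore not flagged, which is the comparison a real advisory feed needs to get right.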

“This is something we’re looking at but we’re in the very early stages,” reveals Townsend.

“SBOMs are a fine balance – how far do you go in doing your supplier’s job for them in assessing their security? Maybe it’s better to simply identify a supplier you can trust and believe in so that when you do have a new concern over a vulnerability you can work together and rapidly engage with your supply chain,” he suggests.

According to Mullen, Motorola’s US colleagues are using SBOMs to combat supply chain vulnerabilities, but he agrees that there’s only so far you can go with your suppliers without doing their work for them.

“Also,” he adds, “that’s just looking at software. I’m also looking at hardware, I’m looking at physical contractors, I’m looking at all sorts – so if I’m making it more complex in more areas, then that’s going to involve more resources.”

Bluman adds that Pinsent Masons is having “more conversations with clients around SBOMs”.

She expands: “It’s early days but we’re starting to see more people add that to their supply chain intelligence. But it’s also about the maturity of a provider rather than the actual value of the list of components.”
