It is a reality of doing business in the digital economy that suppliers and third parties are an integral part of an organisation’s infrastructure. A fact that only increases the need for vigilance throughout the supply chain, says Ruth Anderson, KPMG in the UK's Director Cyber Security Team.
In today’s digital economy, the pressure for interconnectivity to allow for collaboration, trade and the smooth transition of goods and services is huge.
The very nature of today’s global supply chains demands that organisations share, to some degree, access to data, networks and systems with suppliers. That means, by necessity, suppliers and business at any point in a long and complex supply chain could have access to sensitive information from within your own organisation.
This is where greater cyber security is required. Criminals will always look for the weakest link in any supply chain, and if they find one, they will exploit it and potentially wreak havoc. Organisations need to know, now more than ever, exactly which suppliers have access to what.
A tough but necessary task
However, many companies aren’t fully aware of the scope and seriousness of the issue.
In 2015, the giant retailer Target was hacked via network credentials stolen from a third party supplier of air conditioning systems. Criminals had used login credentials from the air conditioning company, who had access to Target’s network, to install malware onto its payment system. This malware then stole the credit card details used at its 1700 US Stores, sending them via technology staging posts in the US onto computers held in Russia. It was a breach that saw the debit and credit card records of some 40 million customers stolen.
Developing cyber resilient supply chains is one of the toughest and most important jobs in the current business landscape mainly due to its requirement to technically monitor the data exchanges throughout the ever changing and complex chain of multiple suppliers and multiple tiers of suppliers. It can seem like a never-ending and unenviable task. But it has to be done, or the security of an organisation and the personal information of the public can be potentially compromised.
Allowing third parties to integrate can come with serious risks and is not a decision that can be taken lightly. It requires forensic attention to detail right down the line to make sure your suppliers have systems and networks that do not pose a threat before they are allowed to connect.
Setting the standard
Organisations can have minimum standards for third parties and clients to demonstrate before being allowed to connect. They can demand accreditation, recognised “assurance” and certification from suppliers. This philosophy has been adopted by the UK Ministry of Defence (MoD) and may act as a template for organisations in the commercial sector who are looking to secure their supply chain.
The MoD, which works with a plethora of private third party contracts, has stated that from 1st January 2016 any new contracts which require the transfer of identifiable information from customer to supplier, or the generation of information in support of a contract, will require the supplier to have Cyber Essentials accreditation. Cyber Essentials is the Government-backed and industry-supported scheme to guide businesses in protecting themselves against cyber threats.
The MoD doesn’t stop there as it calls for this certificate to be renewed annually and that this requirement is flowed down the entire supply chain.
By implementing such contractual obligations, the MoD can ensure key controls for cyber security are in place which will provide a level of assurance that companies within the supply chain regard cyber security as a key business requirement.
In such commercial situations, cyber certification can act as a positive differentiator.
Moving with the times
However, certification on its own is not enough. The ever-changing technology landscape forces businesses to recognise that cyber security within a supply chain is a continuous task. What may be considered secure one day may be insecure the next. Without the right level of vigilance, vulnerabilities and the opportunities to exploit them will spread through the dark web and into the hands of cyber criminals rapidly.
Therefore, most organisations will want a high degree of ongoing assurance around the security controls that their supply chain partners have in place.
The key questions are:
Addressing the cloud
The development of cloud based services has also thrown up some interesting alternatives for cyber security. But organisations still have to think seriously about the nature of the data or the service they are uploading.
It could be that security controls are designed upfront by the provider. But it all amounts to the same thing – assess the risks and put controls in place.
Balancing risk and value creation
In all of this, it could be argued that the real challenge is building a cyber-resilient supply chain without hurting business development or hampering value creation. This can be done as many of the security assessments and controls have been designed to not impede business, but to allow it to continue with confidence.
This process can seem never-ending given the length of some supply chains, but there are very few serious alternatives to rigorous assessment of the risks.
It’s also not enough just to look at immediate third parties, but to consider the entire supply chain as many suppliers often outsource services to fourth parties and beyond.
Any party that is connected down the line needs to be assessed. If they cannot meet the levels of information assurance, cyber security, data protection or legal governance that is required then they may require replacement.
Remember. Your supply chain is only as strong as your weakest link.
Download the PDF to view our infographic.
KPMG has launched a state of the art digital platform that enhances your experience and provides improved access to our content and our people, whatever device you are on.