Cyber security. We all know it’s important – both personally and professionally. It protects us from crime and, when it comes to business, keeps us in line with legislation and regulation such as the Data Protection Act, GDPR, the NIS Directive, FCA, PRA, … the list goes on. Most importantly it keeps us in business. There are few things that can harm a company quite as quickly as a cyber breach. The reputational damage of an information leak or breach, or even worse a ransomware attack, can be catastrophic.
While you might be confident in your company’s immediate cyber security – that is no longer enough. We all rely on extended supply chains in order to deliver our services and products, but if these suppliers are attacked and it impacts your business, all the media and public sees is your business in the firing line. In short, your reputation is only as secure as the weakest link in your cyber security supply chain.
This hasn’t always been the case. If we go back to the early 2000s, a compromised system only negatively affected some. However, the scale can be huge these days. An entire section of global commerce can be shut down or compromised by a targeted attack.
What are your essential services?
When I covered the Computer Misuse Act in my previous article, I brushed over the Serious Crime Act 2015 which introduced a new offence in section 3ZA of the 1990 Act to address the most serious cyber-attacks. This was an acknowledgement that attacks on essential systems controlling power supply, communications, food or fuel distribution could have a significant impact. This could be loss of life, serious illness or injury, severe social disruption or serious damage to the economy.
There has long been a focus on protecting Critical National Infrastructure in the UK and many companies in the Transport, Energy, Communications and Finance sectors have gone some way to shoring up their defences. However, it was appreciated that just protecting this narrow band of companies would not be enough to defend the wider economy and that the group needed to be expanded by at least 10-fold. This happened with the introduction of the NIS Directive in the UK in May 2019 and the designation of approximately 500 “Operators of Essential Services”.
But I don’t think this went far enough. What about the essential services of food distribution and all the supermarkets and corner shops that we now realise (if we didn’t already) we rely on so heavily?
And then of course, there are all those companies to whom we have outsourced the running of our IT infrastructure and monitoring of our Cyber Security. Not to forget all the other Managed Service Providers to whom we have outsourced HR, Payroll, Building Management and a myriad of other functions. I would argue that all of these companies should fall under the remit of the NIS Directive because they provide an essential service and are fundamental to the operation of those 500 or so “Operators of Essential Services”.
Clouded judgement
Many of these outsourced services are run from the cloud and for many that is a red flag on its own. However, using a public cloud service and Software as a Service (SaaS) can give you advantages over trying to do everything in house. Because a common service is provided to many customers, and provided the cloud provider has made the right security investments, these advantages can include:
- All customers having the same good underlying configuration based upon the knowledge and experience of the service provider’s security experts, who should have specialised knowledge in that particular technology (rather than each customer spending resource to work it out for themselves).
- Security patches being applied quickly and reliably by the service provider. They can test the software once and then roll it out for all of their customers at the same time. Legacy services run in house can take weeks, months or even years to patch (if they are patched at all).
- Protective monitoring covering an entire cloud service will be fine-tuned for that service and is better placed to spot anomalies across all of that supplier’s customers.
- Customers’ in house security teams being able to concentrate on a greatly reduced number of focused alerts provided by the cloud provider rather than having to investigate everything themselves. It is more cost effective to spend your local security effort on problems unique to your organisation.
How to outsource safely
Although there are many advantages in using these outsourced services, you do need to make sure that you have the right contract in place and, particularly for Managed Service Providers (MSPs), the right terms and conditions. When I worked at the National Cyber Security Centre (NCSC), one of the largest breaches we had to deal with was a targeted attack on MSPs. You can read more about it on the NCSC website.
You might expect your MSP to have high standards of security, but do not take this for granted. You should make sure that you carry out independent monitoring and audit of your MSP. This is critical for security monitoring and management, but also for contractual enforcement and investigation of incidents. Without it, you will not be able to manage your risk effectively.
Another key term for your contract is a notification clause. Without it, MSPs and other suppliers may argue that they don’t have to notify you when they have been breached, even when it may impact your data. Slightly more technical, but just as important, your MSP’s corporate network should be separated from the infrastructure used to provide services to your company. This lack of separation was a key factor in the APT10 threat actor gaining access to so many client organisations around the world.
The weakest link
All of the above applies to larger organisations we outsource to, but what about the rest of the cyber supply chain? Once you have looked at your own vulnerabilities and locked down the easiest ways into your systems, how should you go about ensuring your extended supply chain is secure enough?
Firstly, you need to identify all your suppliers, not just those you identified for your GDPR audit. This is a basic step, but not necessarily an easy thing to do. It is likely that records will be held in multiple places such as IT, Legal, Procurement, Compliance, Operations etc. Suppliers handling or processing data under GDPR are part of the picture, but there are likely to be many other companies you rely on that do not fall under GDPR.
The second step is to risk rate your suppliers. This involves putting suppliers into groups based upon the cyber security risk they present to your business. I would recommend having just three groups to start with: high, medium and low. The most important group will be the high risk and the size of this group will probably have to be determined by the amount of resource you have to deal with them effectively. So, this group may be a handful in size, up to perhaps the tens, but unlikely to be the hundreds. These high-risk companies are likely to be the ones who have direct access into your network for whatever reason. Perhaps to control the building management system (HVAC – heating, ventilation, and air conditioning), or update the rules on a firewall or access your HR system to create the payroll.
The third stage is to make sure that there are suitable cyber security clauses in contracts. As stated above, you should be notified of breaches and have a right to audit (although separate arrangements will need to be made for the largest suppliers). You should also have access to data stored, inputted or otherwise collected.
In stage four you will need to consider the use of questionnaires. These are already used extensively by purchasing teams to cover off areas such as Anti-Money Laundering and Modern Slavery, but there are plenty of examples of Cyber Security Supplier Assurance Questionnaires. Probably too many! And some with too many questions. If you are going over 160 questions, you have too many. Think carefully about what you want to achieve. Is it just a compliance tick box effort or do you really want your supplier to improve their (and therefore your) cyber security? It should be the latter, so think about questions that indicate practical steps that have been taken. Whether they have ISO 27001 will tell you that they have good documentation but not whether they have good cyber security.
As a basic requirement and indicator of good cyber security, you could require Cyber Essentials.
Security vulnerability scanning and rating services can be used to supplement traditional cyber-security assessments. The scanning is continuous, so you can be alerted to when a new critical vulnerability has been identified in any of your monitored suppliers.
Of course, there is still a place for onsite visits, audits and penetration tests. These are the deepest dive assessments but are only a snapshot in time. Use these for yourselves and for your highest risk, most critical supplier or suppliers. The number you can review will depend upon your budget and personnel resources and will typically be a handful, but they do give the best assurance.
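The first three stages above (consolidate supplier records held in several places, put each supplier into a high, medium or low group, and check the contract carries a breach notification clause and a right to audit) can be worked through as a small script. The example below is added here to illustrate the process and is not code from the author or from Schillings; the three registers, their field names and the supplier names are constructed for the illustration, and the tiering rule (network access is high, handling your data is medium, everything else low) follows the article's description of the high-risk group.

```python
"""Consolidate supplier registers, risk-tier each supplier, and flag contract gaps.

Constructed example: field names, supplier names and the registers themselves
are assumptions made for this illustration, not any organisation's real data.
"""
from collections import defaultdict

# Three internal registers that hold overlapping supplier records. Supplier
# names are deliberately inconsistent (case, spacing) to show why step one
# needs a normalisation pass before records can be merged.
IT_REGISTER = [
    {"supplier": "Acme HVAC Ltd", "network_access": True, "purpose": "building management system"},
    {"supplier": "NetGuard MSP", "network_access": True, "purpose": "firewall rule management"},
    {"supplier": "Cloud Docs SaaS", "network_access": False, "purpose": "document storage"},
]
LEGAL_REGISTER = [
    {"supplier": "ACME HVAC LTD", "notification_clause": False, "right_to_audit": False},
    {"supplier": "NetGuard  MSP", "notification_clause": True, "right_to_audit": True},
    {"supplier": "PayrollCo", "notification_clause": True, "right_to_audit": False},
]
PROCUREMENT_REGISTER = [
    {"supplier": "payrollco", "personal_data": True, "gdpr_processor": True},
    {"supplier": "Cloud Docs SaaS", "personal_data": True, "gdpr_processor": True},
    {"supplier": "Office Stationery Co", "personal_data": False, "gdpr_processor": False},
]


def normalise(name):
    """Collapse case and internal whitespace so one supplier merges across registers."""
    return " ".join(name.lower().split())


def consolidate(*registers):
    """Step one: merge every register into a single inventory keyed by normalised name."""
    inventory = defaultdict(dict)
    for register in registers:
        for record in register:
            key = normalise(record["supplier"])
            # Keep the first spelling seen as the display name.
            inventory[key].setdefault("display_name", record["supplier"])
            for field, value in record.items():
                if field != "supplier":
                    inventory[key][field] = value
    return dict(inventory)


def risk_tier(attrs):
    """Step two: high = direct access into our network, medium = handles our data, low = neither."""
    if attrs.get("network_access"):
        return "high"
    if attrs.get("personal_data") or attrs.get("gdpr_processor"):
        return "medium"
    return "low"


def contract_gaps(attrs, tier):
    """Step three: clauses the contract should carry. A clause we have no record of
    counts as missing, so a supplier absent from the legal register is flagged too."""
    if tier == "low":
        return []
    gaps = []
    if not attrs.get("notification_clause"):
        gaps.append("breach notification clause missing")
    if not attrs.get("right_to_audit"):
        gaps.append("right to audit missing")
    return gaps


def questionnaire_size_ok(question_count, limit=160):
    """Step four sanity check: the article's rule of thumb for questionnaire length."""
    return question_count <= limit


def assess(*registers):
    """Run steps one to three and return one row per supplier."""
    report = {}
    for key, attrs in consolidate(*registers).items():
        tier = risk_tier(attrs)
        report[key] = {"name": attrs["display_name"], "tier": tier, "gaps": contract_gaps(attrs, tier)}
    return report


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    rows = assess(IT_REGISTER, LEGAL_REGISTER, PROCUREMENT_REGISTER).values()
    for row in sorted(rows, key=lambda r: (order[r["tier"]], r["name"])):
        gaps = "; ".join(row["gaps"]) or "no contract gaps"
        print(f"{row['tier']:<6} {row['name']:<22} {gaps}")
```

Running it prints the two network-connected suppliers as high risk, the two data processors as medium, and the stationery supplier as low, with the HVAC contractor and the SaaS provider (which has no entry in the legal register at all) flagged for both missing clauses. The point of the merge step is visible in the output: the three spellings of Acme's name collapse into one row, which is what makes the contract gap attributable to a supplier that IT regards as having network access.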
In short, if you want to ensure your own cyber security, you need to explore and test the entire cyber ecosystem you work in. It may not be simple – but you can’t put a price on reputation.
Peter Yapp, Cyber Partner at Schillings. Peter started his career in investigation and has been involved in computer forensics for nearly three decades. He was a deputy director at the UK’s National Cyber Security Centre and now provides pre and post cyber security incident advice to a range of individuals, companies, boards and operators of essential services.