Thinking about the topic of supply chain security for the average company, the first thing I’d say is that the word “chain” is something of a misnomer.
A chain has a top and a bottom, with individual links connecting them. But, any company has multiple suppliers (hundreds, or even thousands of different companies) and, in turn, multiple customers.
What does that give you? Not a chain, surely – maybe we should call it a web. We are all the centre of our own supply web and every other company we deal with is the centre of its own web, in turn.
One obvious consequence of this complexity is that tracing all of your suppliers, and their suppliers, all the way back to the 'source' is just not a meaningful concept. There is no 'source' or 'start' to this web. Everything is connected.
To make matters worse, your supply web is likely to be looped back on itself in places. How? Let’s think of some examples:
- An accountancy company has a cleaning company which uses its accounting software
- A SaaS (software as a service) company draws power from the electricity grid, which uses a finance package provided by the SaaS company
- A healthcare company uses a phone provider for its telephony, in turn the phone provider uses the healthcare company to provide healthcare for its staff
These are examples of single-step loops; in reality, there might be more companies involved in each loop, which would make them harder to identify.
This means, in practice, that your customers may also be your suppliers; if they are compromised, you may also be compromised. It’s not a one-way relationship any more.
You may be thinking at this point that if it’s that complex, maybe the best approach is to forget about everything and go and live in a hut in the woods. Putting that option to one side for the time being, though (remember you’d still need healthcare...), what’s the most pragmatic way to manage information security in this multiply connected world?
One option is the “You picked them, you are accountable for them” approach. Concentrate on your immediate suppliers, with whom you have a contractual relationship. Make them responsible for their own in-house security and their suppliers’ security (since they chose their suppliers), and so on. This works reliably where your suppliers are willing and able to manage their immediate supply partners in the same way, and so on. Where it tends to fall down is where the supplier in question cannot manage their own security, but believes that they can; or where they have picked a supplier who will literally say anything to get the business, but has terrible security.
To address this issue, you can instead ask that your supplier be independently assessed and meet a specified standard. But, what standard? Individual assessors can provide lovely, ever-changing lists of what they call 'best practice', which is a great way to give everyone a huge headache. Every time the assessor changes their criteria, you have to re-assess your suppliers; and your suppliers suffer too, because they face ever-changing goalposts. Imagine having a different set of questions every year; how can you track progress or improvement as a customer? And, as a supplier, how do you address sudden requirements changes which may cost serious money?
Not to mention the horrible and thankless task of filling out a different questionnaire in a different format for each customer, and not even being able to bring forward last year’s answers... at some point, might you not want to just answer "Yes, it’s all in place," so you can get out of the office before midnight?
I’d recommend an independent standard be used in conjunction with assessment to prevent this terrible scope creep and administrative nightmare. There are several out there: NIST, PCI DSS (for card data, but you can re-purpose it), Cyber Essentials Plus, and my particular favourite, ISO 27001 (largely because it’s about information security resilience and making security fit for purpose).
Another factor is the sanctions you levy on your suppliers (again, assuming you are dealing with direct suppliers where you have a contract with them). You can go from "We may not buy from you again" all the way up to "Unlimited liability". You can also specify how and when they will tell you about incidents; by default, they are not required to tell you anything if they’re breached, unless personal data was involved (in the UK).
If you are planning on engaging with your suppliers, do beware of what you ask them to do to protect you. For example: Company A has lots of sensitive data, so applies very stringent security measures. They cascade this to their suppliers without assessing what each supplier is doing for them; thus the company which waters the plants in the car park suddenly finds it has to install two-factor authentication on all its laptops. I’m not saying that two-factor is a bad thing, but was this proportionate?
Here’s a "batch" approach; note that you really need a classification scheme to make this work.
- Make a list of your key information assets
- Identify direct suppliers who are exposed to, or could compromise, these assets (not just suppliers who are expected to handle them)
- Group the suppliers by classification of asset and by how much damage they could do to it (i.e. asset exposure)
- Apply a consistent set of requirements to each group of suppliers, tailored to the level of risk associated with that group
- Review contracts at next renewal and negotiate in any terms you can
You can also match the amount of effort you put into assessing and managing a supplier’s compliance to the group they’re in. Treat it as a partnership, not a fight, and things are likely to go far more smoothly.
Lovely – but what about the big players, who have a “Here are our security measures, take it or leave it” approach? Well, I’d suggest you look at what they commit to provide regarding security in exactly the same way as you look at the other things you’d be getting from them.
If it doesn’t suit you, then don’t buy it.
In summary, supply chain security is a big and messy problem. The best approach is to use the means at your disposal to address risks with suppliers with whom you have direct relationships, and to pick your suppliers wisely in the first place.
Bridget Kenyon is the Global CISO @ Thales eSecurity. She will be sharing her knowledge further at Women in Tech Scotland in a session entitled 'Are They on Board? Creating the Right Relationship with Your Top-level Stakeholders' at 10:30 on 3rd September.