Martin Tyley, head of UK cyber at KPMG, discusses how CISOs should go about fixing vulnerabilities within supply chain security
Enterprises are under constant pressure to transform digitally. Inevitably, this transformation will be underpinned by a data-centric approach in which information is shared, almost continuously, throughout a multifaceted and connected ecosystem of partners and suppliers. Supply chains often end up including fourth, fifth, even sixth parties, through which data constantly flows. This makes the supply chain a particularly attractive target for cyber attackers: if they can find a way to infiltrate the security of just one partner in the ecosystem, they can also gain easy access to several organisations’ information.
Given the numerous high-profile supply chain cyber attacks seen in 2021, it’s clear threat actors are already taking advantage. Therefore, it will come as no surprise that in KPMG’s 2021 UK CEO Outlook Survey, 81% of leaders said that protecting their partner ecosystem and supply chain is just as important as building their own organisation’s cyber defences.
Moreover, as enterprises continue to prioritise digital transformation, the sharing of data will only become more ingrained and complex. Although regulatory standards and jointly agreed-upon security frameworks can help reduce the impact of third-party cyber threats, there are situations where these complex ecosystem structures may not have clear ground rules for establishing adequate controls to protect data, leaving the whole network vulnerable to cyber attacks.
Furthermore, existing vetting processes for suppliers are inconsistently applied, sometimes absent, but frequently manual and cumbersome. Often our current approaches are no longer fit for purpose. In the absence of any consistent mechanisms for demonstrating ‘cyber strength’, assumptions are often made that “if company A is already using supplier B, they must be okay”. In today’s ever-evolving digital environment, assuming a static risk position is unrealistic at best.
As a result, many businesses, third-party vendors, and even regulators are under increasing pressure to provide continuous assurance over the security of their ecosystems. This is only going to become more challenging as the complexity of the supplier ecosystem increases, and fourth parties, shadow IT, and a lack of SaaS provider oversight demand more and more attention.
So, how can CISOs transition away from the compliance-based strategy to a more proactive approach that puts continuous monitoring, usage of AI and machine learning-based solutions, threat intelligence, and zero trust at the heart of their ecosystem security model?
Establish a strong risk management framework
Regulations around cyber security are only going to tighten. In Europe, the NIS Directive has drawn clear lines around how member states, industries and organisations should enhance their inward and outward cyber security policies. In response, enterprises must implement a strong risk management framework that looks both inward and outward. This is key especially for high-risk industries, such as energy, healthcare and financial services. It requires experienced professionals in risk management to have support and input from every level of the business (including the boardroom) to ensure it is fit for purpose.
Take a future-proof approach
All ecosystem partners should follow a clear path in protecting their own organisation, as well as the broad ecosystems within which they operate. They must understand that in most sectors there will be a commonality of suppliers and for many industries it is in the collective interest for those suppliers to be resilient – because if they fail, the whole industry fails.
Apply AI and machine learning to security policies
Automation, including the use of AI and machine learning across the ecosystem, should be a priority. When applied to security policies, it is possible to address shadow IT issues and offer improved oversight of third-party SaaS products, as well as to implement self-service chatbots and automate numerous parts of the organisation’s third-party risk management processes. There is too much data today to rely on manual processes; strong data management skills are therefore also required to interrogate the information captured and turn it into actionable intelligence.
Take advantage of continuous controls monitoring (CCM)
CCM moves security assessments away from point-in-time activities that rapidly become outdated to regular checkpoints over time – daily, weekly or monthly depending on what is being monitored. Critically, it can show changes when they occur and compares data and trends over time. In the context of the supply chain, CCM must be used by every vendor deemed ‘critical’ for it to work effectively. By switching to this model, organisations move from a compliance-based approach to a more operational focus that requires less human input and allows corrective measures to be taken in real time.
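To make the checkpoint idea concrete, here is an added example (not code from the article or from KPMG) of the core CCM comparison: dated snapshots of a critical supplier's control posture are diffed in order, declines beyond a threshold are flagged in the period they occur, and each control's direction over the whole series is reported. The supplier name, control names, scores and the 5-point threshold are all constructed assumptions.

```python
"""Added example (not from the article or KPMG): a minimal continuous
controls monitoring (CCM) loop that compares dated checkpoints of a
vendor's control posture, flags declines, and reports trends.
All vendor names, control names and scores below are constructed."""
from dataclasses import dataclass
from typing import Optional

# One checkpoint: control name -> measured coverage in percent (0-100).
Checkpoint = dict[str, float]


@dataclass
class Finding:
    vendor: str
    control: str
    kind: str               # "degraded" or "missing"
    previous: float
    current: Optional[float]


# Assumed threshold: a drop of more than this many points between two
# consecutive checkpoints is treated as a change worth acting on.
DEGRADATION_THRESHOLD = 5.0


def compare_checkpoints(vendor: str, previous: Checkpoint, current: Checkpoint,
                        threshold: float = DEGRADATION_THRESHOLD) -> list[Finding]:
    """Diff two consecutive checkpoints. A control that is no longer reported
    is flagged as 'missing', because loss of evidence is itself a signal."""
    findings: list[Finding] = []
    for control, prev_value in previous.items():
        if control not in current:
            findings.append(Finding(vendor, control, "missing", prev_value, None))
            continue
        if current[control] - prev_value < -threshold:
            findings.append(Finding(vendor, control, "degraded", prev_value, current[control]))
    return findings


def run_monitoring(vendor: str, checkpoints: dict[str, Checkpoint]) -> list[Finding]:
    """Walk the checkpoints in date order and diff each against the one before,
    so a change is surfaced in the period it occurred, not at the next annual review."""
    dates = sorted(checkpoints)
    findings: list[Finding] = []
    for earlier, later in zip(dates, dates[1:]):
        findings.extend(compare_checkpoints(vendor, checkpoints[earlier], checkpoints[later]))
    return findings


def trend(checkpoints: dict[str, Checkpoint], control: str, tolerance: float = 1.0) -> str:
    """Direction of one control across every checkpoint where it was reported,
    judged by first versus last value (tolerance is an assumed dead band)."""
    values = [checkpoints[d][control] for d in sorted(checkpoints) if control in checkpoints[d]]
    if len(values) < 2:
        return "unknown"
    change = values[-1] - values[0]
    if change > tolerance:
        return "improving"
    if change < -tolerance:
        return "declining"
    return "stable"


# Constructed monthly checkpoints for a hypothetical critical supplier.
# Note the patch-SLA control sliding each month and EDR coverage
# disappearing from the November report.
SAMPLE_CHECKPOINTS: dict[str, Checkpoint] = {
    "2021-09-01": {"mfa_coverage_pct": 92.0, "patch_sla_met_pct": 88.0, "endpoint_edr_pct": 97.0},
    "2021-10-01": {"mfa_coverage_pct": 93.0, "patch_sla_met_pct": 81.0, "endpoint_edr_pct": 97.5},
    "2021-11-01": {"mfa_coverage_pct": 94.0, "patch_sla_met_pct": 74.0},
}

if __name__ == "__main__":
    for f in run_monitoring("supplier-b", SAMPLE_CHECKPOINTS):
        print(f"{f.vendor}: {f.control} {f.kind} ({f.previous} -> {f.current})")
    for name in ("mfa_coverage_pct", "patch_sla_met_pct", "endpoint_edr_pct"):
        print(name, trend(SAMPLE_CHECKPOINTS, name))
```

Run against the constructed data, the monthly diff raises the patch-SLA decline twice (once per period in which it fell) and reports EDR coverage as missing in November, while the trend view shows MFA improving and the patch SLA declining. A point-in-time annual questionnaire would have shown none of this until the following year.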
Adopt a more active approach to building ecosystem security
Bigger, more resourceful organisations should try to take a capacity-building approach to supply chain security by applying security measures to protect their broader ecosystem, in addition to their own environment. Companies now understand that they cannot guarantee the protection of the organisations they work with, especially if they engage with SMEs who may not have the budget for all the bells and whistles of a truly robust approach to cyber security. We could even see partners collaborating on threat monitoring and defence strategies further down the line.
We’ve seen over the last twelve months that supply chain security is frequently not giving the answers senior stakeholders in organisations need, and it’s time for CISOs to look beyond the four walls of their organisation to fix it. But this is just the tip of the iceberg. Threat actors are cottoning on to the fact that by targeting companies that develop and build vital software and are critical logistical links in much broader networks, they can cause enormous disruption with limited effort. Without greater protection of all supply chain boundaries, we will all need to order our Christmas presents in July to be sure they arrive on time.