The recent cyber attacks on three of the largest Police forces in the UK, which resulted in serious data breaches, highlight two key cyber-threats to organisations: insider and supply chain.
In the case of the PSNI incident, which became known in August, personal data of police officers and staff, including names and duty locations, was mistakenly included in response to a Freedom of Information (FOI) request. This information then went on to be made public and came into the possession of dissident republican terrorists. While the outcome of this was serious and put police officers and staff at risk, this is a typical example of an insider threat incident and is very common. Whether it was unintentional or otherwise is still yet to be publicised.
There are several ways to reduce the risk from insider threat. These can include thorough access management processes and the use of native or third-party data loss prevention tools. However, the foundation of mitigating insider threat is to develop a good user training and awareness programme. This will help employees know the risks and, more importantly, know how to recognise suspicious activity.
The most recent incident, in what appears to be a typical example of a supply-chain attack, threat actors attacked a supplier of ID cards to GMP and Met Police with ransomware. The attackers were subsequently able to gain access to the personal information of thousands of officers and staff, and potentially that of other customers, including the NHS.
The attacker and the attack vector – the method used or the exploited vulnerability – is still unknown; at least publicly. This incident demonstrates how crucial third-party and supplier security is, especially where sensitive information is concerned.
Supply chains are becoming increasingly targeted. While outsourcing imposes obligations on suppliers, it does not remove customer responsibility. Supplier/Third-Party Security Management is a holistic process comprising all the steps described below and should involve several internal business functions. These include but are not limited to, security, data protection, legal, and procurement.
What can you do to secure supply chains?
There are several methods and approaches to supplier or supply chain security management. Each has similar aspects to consider when it comes to ensuring suppliers are as secure as they can be with your data:
- Use a framework. Commonly used and widely recognised standards, such as ISO 27001 and NIST (National Institute of Standards and Technology), and HMG schemes, including the Cyber Assurance Framework, have specific controls around supplier security management and can be used as good practice guidance.
- Ensure a robust procurement process is in place. Businesses should carry out a thorough due diligence process on prospective suppliers and should cover all areas of ESG, including security. They should analyse responses to security questionnaires, then investigate and risk assess any ‘red flags’. Be prepared to disregard suppliers who cannot or will not meet security requirements. It is possible to assess existing suppliers retrospectively. However, it may be more difficult to rectify any issues, subject to existing terms and conditions. All too often, this is a ‘tick box’ exercise as suppliers may already have been pre-determined.
- Scrutinise contracts and service agreements. Contracts will normally contain a ‘security schedule’ which details the suppliers technical and organisational security measures. Global suppliers will generally have fixed terms that are non-negotiable, but Managed Service Providers and smaller suppliers can be more accommodating. Engage legal teams to help with this. Contracts must also contain a Data Processing Addendum (DPA) which are written terms and conditions around additional requirements for the protection of personal data in-line with current data protection regulations and legislation such as the UKGDPR and DPA18. Contracts may also contain a ‘right to audit’ to some extent and where properly utilised, this can provide enhanced assurance.
- Manage supplier relationships. Ideally, a relevant person, such as an account or contract manager, should manage supplier relationships. In large organisations, there may be an entire team dedicated to this; in smaller businesses it may be a small working group or even a single person. Some organisations may even outsource this in some cases.
- Secure sensitive information. When businesses provide suppliers with, or allow access to, sensitive or confidential information such as personal data or IP (Intellectual Property), they should consider any enhanced protection that may be required, such as limited access, segregation, and incident response.
To summarise, the above are some of steps that businesses can take. Supply chain risk has been somewhat underestimated historically – especially where cost is an issue – but in a world where outsourcing is commonplace, it is vital to not only have the right controls in-place, but that they are managed effectively. Supplier security management is a continuous cycle, not a one-off process.