The UK Minister of State for Media, Data and Digital Infrastructure, Julia Lopez, recently issued a call for views from industry leaders to outline the risk posed by insecure software and supply chains. She encouraged organizations to participate in a national consultation by sharing their experiences of such threats and the best practices for risk mitigation. This dialogue is imperative because it’s a complex, multi-stakeholder issue that current approaches cannot easily solve.
Understanding Connectedness and Interdependencies
The key problem with supply chain security is that no corporation today is an ‘island’ entire of itself. Businesses are extremely dependent on the UK’s 13 Critical National Infrastructure (CNI) sectors, and each of those CNI sectors depends on the others, on its suppliers, and on its suppliers’ suppliers. A business depends on a payment provider, which depends on a telecommunications provider, which in turn depends on the electrical grid, and so on down a chain with no obvious end.
According to the UK Government’s Cyber Security Breaches Survey 2022, around 58%, 55% and 60% of small, medium and large organizations, respectively, outsourced their cybersecurity to an external supplier for at least one service. It is worth remembering that outsourced cybersecurity firms require remote and privileged access to their customers’ internal systems, which makes them an attractive route into those customers.
This interconnected system of dependencies and risks can rapidly scale beyond what a single organization can even assess, much less manage on its own. A cybersecurity incident can impact you in ways you can neither anticipate nor manage.
Supply Chain Attacks
Unfortunately, supply chain threats are on the rise. According to the National Cyber Security Centre (NCSC), the cyber-espionage group Dragonfly has been targeting companies since 2011. In its latest campaign, Dragonfly compromised the websites of legitimate industrial control system (ICS) software suppliers and replaced files in their download repositories with malware-infected versions, so that customers fetching what looked like a genuine update installed the attackers’ code.
A recent study by Gartner found that 84% of organizations experienced disruptions in business operations due to third-party risk ‘misses.’ Indeed, Gartner predicts that by 2025, 45% of enterprises across the globe will have suffered a software supply chain attack – a threefold rise from 2021.
A recent study by Juniper Research estimates that software supply chain cyber-attacks on businesses will cost the global economy £54.04bn annually by 2026. This is partly because security managers are a victim of their own success. Because securing our systems has become a priority, it is often easier to attack our suppliers than our organization directly.
Existing Paradigms Are DNS: Does Not Scale
Today’s security managers have resources from industry and government. There are frameworks, guidelines, procedures and audit regimes to identify and manage the risk from a single service provider. However, the staff hours needed to do this thoroughly on a per-provider basis can overwhelm a security team’s capacity. It is best practice to prioritize vendors by mission criticality and data access and then assess the top tier in depth. For the remaining vendors there are standard contract terms and conditions, a controls questionnaire and an independent third-party assessment they can undergo annually. Some companies have governance, risk and compliance (GRC) systems that efficiently aggregate all the data and manage the process. On the supplier side, the scale is just as onerous: every customer sends its own questionnaire.
There are ways to reduce the level of effort (LoE), such as using vendor security management systems to drive the process. Gartner sees vendor consolidation as a way to reduce complexity, decrease costs, improve efficiency and improve overall security. The most likely response, however, will be additional control frameworks and audits, because that is how government and industry have historically responded to security management issues.
The Road Ahead: Transparency and Situational Awareness
Moving forward, there are four use cases to focus on. First, a way to reduce the LoE of onboarding vendors, so that buying and implementing solutions can be done more quickly. Second, knowing when an upstream supplier experiences a cybersecurity incident, because that determines the impact on the level of service, the data or the internal security controls that in turn dictate the downstream organization’s response. Third, knowing when any upstream supplier has a critical vulnerability, which is essential for risk management. Lastly, a two-way flow of vulnerability, risk and threat information, so that suppliers understand the risks to their customers and can build features and products that help protect them.
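The second and third use cases reduce to a graph question: given the chain of dependencies described earlier, which of our own services are exposed when a particular upstream supplier reports an incident or a critical vulnerability? The script below is an added illustration of that impact analysis and is not code from the article or from the government consultation. The supplier names, the dependency edges and the criticality tiers are constructed sample data; the graph is small enough to read by eye, but the same breadth-first walk over an inverted dependency graph works for hundreds of suppliers and several tiers of sub-suppliers.

```python
from collections import defaultdict, deque

# Constructed sample data (not from the article). Edges run consumer -> supplier,
# mirroring the chain in the text: business -> payment provider -> telco -> grid.
DEPENDENCIES = {
    "checkout-service": ["PayCo"],
    "hr-portal": ["OutsourcedSOC"],
    "PayCo": ["TelcoNet"],
    "OutsourcedSOC": ["TelcoNet"],
    "TelcoNet": ["GridPower"],
}
# Our own services with an assumed business-criticality tier (tier1 = most critical).
INTERNAL_SERVICES = {"checkout-service": "tier1", "hr-portal": "tier3"}


def consumers_of(dependencies):
    """Invert the graph: supplier -> list of nodes that depend on it directly."""
    rev = defaultdict(list)
    for consumer, suppliers in dependencies.items():
        for supplier in suppliers:
            rev[supplier].append(consumer)
    return rev


def downstream_of(supplier, dependencies):
    """Breadth-first walk from an affected supplier towards everything that
    transitively depends on it. Returns {node: path}, where path lists the hops
    from the supplier to that node; BFS guarantees the shortest hop count."""
    rev = consumers_of(dependencies)
    paths = {supplier: [supplier]}
    queue = deque([supplier])
    while queue:
        node = queue.popleft()
        for consumer in rev.get(node, []):
            if consumer not in paths:  # visited check; also prevents looping on cycles
                paths[consumer] = paths[node] + [consumer]
                queue.append(consumer)
    del paths[supplier]  # the supplier itself is the source, not an impact
    return paths


def impacted_services(supplier, dependencies=DEPENDENCIES, internal=INTERNAL_SERVICES):
    """List our own services exposed when `supplier` reports an incident or a
    critical vulnerability, ordered by criticality tier and then hop distance,
    so incident response starts with the service that matters most."""
    hits = []
    for node, path in downstream_of(supplier, dependencies).items():
        if node in internal:
            hits.append({
                "service": node,
                "tier": internal[node],
                "hops": len(path) - 1,
                "path": " -> ".join(path),
            })
    hits.sort(key=lambda h: (h["tier"], h["hops"]))
    return hits


if __name__ == "__main__":
    for source in ("PayCo", "TelcoNet", "GridPower"):
        print(f"Incident at {source}:")
        for hit in impacted_services(source):
            print(f"  {hit['tier']} {hit['service']} ({hit['hops']} hops): {hit['path']}")
```

Running it shows that an incident at PayCo touches only the checkout service, while an incident at TelcoNet or GridPower reaches both internal services through different sub-suppliers, which is exactly the information a security team cannot recover from a single-vendor questionnaire. The path string is worth keeping in the output: it tells the responder which contract, and which supplier’s incident notification, the exposure actually runs through.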
Regarding the UK government’s call for views, supply chain security isn’t really about protecting an individual company; it’s about protecting the entire ecosystem and the dependencies within it. That is why open dialogue is the first step: everybody lays out their use cases and what they are trying to accomplish, so the right solution can be applied at the right level in the chain.