Risk managers are understandably anxious about breaches of their suppliers’ cyber defences. Is the threat as bad as it’s painted, and how can the risks be minimised?
Looking solely at their own cyber defences is no longer a tenable position for firms. Increasingly, they must look at their suppliers’ as well.
The StrategicRISK Supply Chain Disruption survey found that a ‘targeted cyber attack (internal or external)’ was risk managers’ top concern out of 10 possible disruptive events. A cyber attack on a critical supplier was considered most likely to bring a company to its knees.
Human operating error was next, with government/regulatory intervention in third place.
“This vote reflects [risk managers’] uneasiness at being able to grasp the likelihood and consequences of such a cyber attack: since I don’t understand it, I fear it, and since I fear it, I give it high marks,” says Huawei Enterprise’s chief security and privacy officer, Pierre Noel.
“Cyber security is among the least understood type of risks at the moment. Risk managers hear about those cyber incidents happening here and there, and they feel like the sky is about to fall. In reality, cyber attacks follow some rather specific patterns, based on the origins of the attacks, as well as the motivations behind those attacks.”
This doesn’t give much comfort to Shangri-La vice-president, finance, Parikshit Sen Gupta. He says he’s very concerned about the implications of a cyber breach at one of the hotel and resort group’s critical suppliers.
“For some of our suppliers who store our customer data, this risk is imminent,” he says, stressing that it would be Shangri-La’s brand at risk – and not that of the third party at fault – if a data breach occurred.
A PERFECT STORM
Jagath Guru, Myanmar Brewery head of risk management, internal controls and processes, agrees. He says: “Third-party vendors do play a vital and growing role in supporting organisations’ systems, applications, and devices.” But he thinks many organisations are not fully aware of their reliance on such suppliers.
“Organisations often have limited visibility or control on what the engaged third-party vendors’ activities are connected to [within the] organisation’s own network. The combination of dependence, trust and lack of control [is] the ideal situation for creating a ‘perfect storm’ for security breaches across the organisation, regardless of organisation size,” he says.
A device or a program that is deemed safe today could become vulnerable tomorrow and be attacked on a worldwide basis the day after.”
Huawei Enterprise’s chief security and privacy officer, Pierre Noel
If an organisation’s network gets into the wrong hands, adds Guru, there is a high risk of data being compromised or stolen, or of critical systems being shut down.
Indeed, the results of the StrategicRISK survey are largely in line with the Business Continuity Institute’s recent Supply Chain Resilience Report 2016. Cyber attack or data breach came third on its list of causes of disruption. Unplanned telecommunications or IT outages, which could also be
caused by a cyber hack, came first. So, what should risk managers and supply chain managers consider when assessing the strength of a potential supplier’s cyber security?
Huawei’s Noel says it comes down to accountability: “Does the supplier have a person who is explicitly and publicly in charge of the cyber security of the organisation? Is it well understood that this person will be fired or demoted if there is a significant cyber security incident with the organisation? If the answers are yes, you have proper cyber security management.”
He adds: “We need someone who continuously has her/his finger on the pulse and can assess the evolution of risks, and what proper mitigations might be.
“Cyber risk is one of the most dynamic I have ever encountered; a device or a program that is deemed safe today could become vulnerable tomorrow and be attacked on a worldwide basis the day after.
“The only way to address this dynamic is to be accountable and keep a finger on the pulse.”