Written by Will Lambert
Suppliers: we all have them, we all need them. Some are essential to our day-to-day business activities, whether they provide website hosting, supply power, provide heating or air-con systems and their maintenance, payroll software, CCTV, education services, or physical or information security; the list goes on. Every supplier on this almost never-ending list poses an individual risk to our organisation. You should already have a good understanding of how suppliers interact with your workplace, how important they are, and which ones are most important. This can be described as a rank of criticality. If a supplier is high on this rank of criticality, we also need to understand what risks they present to our organisation.
Let’s revisit how risk is defined. A risk is defined by ascertaining a threat (anything that can harm an asset) multiplied by a vulnerability (a lack of safeguard). The initial identification of a risk is no easy task, but what is usually misunderstood is assigning a severity to that risk. So, for example, if we have a supplier who handles all our customer data (the asset), the risk is that they become breached (through a lack of safeguard); what, then, is the severity to our business of that risk being realised?
Severity can be defined by using a quantitative guide called a likelihood / impact matrix, and that is what we will use for this blog. Each organisation’s impact and likelihood metrics will be different, but let’s use the following as a brief example.
Likelihood can be defined using the following matrix:
The following can be used to help define impact for an organisation:
Using the above matrices, each individual asset that a supplier provides must be assessed to gauge the severity of the risk that supplier presents. Likelihood values can be ascertained by a qualitative assessment, which is a subjective or personal view of how likely a supplier is to fall victim to a cyber-attack; essentially, it’s a gut feeling. However, we can also use Supplier Evaluation Risk Management (SERM), which provides a much more accurate picture of how resilient your supplier is to a cyber-attack and of any incident response preparation they have undertaken in order to return to a BAU (business as usual) state.
Before we look at likelihood, let’s have a quick review of impact. Impact is a bit trickier; it’s all about considering the effect a realised risk would have on your organisation. Impact would include consideration of any regulatory fines imposed by governing bodies, such as the ICO (EU GDPR and DPA18), PCI DSS, and, if you are an Operator of Essential Services (OES), whoever your Competent Authority (CA) is. Impact would also consider items like reputational damage and remediation activities such as credit monitoring for all your customers, as Equifax did after their 2018 breach.
Asset Value (AV), Single Loss Expectancy (SLE) and Annual Loss Expectancy (ALE) metrics can (and in the case of mature organisations should) be used to help guide the assessment of impact, but this process can be a convoluted one, especially once you consider the fines and remediation activities, and is therefore a different blog post entirely!
Circling back to identifying likelihood values: essentially, we are asking ourselves how likely it is that this supplier will become compromised. The SERM approach allows us to ask how seriously our suppliers take information security and to gauge their responses. This is more than a simple gut feeling; it uses industry best practices, applicable standards and almost anything else you feel is relevant to your business, incorporated into a questionnaire and sent to your suppliers.
Depending on the rank of criticality described earlier, matched with your organisation’s statement of information risk appetite, and even consideration of possible impact levels, suppliers can be sent a really in-depth Supplier Validation Questionnaire (SVQ). Supplier responses will be reviewed by your information security team upon return, and then followed up with requests for evidence of policies and processes, or even (where required) a visit to the supplier’s premises to ratify their responses. As you move down the rank of criticality, a lighter-touch questionnaire should be used. For instance, you wouldn’t want to send a stationery supplier a 200-question SVQ unless you had a sufficient business requirement to do so.
As an example, Stan’s Stationery supplies your business with pens, paper, etc. Let’s give this particular supplier an impact rating of 1. As this supplier can inflict only a small amount of damage, we send Stan’s Stationery a light SVQ. The response from this supplier states that they have no information security measures in place: no policies, no protection measures, not even the slightest interest in information security. Therefore, the likelihood of their being breached is almost certain (5). We feed the impact and likelihood into the risk matrix and get an overall risk rating of 5. See the Risk Matrix below.
This is a low-impact supplier with a high probability of breach, but because we have validated the supplier, we know this for sure rather than guessing it.
It is important to realise that other business processes may need to be incorporated; a Data Protection Impact Assessment (DPIA) springs to mind. Suppose the SVQ response from Stan’s Stationery showed that they provide a lot more for your organisation than you first realised: in fact, they host your website or process your payments, as brief examples. In that case, they process large amounts of personal data, so if they were breached you may face the ICO and subsequently receive fines, depending on the contracts you have in place and the circumstances surrounding the breach. You will need to carry out a DPIA on this supplier if one has not already been done. As a result of this new information, the impact level in this example has also changed from 1 to 4 (depending on your organisation’s information risk appetite), giving a subsequent risk score of 20 (see Fig 4, Updated Risk Matrix), a big change from the original score of 5. A greater understanding of their information security practices will be required, and a deeper SVQ will need to be sent and validated.
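As an added example (not code from the post), here is the Stan’s Stationery calculation from the two passages above run end to end: the rank of criticality picks the SVQ depth, the answers drive likelihood instead of a gut feeling, and the matrix score decides the follow-up. The question set, the criticality cut-off, the score bands and the follow-up thresholds are all assumed for illustration.

```python
# Constructed SVQ control questions; the light SVQ is a subset of the full one.
LIGHT_SVQ = ["has_infosec_policy", "patches_within_30_days", "mfa_on_admin_accounts"]
FULL_SVQ = LIGHT_SVQ + ["incident_response_plan", "backups_tested",
                        "staff_security_training", "customer_data_encrypted"]

# Assumed banding of the 1..25 matrix scores.
RISK_BANDS = [(5, "low"), (12, "medium"), (25, "high")]


def questionnaire_for(criticality):
    """Rank of criticality (1 low .. 5 high) picks questionnaire depth; cut-off assumed."""
    return FULL_SVQ if criticality >= 3 else LIGHT_SVQ


def likelihood_from_svq(questions, answers):
    """Map the share of unmet controls to likelihood 1 (rare) .. 5 (almost certain)."""
    met = sum(1 for q in questions if answers.get(q, False))
    gaps = 1 - met / len(questions)          # 0.0 = every control in place
    return 1 + round(gaps * 4)


def risk_score(likelihood, impact):
    """Matrix cell = likelihood x impact, both on a 1..5 scale."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be 1..5")
    return likelihood * impact


def risk_band(score):
    return next(name for upper, name in RISK_BANDS if score <= upper)


def assess_supplier(criticality, impact, answers):
    """One SERM pass: pick the SVQ, derive likelihood, score it, decide the follow-up."""
    questions = questionnaire_for(criticality)
    likelihood = likelihood_from_svq(questions, answers)
    score = risk_score(likelihood, impact)
    if score > 12:
        action = "request evidence of policies and processes; site visit to ratify responses"
    elif score > 5:
        action = "request evidence of policies and processes"
    else:
        action = "accept and re-assess at next review"
    return {"questions": len(questions), "likelihood": likelihood, "impact": impact,
            "score": score, "band": risk_band(score), "action": action}


if __name__ == "__main__":
    stan = {}  # Stan's Stationery: no controls in place, so every answer is "no"
    print(assess_supplier(criticality=1, impact=1, answers=stan))  # score 5, low
    # Same answers once we learn they host the website: criticality and impact rise.
    print(assess_supplier(criticality=4, impact=4, answers=stan))  # score 20, high
```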
Of course, Stan’s Stationery can be replaced by any supplier; this is a high-level overview of how SERM can be used. Depending on your number of suppliers, this process may need automating, or at least the engagement of a managed service to manage your supply chain risk. Following on from a supplier’s response, your organisation will need to identify what actions you will take: either help them improve their information security practices and defences, or simply cease the relationship with them. This is a cost / benefit analysis and a business decision, and SERM will help you best understand the real cost behind each supplier.