Monday 4 March 2019

Supply and Demand, Risk and Severity – Defining the Damage


Written by Will Lambert

Suppliers- we all have them, we all need them. Some are essential to our day-to-day business activities, whether they provide website hosting, supply power, provide heating or air con systems and maintenance, payroll software, CCTV, education services, physical or information security, the list goes on. With this almost never-ending list of suppliers, each poses an individual risk to our organisations. You should already have a good understanding of how suppliers interact with your workplace, how important they are, and which ones are most important. This can be described as a rank of criticality. If a supplier is high on this rank of criticality, we also need to understand what risks they present to our organisations

Let’s revisit defining risk. A risk is defined by ascertaining a threat (anything that can harm an asset) multiplied by vulnerability (a lack of safeguard). The initial identification of risk is no easy task but what is usually misunderstood is assigning a severity to a risk. So, for example, if we have a supplier who handles all our customer data (asset), the risk is that they become breached (through lack of safeguard), so what is the severity of the risk being realised upon our business?

Severity can be defined by using a quantitative guide called a likelihood / impact matrix; for this blog, this is what we will be using. For each organisation, impact and likelihood metrics will be different but let’s use the following as a brief example.

Likelihood can be defined using the following matrix;

The following can be used to help define impact for an organisation.

Using the above matrices, each individual asset that a supplier is providing must be assessed to gauge the severity of risk each supplier presents. Likelihood values can be ascertained by using a qualitative assessment, which is a subjective or personal view in gauging how likely a supplier is to fall victim to a cyber-attack – essentially, it’s a gut feeling. However, we can also use Supplier Evaluation Risk Management (SERM) which provides a much more accurate picture of how resilient your supplier is to a cyber-attack and any incident response preparation actions they may have taken in order to return to a BAU state.

Before we look at likelihood, let’s have a quick review of impact. Impact is a bit trickier; it’s all about considering the effect it would have on your organisation. Impacts would include consideration of any regulatory fines imposed by governing bodies, such as the ICO (EU GDPR and DPA18), PCI DSS, and if you are an Operator of Essential Services (OES) whomever your Competent Authority (CA) is. Impact would also consider items like reputational damage and remediation activities such as credit monitoring for all your customers like Equifax did after their 2018 breach.

Asset Value (AV), Single Loss Expectancy (SLE) and Annual Loss Expectancy (ALE) metrics can (and in the case of mature organisations should) be used to help guide the assessment of impact but this process can be a convoluted one, especially when you consider the fines and remediation activities, and is therefore a different blog post entirely!

Circling back to identifying likelihood values, essentially, we are asking ourselves, how likely is it that this supplier will become compromised. The SERM approach allows us to ask how seriously our suppliers take information security and gauge their responses. This is more than just a simple gut feeling, this is using industry best practices, applicable standards and almost anything else you feel is relevant to your business, incorporated into a questionnaire format and sent to your suppliers.

Depending on the rank of criticality we described earlier, matched with your organisation’s statement of information risk appetite, and even consideration of possible impact levels, suppliers can be sent a real in-depth Supplier Validation Questionnaire (SVQ). Supplier responses will be reviewed by your information security team upon return, and then followed up with prompts for evidence of policies, processes or even (where required) a visit to your suppliers’ premises to ratify responses. As you move down the rank of criticality, a lighter touch of questionnaire should be used. For instance, you wouldn’t want a stationery supplier being sent a 200 question SVQ unless you had a sufficient business requirement to do so.

As an example, Stan’s Stationery supplies your business with pens, paper, etc. Let’s give this particular supplier an impact rating of 1. As this supplier can inflict only a small amount of damage, we send Stan’s Stationery a light SVQ. The response from this supplier states that they have no information security measures in place, they have no policies or protection measures or even the slightest interest in information security. Therefore, the likelihood of their breach is almost certain - 5. We feed the impact and likelihood into the risk matrix and we get an overall risk rating of 5. See the Risk Matrix below.

This is a low impact, high probability of breach, but because we have validated the supplier, we know this for sure.

It is important to realise that incorporation of other business processes may be required- a Data Protection Impact Assessment (DPIA) springs to mind. If your SVQ response from Stan’s Stationery showed that they provide a lot more for your organisation than you first realised, in fact, it hosts your website, or processes payments as brief examples. In this case, they process high amounts of personal data and so if breached, would mean you may face the ICO and subsequently receive the fines – dependant on your contracts in place and situation surrounding the breach. You will need to carry out a DPIA on this supplier if not already done. As a result of this new information, the impact level has also changed from 1 to 4 (depending on your organisation’s information risk appetite) in this example, and a subsequent risk score of 20 (See Fig 4 – Updated Risk Matrix) – a big change up from the original score of 5. A greater understanding of their information security practices will be required, and a deeper SVQ will need to be sent and validated.

Of course, Stan’s Stationery can be replaced by any supplier- this is a high-level overview of how SERM can be used. Depending on your quantity of suppliers this may need the automating of this process, or at least employing a managed service to manage your supply chain risk. Following on from a suppliers’ response, your organisation will need to identify what actions you will take to either help them improve their information security practices and defences, or simply cease the relationship with them. This is a cost / benefit analysis and business decision of which SERM will help you best understand the real cost behind each supplier.

For further information regarding supplier risk management, more blog posts can be found here:

  1. The Domino Effect
  2. Automating SERM