Cloud Hopper Impact: Supply Chain Management & Procurement
23 June 2017
In a rapidly evolving world of threats, Operation Cloud Hopper has highlighted that information security is not only an IT priority, but also an increasing focus area within procurement and supply chain management, with hackers starting to exploit the supply chain to gain access to their customers’ organisations.
As organisations continue to engage a broad range of suppliers and exchange high volumes of (often) commercially sensitive or regulated data as part of routine business as usual, the risks associated with doing so have received increasing attention in recent years. Indeed, our recent Global State of Information Security Survey shows that there has been a rise in security incidents attributed to third parties in the past year.
However, the increasing trend of third parties being granted access to client systems or infrastructure (and therefore data) has received less scrutiny, despite often carrying more significant risk. In fact, the findings from Operation Cloud Hopper highlighted how client-supplier technology integration, especially in managed service or other IT outsourcing arrangements, has expanded the attack surface available to hackers, potentially providing additional avenues through which they can gain access to data.
So how exposed is your organisation to an information security breach through one of your third parties?
There are several questions to consider:
- Are your information security requirements adequately outlined in your contract with them? Can you hold them liable for any breaches?
- Are you clear on what those requirements should be? What security controls do you expect your Managed Service Providers (MSPs) to have in place to safeguard your systems and data? And what controls should you have in place to control and segregate their access?
- Assuming your contracts are robust, to what extent are you holding those MSPs to account? How are you managing your relationship with them? Are you confident they are complying with the requirements that you have set?
- Are those requirements up to date? Has the scope of the service or the access to data and/or systems changed since the contract was first signed, and are the requirements therefore still appropriate?
- What processes do you have in place, if you decide to end your relationship with the MSP, to ensure your confidential data is returned to you or adequately destroyed, and all system access is revoked?
And it’s not just your IT MSPs that need consideration. Many other third parties will also have access to your data and systems – have you got a clear view of who has access to what?
Key to developing the right strategies to manage and mitigate any issues is understanding the nature and extent of your third party application permissions and interfaces, and the associated risks. This is often no easy task, given the technical complexity, breadth and volume of most third party interactions. The focus should be on establishing an efficient, scalable and repeatable approach to managing information security across the supply chain: making sure the right specialists are involved at the right time, early enough in the engagement, and looking not just at technical aspects, but at how your suppliers behave and comply with agreed contractual obligations.
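The questions above (is third party access within contracted scope, is it no higher than the contract allows, has it been revoked when the relationship ended, and do you actually know who holds what) can be turned into a repeatable access review. The script below is an added illustration, not code from the original post or from PwC; it assumes you can export a list of third party accounts and their permissions from your identity or access management tooling and hold a simple record of each supplier contract. All vendor names, systems, accounts and dates are constructed sample data, and the 90-day staleness threshold is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple

# Ordering of privilege levels used to compare a grant against its contract.
PRIVILEGE_RANK = {"read": 0, "write": 1, "admin": 2}


@dataclass(frozen=True)
class Contract:
    vendor: str
    status: str                    # "active" or "terminated"
    allowed_systems: FrozenSet[str]  # systems the contract permits access to
    max_privilege: str             # highest privilege level the contract permits


@dataclass(frozen=True)
class AccessGrant:
    account: str
    vendor: str
    system: str
    privilege: str
    last_used: Optional[date]      # None when the account has never signed in


def review_third_party_access(grants: List[AccessGrant],
                              contracts: List[Contract],
                              today: date,
                              stale_after_days: int = 90) -> List[Tuple[str, str]]:
    """Reconcile third party access grants against supplier contracts.

    Returns (account, finding) pairs for every grant that should be
    revoked, reduced or re-approved. A grant with no finding is consistent
    with an active contract, within scope and privilege, and recently used.
    """
    by_vendor = {c.vendor: c for c in contracts}
    findings: List[Tuple[str, str]] = []
    for g in grants:
        contract = by_vendor.get(g.vendor)
        if contract is None:
            # Access exists for a supplier procurement has no record of.
            findings.append((g.account, "no_contract_on_file"))
            continue
        if contract.status == "terminated":
            # Relationship ended but access was never revoked; other
            # checks are moot because the whole grant should go.
            findings.append((g.account, "vendor_terminated"))
            continue
        if g.system not in contract.allowed_systems:
            # Scope drift: access reaches a system the contract never covered.
            findings.append((g.account, "outside_contracted_scope"))
        if PRIVILEGE_RANK[g.privilege] > PRIVILEGE_RANK[contract.max_privilege]:
            # Supplier holds more privilege than the contract allows.
            findings.append((g.account, "privilege_exceeds_contract"))
        if g.last_used is None or today - g.last_used > timedelta(days=stale_after_days):
            # Unused access is attack surface with no business justification.
            findings.append((g.account, "stale_access"))
    return findings


# Constructed sample data: fictitious suppliers, systems and accounts.
CONTRACTS = [
    Contract("Acme MSP", "active", frozenset({"erp", "email"}), "admin"),
    Contract("Beta Analytics", "active", frozenset({"data-warehouse"}), "read"),
    Contract("Gamma Support", "terminated", frozenset({"helpdesk"}), "write"),
]

REVIEW_DATE = date(2017, 6, 23)

GRANTS = [
    AccessGrant("acme-admin-01", "Acme MSP", "erp", "admin", date(2017, 6, 20)),
    AccessGrant("acme-svc-02", "Acme MSP", "hr-system", "write", date(2017, 6, 1)),
    AccessGrant("beta-etl", "Beta Analytics", "data-warehouse", "write", date(2017, 6, 22)),
    AccessGrant("beta-old", "Beta Analytics", "data-warehouse", "read", date(2017, 1, 10)),
    AccessGrant("gamma-support", "Gamma Support", "helpdesk", "write", date(2017, 3, 31)),
    AccessGrant("delta-temp", "Delta Consulting", "erp", "read", None),
]


if __name__ == "__main__":
    for account, finding in review_third_party_access(GRANTS, CONTRACTS, REVIEW_DATE):
        print(f"{account}: {finding}")
```

Run against a real export, the only grant that passes cleanly here is the one that matches an active contract on an in-scope system, at or below the permitted privilege, and used recently; every other row is a concrete item for the supplier relationship owner to revoke, reduce or re-approve, which is the evidence trail the contractual questions above are asking for.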