A glimpse into supply chain cybersecurity

“Managing third-party vendor cyber risk is fast becoming the defining cybersecurity challenge of our time.”

In the current corporate enterprise, any ICT supply chain is only as strong as its weakest link. Oftentimes, a supplier or customer might be the low-hanging fruit in the supply chain, an easier way inside than attacking the organization directly.

The ICT supply chain is a complex, globally interconnected ecosystem that encompasses the entire life cycle of ICT hardware, software, and managed services and a wide range of entities—including third-party vendors, suppliers, service providers, and contractors. If vulnerabilities in the ICT supply chain are exploited, the consequences can affect all users of that technology or service. For example, various governments have questioned the security of electronic products manufactured in other countries. There are also less visible threats, such as compromised libraries and website builders or compromised updates to industrial control systems.

Supply chain threats can therefore come in many guises, with many degrees of separation from the business they are targeting. Foreign adversaries, hackers, and criminals seeking to steal, compromise or alter, or destroy sensitive information can find ways into a system that seem unlikely to their victims, either because the intrusion comes from an unexpected place or because it comes from a supplier so integral to the victims' systems that they have no choice but to trust it blindly. Research from BlueVoyant's annual survey of June 2020 indicates that 80% of organisations have experienced a data breach originating in their partner networks, with respondents having more than 1000 different vendors, which gives a sense of the scale of the third-party cyber risk management challenge.

Jim Penrose, the COO of BlueVoyant, further notes that managing third-party vendor cyber risk is fast becoming the defining cybersecurity challenge of our time. As organizations have increased the number and variety of suppliers they work with, in the pursuit of competitive advantage, they have simultaneously exposed their enterprise network to the vulnerabilities of those partners. Put simply, the extended ecosystem is the threat.

A case in point: Pegasus breach 2020

According to the Uganda Police annual crime report for the year 2020, an incident of unauthorised access, electronic fraud and theft of approximately Ugx. 11,000,000,000 from Pegasus Technologies, Stanbic Bank, Bank of Africa, MTN Uganda and Airtel Uganda was reported between 2nd and 3rd October 2020 at Pegasus Technologies.

The breach is alleged to have started with an unspecified amount of money taken from an Online Vendor Account of the Bank of Africa by unknown persons. This was followed by an anonymous phone call from a staff member of Bank of Africa to Pegasus Technologies reporting payments off their account at MTN Uganda and Airtel Uganda which the bank had not originated. Pegasus Technologies checked and established that they had not initiated the transactions either. Since then, a total of 9 suspects have been arrested and charged in court, and investigations continue.

So, how do our B2B interactions change our approach to cybersecurity?

The NIST Cyber Supply Chain Risk Management (C-SCRM) program recommends that managing cyber supply chain risks requires ensuring the integrity, security, quality and resilience of the supply chain and its products and services. Cyber supply chain risks may include insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the cyber supply chain.

The Cybersecurity & Infrastructure Security Agency (CISA) gives these essential steps to assist your organization in managing supply chain risks and building an effective SCRM practice:

  1. Identify the people: Build and ensure a well-trained cyber-conscious team of representatives from various roles and functions of the company including IT, physical security, procurement/acquisition, legal, logistics, marketing, and product development among others.
  2. Manage the security and compliance: Document a set of policies and procedures, based on industry standards and best practices, that address security, integrity, resilience, and quality of supply chain activities. These can include ISO 27000 standards, NIST Special Publication 800-161, and PCI DSS.
  3. Assess the components: Build a list of critical ICT components and internal systems (e.g., hardware, software, and services) that must be protected to prevent unauthorized access.
  4. Know the supply chain and suppliers: Identify your suppliers and, when possible, the suppliers’ sources. You may also need to include employees and contractors working from home, since their behaviour off the company premises must be managed so that they do not propagate a cyber breach.
  5. Verify assurance of third parties: Verify that your suppliers maintain an adequate security culture and SCRM program to appropriately address the risks that concern your organization. Suppliers should be periodically subject to IT audits and penetration tests to assess their security posture and risk exposure.
  6. Evaluate your SCRM program: Determine the frequency with which to review your SCRM program, incorporate feedback, and make changes to your risk management program.
