Supplier security: Manage the cyber security risks of supply chains
Inter-firm collaboration is required to manage the cyber security risks created by supply chains, says Phil Huggins
Heightened client expectations, coupled with the pressure to cut costs, have forced fundamental change in the legal sector. In response, countless law firms have created a greater focus on their core business, while partnering with legal process outsourcing providers. From admin and IT support to accounts payable and legal services, firms are placing a high level of trust in external suppliers. As a result, the strategic importance of the legal market's supply chain - the external ecosystem that underpins the operation of every organisation and its resilience - must be moved up the agenda of law firm management.
Outsourcing, partnering and joint ventures introduce greater systemic risk to both individual firms and industry sectors as a whole. While it was previously possible to view the supply chain as distinct, separate and often subservient to the business, supply-chain partners have become part of an extended enterprise. Financial and governance boundaries exist within the extended enterprise, but there must be shared goals and benefits across these boundaries to drive successful delivery of business objectives.
Supply chain risks
Recent high-profile cyber breaches have highlighted that determined attackers are actively and successfully exploiting the risks inherent in trusting the extended enterprise. Law firms form trusted relationships quickly with clients, suppliers and other third parties and are wary of upsetting existing commercial relationships when the cyber threat environment changes, as it regularly does. As a result, supply chains have repeatedly proved to be the weak link in cyber security.
The changes in the scale and targeting of cyber attacks over the past ten years, the industrialisation of attacks, the aggression of attackers and the lack of law enforcement response to cross-border cyber attacks require new approaches to protect businesses connected to the internet. It's time for a re-evaluation of how cyber supply-chain risks are managed.
Law firms sit at a key nexus of cyber supply-chain risk management and are seen as attractive targets for attackers. This is because of their privileged and trusted access to confidential client data, their role in establishing supply-chain relationships and their involvement in setting the tone for the extended enterprise through the negotiation and preparation of commercial contracts.
The cyber risks facing law firms, therefore, are significant, with a breach having the potential to cause:
- extensive damage to professional reputations and clients' trust;
- high financial costs; and
- the tying up of a large number of otherwise billable hours in resolving a breach.
Current practice
The earlier use of the Statement on Auditing Standards (SAS) No. 70 (SAS70) and the more recent Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization (SSAE16) to provide consistent and independent assurance across sectors and supply chains, have not met the needs of cyber security.
This problem has been due, in large part, to the wide variety of control definitions between each organisation in the supply chain. There is a widespread 'not invented here' attitude in cyber security, which contributes to this problem.
The UK government has attempted to address this issue by defining a baseline of cyber security standards within the Cyber Essentials certification scheme. The scheme, which was mandated for the government's own supply chain late in 2014, independently verifies that an organisation is completing some basic cyber hygiene measures.
At present, it is common for businesses, including law firms, to either undertake no active assurance of their suppliers or to extend their own concepts of IT security compliance to external organisations via contractually-mandated third-party assurance activities. This often results in internally-developed policies and control definitions being used as yardsticks to ascertain how closely each supplier meets those targets.
However, there are a number of issues and flaws with this approach.
- It is rare for a business to fully engage with an external review and to identify opportunities to improve. Instead, it is much more common for every opportunity to be taken to demonstrate notional compliance in order to limit the costs of externally-imposed remedial work. The end result is that confidence in the veracity and completeness of third-party assurance returns is low.
- The controls and policies designed for one organisation reflect the threats, risks, risk appetite and capabilities of that organisation. While similarities may exist, these are unlikely to be exactly the same across the supply chain. For example, the policies and controls designed for a law firm with highly independent and intelligent mobile professionals are unlikely to be the same as (and almost certainly ought not to be the same as) the policies and controls designed for a large global bank.
- Many businesses expect a level of controls and policy compliance from their suppliers that they only aspire to internally but have so far failed to embrace. This can lead to reduced trust in the business relationship, if exposed.
- Larger organisations within a supply chain often have mature cyber security capabilities and resist changing them to meet external customer requirements. Conversely, the smaller organisations within a supply chain rarely have access to the funding or, critically, the skills needed to effectively deliver the cyber security requirements placed on them.
- A compliance-led approach to cyber security is not enough to manage the threats presented by the rise in highly capable and determined adversaries. To address such risks, the focus should turn to risk-informed resilience, detection and response, rather than reliance on protection and prevention alone.
- Every organisation in the supply chain assesses and is assessed by every other organisation. This creates an expensive and distracting industry of rolling security controls assessments, with each organisation addressing the same risks in a different manner.
In one example, the treasury function of one business relied on the treasury teams of suppliers to re-run previous days' transactions, in the event of systems failure, allowing them to recover IT and reconcile errors later. However, with multiple supply-chain participants using the same cloud provider, in the event of an attack, this resulted in a significant number of transactions not being run across the supply chain for several days or even weeks.
Supply chain risk management is increasingly concerned with engagement, collaboration and alignment, focusing on identifying shared goals and objectives and using contracts to incentivise suppliers and reduce divergence in these goals, rather than to enforce unwanted requirements.
Internal cyber security is similarly moving towards a collaborative, intelligence-driven approach, with a focus on preparation and training to deal with breaches, widely regarded as inevitable. This is driving the development of information-sharing forums within different sectors, already a common practice for many years at the larger end of the financial services sector.
New approaches
It is clear that a new, more collaborative and shared approach is needed to manage supply-chain cyber risks in the legal services sector, rather than treating the supply chain as an external source of risk.
The first step is to identify existing information-sharing relationships and to invest time and money and, most importantly, trust in developing these further. It is crucial to measure the value of such forums to the wider extended ecosystem, rather than the value of participation specifically to your own firm. Larger players in the supply chain will have greater visibility and greater capability to contribute than the smaller players.
A second step is to work towards identifying a definition of common controls or standards, upon which multiple participants in the supply chain can agree. There are several options available, with the Council on Cyber Security Critical Security Controls a good contender for larger organisations, the IASME standard useful for small and medium-sized businesses and the Cyber Essentials scheme an alternative for smaller organisations.
The Law Society of England & Wales, in partnership with the UK government and the ICAEW, also provides a free one-hour online training course on cyber security, aimed at improving the security of both lawyers and accountants as key players in UK PLC supply chains.[1]
If consensus can be reached, not only with suppliers but also competitors, the ability to compare like-for-like across the supply chain will be improved. This has been done in the defence sector, where a number of large contractors spearheaded the development of the Exostar platform, which has produced a common set of third-party assurance requirements and questionnaires. More recently, Exostar has been rolled out to other industries.
A new approach to cyber security regulation for regulated banks has also been developed in New York's financial services sector.[2] This includes an increased focus on cyber-security due diligence of third-party service providers, including law firms and accountants. The approach echoes similar calls by the Prudential Regulation Authority and the Financial Conduct Authority in 2014 targeted at regulated financial services organisations in the UK.
A key step is to look for opportunities to reward supply-chain participants for information sharing, good hygiene and transparency, rather than punishing non-compliance. Although a contract needs to be put in place to safeguard minimum standards, the key priority should be alignment and engagement. The fear of sharing needs to be dispelled; this can be done by focusing on proving intentions and building trusted relationships.
Finally, those firms and supply-chain partners with mature cyber security capabilities, such as security operation centres, incident response teams, security architecture practices, risk analysts and security testing teams, should consider moving beyond information sharing to capability sharing. Experience has shown that this helps to improve coverage, efficiency and response times across the supply chain.
The approach is particularly effective at the smaller end of the supply chain. Having a great capability internally is of limited value if you rely on a business partner that has only one or two non-specialist security staff. By using the security operations centre of an individual law firm or supplier to provide services to the wider supply chain, a data breach in the extended enterprise may be detected much earlier. As a result, it is much less likely that the business continuity plan will have to be invoked due to a supplier failing to deliver part of a business process.
Boosting resilience
Managing partners should consider collaboration and information sharing, both across the industry and with clients, to move cyber defence from an issue that is just 'thrown over the fence' at each other to an issue that is addressed in a mature and cost-effective manner.
Firms should prepare for when large clients, such as global banks, start raising their requirements for compliance through background checks and audits, underpinned by a greater focus on outcome-focused cyber activities. Similarly, practices focusing on commercial contracts in supply chains should ensure that cyber security is fully covered, not just as a compliance issue.
Managing cyber security risk in the supply chain is not a zero-sum game. It is a risk that is too important for firms to ignore and steps should be taken now to better understand how investments in cyber security may be harnessed to boost the resilience of all supply chains.
Tools to increase the cyber resilience of supply chains
- Questionnaires and contracts
- Information sharing
- Incentives and engagement
- Capability sharing
Phil Huggins is vice president of security science at Stroz Friedberg, an investigations, intelligence and risk management company (www.strozfriedberg.com)
References
1. See https://cpdcentre.lawsociety.org.uk/course/6707/cyber-security-for-legal-and-accountancy-professionals
2. See https://www.dfs.ny.gov/banking/bil-2014-10-10_cyber_security.pdf