Supply chain security: what could possibly go wrong?

Read time 4min 00sec
Steve Jump, head of corporate information and security governance at Telkom.
Steve Jump, head of corporate information and security governance at Telkom.

Knowing which third parties within a business’ supply chain are connected to the network is critical. In an interconnected world, third party partners are also part of the business model.

So said Steve Jump, head of corporate information and security governance at Telkom, who spoke at the recent ITWeb Security Summit 2019. He said an organisation does not have sole possession of all its information; it’s also in the hands of third party suppliers, because most organisations outsource certain functions.

“One important question we need to ask when partnering with suppliers is: what can possibly go wrong? Because I can guarantee you, those in procurement who said it can be done cheaper and outsourced the work, never bothered to ask that question.”

When dealing with cyber security, Jump said, businesses must adhere to certain standards that might not be met by a third party supplier. “We have our security controls in place protecting us, and when integrating a third party onto the network, they, in all likelihood, have their own security setup, which is probably different from your company’s.”

It’s key that the person responsible for cyber security in a company talks to the procurement team.

Because many third party contracts are merely a purchase order, Jump said it’s key that the person responsible for cyber security in a company talks to the procurement team. “Make them aware of the importance of ensuring all third party connections are cleared through the IT security team, and that a contract is obtained whereby the third party stipulates it has the necessary cyber security in place.

“The banking sector has a good legal framework that holds them accountable if they fail to get assurance of the security of a third party link. If they don’t, they can lose their banking licence. The rest of us are not any closer to catching up with the financial sector in this regard.”

According to Jump, one way of ensuring third party partners are up to scratch with security protocols is to push them for security certifications. “It should be stated in their contract that they provide proof, which should be provided on a quarterly basis,” he added.

“The IT department should also be involved in all processes, because they are responsible for all connections into your server.

“All the relevant credentials used by a third party should fall under the IT department as they will have oversight on all those tapping into the company’s server. Plus, they should also be responsible for ensuring that internal cyber defences are able to protect against potential cyber threats coming from outside.

“In understanding your supply chain, make sure all contracts meet your business and security needs. The reality is, that contract is probably going to be quite valuable to your business as it allows you to get the money back after a cyber attack, if it’s proven they were the weak link.”

So what could go wrong?

Jump highlighted two examples where companies did not ask the question.

  • Target Corporation is the eighth largest retailer in the US and utilised a vast number of service providers. One of these provided air-conditioning services in all of its stores. Target allowed this service provider to plug its control systems into Target’s corporate network - the same system that ran Target’s billing system, it’s ordering systems, and every part of its point-of-sale. An attacker got his hands on the service provider’s access credentials, logged on to Target’s control system and installed malware. The Web site at the time did not require a secure password; all that was needed was the company’s URL to gain access. The retail chain had never asked its service provider to provide any level of security.
  • Merck Sharp & Dohme (MSD), which manufactures and distributes pharmaceuticals, has 100 different manufacturing industries connected into its pharmaceutical business. One of these factories went down with the NotPetya cyber attack. This then spread through MSD’s networks, which did not have firewalls or IPSes between them. It took about three weeks to get this sorted out, during which time the company lost about $350 million in scrapped production. When it comes to drug production, the entire production line needs to be completely flushed and started from scratch. It’s estimated that the profits on those products would have been $1 billion.
See also