Small suppliers must show security nous to protect supply chains from APTs: expert

Companies that believe their small size and relative obscurity will protect them from the authors of advanced persistent threats (APTs) need to consider their role in larger supply chains, and to recognise that they are increasingly seen as relatively insecure back doors into larger organisations, the head of BAE Systems Detica's regional cyber security operation has warned.

Noting that APTs have become “a real and credible threat,” BAE Systems Detica Asia-Pacific head of cyber security Craig Searle warned that every part of a business supply chain needs to be protected equally – or must be considered a potential conduit for attackers to find their way into the broader partner ecosystem.

“The average SME might think they are not really of interest to an APT perpetrator,” Searle told CSO Australia. “But it turns out they're actually of great interest because the cyber-criminals are aware they don't have as much security control, as much robust technology and process governance around security.”

“Hackers will always go for the weakest link.”

However confident small supply-chain partners may feel about their own security posture, many companies with extensive supply chains remain sceptical that those partners will not compromise their information security.

The recent PricewaterhouseCoopers Global State of Information Security 2014 survey, for example, found that just 34.8 per cent of Asia-Pacific businesses were 'very confident' that their partners' and suppliers' information security activities are effective; by comparison, 41.9 per cent of respondents said they were only 'somewhat confident' in their partners' security.

Fully 13.8 per cent of respondents in the survey were 'not very' or 'not at all' confident in the integrity of their supply chain members' security, with a further 9.5 per cent saying they did not know.

Some 13.6 per cent of surveyed organisations believed that suppliers or business partners were the source of security incidents, and 15.2 per cent of companies had lost business partners or suppliers as a result of a security breach.

Ascertaining the source presents its own challenges, since just 52.5 per cent of respondents said they conduct compliance audits of third parties handling the personal data of customers and employees, and just 60 per cent had an accurate inventory of where personal data for customers and employees are collected, transmitted and stored.

Fully 54.8 per cent had an incident response process to report and remediate breaches to third parties that handle data, but just 26.2 per cent of Asia-Pacific respondents were implementing security baselines and/or standards for external partners/customers/suppliers/vendors in 2014.

Efforts to improve visibility will be crucial to improving the security of extended supply chains throughout the course of the year, Searle said, noting the growing importance of supplier security checks – of both people and technology – to meeting ever-tighter governance requirements.

With supplier contracts set to include “more prescriptive” right-to-audit clauses, and organisations seeking to activate them on a more regular basis, a growing number of companies “are trying to get some sense of comfort that their suppliers are actually behaving in a secure manner.”

“You want to be able to say what your security controls are,” he said, “and give those further up the chain the understanding that you have a sense of doing the right thing. But this is all about organisations understanding their information assets, where they are, and what controls they have in place.”

“If an organisation doesn't have a clear understanding of its information assets, it's very difficult for them to implement the right controls.”


Stories by David Braue
