Companies thinking their small size and relative obscurity will protect them from targeting by the authors of advanced persistent attacks (APTs) need to consider their role in larger supply chains and recognise that they are increasingly being seen as relatively insecure back doors into larger organisations, the head of BAE Systems Detica's regional cyber security operation has warned.
Noting that APTs have become “a real and credible threat,” BAE Systems Detica Asia-Pacific head of cyber security Craig Searle warned that every part of a business supply chain needs to be protected equally – or must be considered a potential conduit for attackers to find their way into the broader partner ecosystem.
“The average SME might think they are not really of interest to an APT perpetrator,” Searle told CSO Australia. “But it turns out they're actually of great interest because the cyber-criminals are aware they don't have as much security control, as much robust technology and process governance around security.”
“Hackers will always go for the weakest link.”
Whatever small supply-chain partners believe about their own security posture, many companies with extensive supply chains remain unconvinced that their partners will not compromise their information security.
The recent PricewaterhouseCoopers Global State of Information Security 2014 survey, for example, found that just 34.8 per cent of Asia-Pacific businesses were 'very confident' that their partners' and suppliers' information security activities are effective; by comparison, 41.9 per cent of respondents said they were only 'somewhat confident' in their partners' security.
Fully 13.8 per cent of respondents in the survey were 'not very' or 'not at all' confident in the integrity of their supply chain members' security, with a further 9.5 per cent saying they did not know.
Some 13.6 per cent of surveyed organisations believed that suppliers or business partners were the source of security incidents, and 15.2 per cent of companies reported losing business partners or suppliers as a result of a security breach.
Ascertaining the source presents its own challenges, since just 52.5 per cent of respondents said they conduct compliance audits of third parties handling the personal data of customers and employees, and just 60 per cent had an accurate inventory of where personal data for customers and employees are collected, transmitted and stored.
Fully 54.8 per cent had an incident response process to report and remediate breaches to third parties that handle data, but just 26.2 per cent of Asia-Pacific respondents were implementing security baselines and/or standards for external partners/customers/suppliers/vendors in 2014.
Efforts to improve visibility will be crucial to improving the security of extended supply chains throughout the course of the year, Searle said, noting the growing importance of supplier security checks – of both people and technology – to meeting ever-tighter governance requirements.
With supplier contracts set to include “more prescriptive” right-to-audit clauses, and organisations seeking to activate them on a more regular basis, a growing number of companies “are trying to get some sense of comfort that their suppliers are actually behaving in a secure manner.”
“You want to be able to say what your security controls are,” he said, “and give those further up the chain the understanding that you have a sense of doing the right thing. But this is all about organisations understanding their information assets, where they are, and what controls they have in place.”
“If an organisation doesn't have a clear understanding of its information assets, it's very difficult for them to implement the right controls.”