Could your supply chains put you at risk of a cyber attack?

For financial professionals only

Supply chains are unavoidable – advice businesses rely on a wide range of platforms and suppliers to protect their clients’ information. But every supplier is also a potential point of entry, and supply chain risk is now one of the top cyber threats facing UK businesses.

According to a government report, just over 1 in 10 businesses say they review the risks posed by their immediate suppliers. Gartner predicts that by 2025, 45% of businesses will have experienced attacks on their software supply chains, with cyber criminals increasingly targeting suppliers to gain access to their customers.

Last year, Capita suffered an attack that caused data breaches for over 90 businesses, including Aviva, Royal London and The Pensions Regulator. A vulnerability in the file transfer tool MOVEit affected at least 122 organisations, including Ernst & Young, the BBC, Shell and British Airways.

As the financial services industry continues to digitalise, more advisers are looking to partner with suppliers, widening the potential attack surface. Here are six smart steps you can take to reduce your exposure to cyber-attacks.

1. Assess your suppliers' risk profiles

Create an inventory of your suppliers, identifying those key to your business operations (e.g. suppliers that store or handle your customers’ confidential information).

2. Initial and ongoing due diligence

Before onboarding any supplier, carry out due diligence (especially on key and high-risk suppliers) and repeat it every 12 months. Have a set of questions ready to ask your suppliers so you can be confident of identifying any new weaknesses or risks to their security controls, or of spotting threats that have evolved since the previous review.

SecurityScorecard suggests these top 10 cyber security questions to ask your vendors, or you can use the National Cyber Security Centre's supplier questions to get started.

3. Prioritise suppliers that focus on security

Focus on suppliers who can demonstrate their cyber security and resilience controls. Remember, the depth of cyber security will vary depending on the size and maturity of the organisation. Controls like these are signs of a mature security programme:

  • Alignment or certification to security standards like ISO 27001, the NIST Cybersecurity Framework or SOC 2.
  • Having a dedicated role for information security.
  • Information security policies that apply to all staff, contractors, etc.
  • Security awareness training during onboarding, and then repeated annually.
  • Layered security controls to counter constantly evolving threats (patch management, data loss prevention tools, vulnerability management, password managers, endpoint protection).
  • Incident response process and plans in place.
  • Using and offering multifactor authentication (MFA) or Single Sign On (SSO).
  • Annual independent security assessments of their network and service.
  • Regularly reviewing privileged access rights.
  • Vetting new employees.

4. Create contractual clauses

Consider adding clauses to your contracts with suppliers relating to cyber security – they can be added into the process during onboarding or at your annual reviews, and could include:

  • Obligations to maintain and follow their security policies and procedures.
  • Timeframes for notifying you of a security incident or data breach.
  • The right to audit where there has been a security incident or external report with adverse findings.

5. Monitor suppliers' access to your assets or data

Giving a supplier remote access to your network or systems can increase the chance of an attacker accessing your assets and data. To reduce this risk, you should:

  • Consider if the level of access granted to the supplier is appropriate or can be restricted (e.g. giving the least privileged access possible).
  • Use named accounts only – shared accounts make it harder to spot anomalies and attribute activity, giving attackers more opportunity.
  • Ensure you're notified when the third party no longer needs access (e.g. employees have changed roles or left the business) to make sure you aren't left with active but redundant accounts.
  • Make additional account security mandatory for third party accounts (e.g. MFA or SSO).
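The four checks above can be run against a register of supplier accounts rather than reviewed by hand. The script below is an added example and is not part of this article or of Parmenion's tooling; the account inventory, the supplier names and the "approved role" table are constructed for illustration. It flags shared accounts, accounts without MFA, accounts holding more privilege than the supplier's service needs, accounts whose agreed end date has passed, and accounts that have not been used recently enough to justify keeping them active.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass
class SupplierAccount:
    """One third-party account in our systems (fields are hypothetical)."""
    username: str
    supplier: str
    named_user: Optional[str]      # None means a shared or generic login
    mfa_enforced: bool
    roles: Set[str]
    last_login: Optional[date]     # None means never used
    access_end: Optional[date]     # date the supplier said access is no longer needed


# Constructed table: the minimum roles each supplier needs to deliver its service.
# A supplier missing from this table has no agreed access profile at all.
APPROVED_ROLES = {
    "BackupCo": {"backup-operator"},
    "PlatformX": {"api-read"},
}

# Constructed sample inventory reviewed on a fixed date so results are repeatable.
REVIEW_DATE = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    SupplierAccount("backupco-svc", "BackupCo", None, False,
                    {"backup-operator", "domain-admin"}, date(2024, 5, 29), None),
    SupplierAccount("platformx-jdoe", "PlatformX", "J. Doe", True,
                    {"api-read"}, date(2024, 5, 22), None),
    SupplierAccount("platformx-asmith", "PlatformX", "A. Smith", True,
                    {"api-read"}, date(2023, 11, 1), date(2024, 5, 2)),
    SupplierAccount("auditco-rlee", "AuditCo", "R. Lee", True,
                    {"read-only"}, None, None),
]


def review_third_party_access(accounts: List[SupplierAccount], today: date,
                              stale_after_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for every account needing attention."""
    findings = []
    for acct in accounts:
        # Named accounts only: a shared login cannot be tied to a person.
        if acct.named_user is None:
            findings.append((acct.username, "shared account: attribute it to a named person"))

        # Additional account security is mandatory for third parties.
        if not acct.mfa_enforced:
            findings.append((acct.username, "MFA not enforced"))

        # Least privilege: compare granted roles with what the supplier needs.
        approved = APPROVED_ROLES.get(acct.supplier)
        if approved is None:
            findings.append((acct.username, "supplier has no approved access profile"))
        else:
            excess = acct.roles - approved
            if excess:
                findings.append((acct.username,
                                 f"privileges beyond supplier need: {sorted(excess)}"))

        # Redundant accounts: agreed end date passed, or no recent use.
        if acct.access_end is not None and acct.access_end <= today:
            findings.append((acct.username, f"access should have ended on {acct.access_end}"))
        elif acct.last_login is None or (today - acct.last_login).days > stale_after_days:
            findings.append((acct.username,
                             f"no login in {stale_after_days} days: confirm still needed"))
    return findings


if __name__ == "__main__":
    for user, finding in review_third_party_access(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"{user}: {finding}")
```

Run on the sample inventory, the script leaves `platformx-jdoe` untouched (named, MFA, minimal role, recently used) and raises three findings against the shared `backupco-svc` login alone. The "approved roles" table is the part you would maintain from your supplier inventory in step 1, so the privilege check reflects what each supplier was actually onboarded to do.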

6. Offboarding suppliers

When your relationship ends with a supplier, make sure you regain control of your assets, shutting down any access to your information or systems, and ensuring the supplier securely disposes of your data.

Careful vetting and monitoring of your suppliers and platform providers will give you a better understanding of their security and resilience, as well as confidence that you’re taking crucial steps in reducing the chances of a cyber breach.

Remember to keep records of your due diligence and monitoring, as the regulator may request them should an incident occur.

This article is for financial professionals only. Any information contained within is of a general nature and should not be construed as a form of personal recommendation or financial advice. Nor is the information to be considered an offer or solicitation to deal in any financial instrument or to engage in any investment service or activity.

Parmenion accepts no duty of care or liability for loss arising from any person acting, or refraining from acting, as a result of any information contained within this article. All investment carries risk. The value of investments, and the income from them, can go down as well as up and investors may get back less than they put in. Past performance is not a reliable indicator of future returns.