Data breaches and hacking.
Hackers have become the new criminals in our world, and as crime on the streets continues to be an issue for communities, the world leaders focus on the threat to the very lines of communication that we use and the slapdash way many use them.
Never before have so few been able to affect so many. With hacks happening every minute of every day, it’s now not a case of if you’ll be affected, but when.
The weakest link
You can protect against malware; you can run tools that filter spam, you can protect your smartphone, your laptops, and your servers… But there’s a part of your process that has a gaping hole in its vulnerability. It’s in every single company, business, and organisation and it always will be.
It turns out that we, the people under threat, are the biggest threat to our security but we’re also the weakest link in the chain too. Most hacks happen when someone who isn’t trained to a high enough standard makes an error.
Email phishing is still a genuine threat because it’s so simple to create content that fools and manipulates and sharing malware become very easy and straightforward to do. Hackers don’t try to find the vulnerable and trick just them – now they try to trick everyone!
Why are hackers after our data?It’s all very well for us to tell you that you need to secure your data, but why are the hackers after your data in the first place? What can they do with all those emails and passwords? Sure, it’s a difficult time for you when you suffer a breach, but is it really a problem? There are three main reasons we can see that a hacker will try to get into your systems, and these are:
- Data ransom
- Identity theft
- Stealing infrastructure
Data ransom is where a hacker will steal data and then blackmail the owner of the data into having it back. This can come in the form of a device takeover right up to taking over entire systems much like the NHS hack in 2017 where an old version of Windows that wasn’t supported by Microsoft left the perfect way in for hackers; who in turn took down the NHS for a while.
In the hack, the NHS systems were infected with the ‘Wanna Decryptor’ which is a piece of malicious software that encrypts files and then blocks you from viewing them. The hackers then threaten to delete them unless you pay.
Identity theft might seem like a strange use of data but when you consider that hackers could use your data to create a profile and then use it in under nine minutes, you can start to see that your identity could be used to apply for loans, credit cards, and then used for down payments on large items before you’re even aware your data has been used.
Many will never realise that their identity has been used at all. Identity theft is likely to be the reason behind the recent Facebook incident, where millions of users had their data compromised in the Cambridge Analytica breach.
Stealing infrastructure is a less-talked-about form of hacking. The activity of storing files and apps on someone else computer is a way to avoid storing large amounts of data yourself and thus saves vast sums of money. The risk here is clear: how do you know they’re there, and how do you know the data stored is not infected?
Most data stolen is then sold on the dark web, and the transactions take place with cryptocurrency, which is mostly untrackable and therefore keeps the cybercriminals untraceable.
You’ll find most people don’t even know about the dark web, let along how to find it!
Why Supplier Assurance is Essential
In this report, we want to show you why and how the people you work with, your suppliers and contractors, are now one of those threats to your security and your reputation.
- We’re going to layout the threat they pose
- Share some huge cases where suppliers caused significant problems to global companies
- How you can do everything possible to avoid being the next news story
We’re facing an increasing need to introduce supplier assurance programmes to reduce the risks associated with essential supplier relationships. Our companies grow with suppliers and links with companies who add value, provide essential services, and help us give the best we can give.
But they need onboarding correctly to make sure that you’re not a hack waiting to happen.
Now is the time to look at a more considered risk-centric approach to supplier assurance
In the past, risk management surrounding data and systems wasn’t built into the business model or strategy. It was carried out as a nice-to-have, it was effective in some cases, but not most of the time. It wasn’t effective because it was rarely executed correctly, so it didn’t stop breaches or data hacks.
In the past, it wasn’t okay to deal with suppliers like this, and it certainly isn’t now.
Sharing information with suppliers is essential for the supply chain to function, yet it also creates risk, a risk that’s rising and becoming a global threat to the very core of our world and business.
Ironically (and rather scarily) of all the supply chain risks, information risk is the most under-managed. Maybe this is why it’s on the rise so much? Perhaps it’s because of the sheer volume of data you could reach and problems you could cause.
Nowadays, organisations understand (or at least are starting to understand) that risk management of information should be one of the core components of any business strategy.
We believe that supplier assurance should follow a similar trend. Therefore, organisations need to build supplier risk management from the start.
What is supplier assurance?
Supplier assurance is an approach to managing supplier risk that should be built into the company cybersecurity processes.
Supplier assurance sets out a plan and strategy to help a company onboard and manage their network of suppliers to make sure they’re running their business or company and the systems within it at the same high standard as you.
Remember that weak link in cybersecurity? That’s your supplier, and without good supplier assurance, they will continue to be.
Managing the risk in the supply chain in any company with supplier assurance built into the very core of the infrastructure and strategy of the business or company is the only way to make a big step towards eradicating this threat to your data and your reputation.
Passive supplier risk management is not sufficient. The focus should be on active risk management and a system that works with the suppliers throughout their work and contract, not just as a point in time or during the onboarding.
What are the main drivers for re-thinking supplier risk management?
Supplier assurance is certainly not new, but the way we need to approach it is. There have been some recent drivers to look at suppliers and the supply chain that will not only help companies to question whom they work with and how, but the customers of those companies are now more aware of the risks too.
Here are some of the driving factors:
Regulatory focus – Fines and condemnation will become increasingly commonplace, and the GDPR will further drive the regulatory compliance pressure. Since the GDPR was introduced in May 2018, there have been some very big names held up and shown to the world as companies with an approach to data that was a little less than responsible.
Even before the GDPR came into power, the ICO issued Facebook with the maximum possible fine (£500,000) for their breach that caused the Cambridge Analytica scandal and since then organisations and companies including the Central Hospital of Barreiro Montijo and Marriot International have all been found in violation and been duly reported in the global media for it.
Due Diligence – larger organisations now understand the importance of assessing supplier risks. Business partners may state that third-party assurance is a prerequisite of working together.
There’s now more awareness than ever before that our data is under attack and that the people we work alongside are a risk to our systems.
It’s not always a supplier, though…
As the tradition of company buyouts morphs into software buyouts, some problems come along as software companies and their apps and systems are integrated into companies. This recently happened to sportswear company Under Armour when their app MyFitnessPal (which was acquired by them in 2015 for $475m) caused a huge breach in user data.
The emergence of new and disruptive technologies introduces new risks. With the adoption of cloud and other digital IT solutions, we’re all on board with the connected world and if we may say so, a little blasé about our data and security. Users prefer convenience over security with easy to remember passwords or continuously logged in apps and programs.
The cloud brings with it new opportunities not only for companies and customers alike but also for the cybercriminals. The cloud is hackable and also susceptible to breaches like any other server, and the hackers (as companies get to grips with this relatively new and exciting link in our systems) are moving quickly to catch us out.
What’s really at risk here?
The risk of cybercrime is genuine, and as we’ve shown above, it’s not a small risk and certainly not a chance you should take. The problems that can occur through a breach or attack carry on far longer than the initial costs and headlines too.
Without a proper process and plan in place, most companies will be put into a spin by a data breach as they struggle to work out what’s happened, what caused it, what they need to do now and in the future.
Playing detective on your data breach is costly. Without a strategy, much like the one you’ll have in place for your fire risk assessment, you won’t know what to do when you have a breach or cyberattack. A strategy is essential for you to be able to act fast and in the right way and focused in the right areas.
What’s at risk without good supplier assurance?
Here are the main areas that are at risk when you don’t onboard, audit, or continually monitor your supply chain:
- Company (personal and sensitive) data
- Competitive advantage
Company (personal and sensitive) data
The obvious one and the main headline grabber is the personal information of your customers and clients. Names, email addresses, passwords and other data are the lifeblood of the cybercriminal, and one that you’ll be well aware is something you have, and they want.
Moving more to your company, another large area for concern for a large company are the business processes that are stored in your system. What are you allowing hackers to see? What could we find out about you right now if we had access to your cloud and servers?
Employees’ data is also at risk as this will all be stored online, on your servers, and your systems. Aside from losing faith with your customers, what would happen if your employees found out that a breach you’d suffered left them open to identity theft or worse? How would that affect your business?
Moving on from your systems, what about those secret plans and mergers? The confidential emails, the highly sensitive documents and data you hold with partners and shareholders? What could happen if those were to fall into the wrong hands or how much would you be willing to/have to pay to get them back?
Financial data is now online more than ever, and with the introduction of Making Tax Digital, all VAT registered companies are now submitting tax to HMRC online. This means your finances are online and thus open to attack.
Business plans and new products are going to be stored on your clouds and servers, and there are plenty of people and companies out there who would be very interested in finding out what those are. This is precisely the type of data that would be on the dark web in hours and up for a hefty sum for the cybercriminals. It’s too much temptation for many-a-hacker.
Hefty fines are the headline go-to for the media, but they are a real threat. Since the GDPR was introduced, there have been fines issued, and although low, companies like Google and Facebook have suffered fines and then, of course, drops in customer confidence.
One of the problems seems to be that many data controllers use third-party data processors in their processes, and this isn’t picked up due to lack of supplier assurance.
One single bad headline can wipe millions off the stock price. In the recent Under Armour/MyFitnessPal breach, the stocks fell 3.8% overnight; showing a real-world financial effect from a lack of confidence in the markets.
What can you do to avoid becoming the next data breach headline?The weakest link of your infrastructure will always be the human element. You can put firewalls and filters and encryption in place, but a human is usually the one part of the process that allows the virus, malware, or hackers in. Avoiding data breaches and hacks in your supply chain:
- Supplier assurance
- Build a scalable third-party governance framework
- Ensure supplier risk management is built into the cybersecurity
- Focus on the full lifecycle of supplier management
OmniCyberSecurity can help
OmniCyber has established a robust and scalable third-party governance framework and delivery model that enables you to put a secure third-party agreement in place. When you onboard a supplier and add them to your supply chain, you can bring them up to your level of compliance and then keep them there with regular checks and audits.
One key area of focus is the need to ensure that supplier risk management is now built into your cybersecurity strategy, just like it is for your enterprise risk management. It’s not a bolt-on, it’s not a bonus – it’s an essential 21st Century business process.
Focus the full lifecycle of supplier management from the onboarding to on-going assessment and then the offboarding too. It’s not enough to check once, and it’s negligent to only focus on one part of the lifecycle of your suppliers. There will be many touchpoints and ample chances for them (and hackers) to expose you and your systems. A full cycle approach should be embedded in your cybersecurity.
Where do you go now?
At Omni, will work with clients to identify the critical elements of the third-party lifecycle that are most important to you. We understand your supplier risk profiles as we’re deeply involved in the cybersecurity world and take a keen and in-depth interest in every single avenue of change and risk. We’ll implement a framework for on-going assurance and undertake your risk based on third-party supplier reviews.
Importantly, we will create a clearly defined methodology and a consistent and transparent approach to your suppliers and their role in your supply chain, which allows a more simplified stakeholder and third-party engagement.
It’s a flexible approach that adapts to and accommodates for changes in legislation or the global threat to our civilisation, organisations, and our companies.
Cybercrime being a threat should not be a surprise to most companies, the weak link being the human should not be either, but more and more we’re seeing an apathetic approach to suppliers who unwittingly bring a weak link to a well-oiled chain.
Don’t risk it – get your suppliers into your business in a safe a secure way with a good supplier assurance process that’s built right into your cybersecurity process.
You can contact us at Omni Cyber Security on 0121 7092526 or contact us here.