International supply chain hardening projects can be an immense undertaking for an organisation. Through experience, observation and participation, there are key factors for success as well as the need for flexibility and appropriate resourcing for the exercise.
Cyjax has recently published a white paper detailing an example of an international supply chain hardening project which was carried out in a large organisation.
It is important to note that Cyjax was not involved in the project in any way. The paper serves as an analysis of the difficulties which may be encountered by companies attempting to enhance their cyber-security strategies through assessing the strengths and weaknesses of the policies and practices implemented by their supply chain partners.
The main findings of the project can be summed up in the following way:
- Organisations are unlikely to understand or be able to identify the full scope or scale of their supply chain.
- Effective communication within the organisation is essential to ensure everyone knows the meaning and intent of the project. If there is minimal understanding, key business relationships can be damaged. Support for the aims of the project is vital from all concerned.
- Openness, patience and accountability are essential requirements.
- The project will require a formal charter and deliverables along with a timeline and appropriate resources, especially business analysts, procurement specialists and, when required, IT resources such as technical experts and system architects.
The organisation in this case study embraced a supply chain hardening project to address key business risks and gain visibility and understanding of all the “parts” which allow it to function.
The goal of the exercise was to construct a cyber risk profile for each partner organisation, and to assess the potential impact of a data breach of that vendor, contractor, service provider or manufacturer: in short, an entire analysis of the amount and type of information that supplier collected or processed.
The format of this data gathering exercise consisted of a short assessment, which contained multiple choice answers as well as some room for additional detail. The assessment forms were then scored and given an overall Risk Profile ranging from Very Low to Very High.
Although this data dump approach would result in a comprehensive view of the supply chain, a great deal of time and effort was wasted in pursuing information from partners that would prove to be very low risk, easily replaceable with an alternative, and generic in the services they provided.
Unsurprisingly, the dynamic nature of the supply chain contained several third-party dependency relationships which impacted the data collection effort and demanded scrutiny of even more partner organisations. The project scope quickly expanded from the initial target of 12,000 assessments to 24,000 once the data had been examined: additional resources were then obviously required.
Another perhaps fatal flaw in the project was its reliance on mass email communication, which proved to be both a data management challenge and a data integrity issue. A significant number of assessments were received from entities the team had not contacted, demonstrating that in many cases contacts within the supply chain were forwarding these assessments – most notably the Cyber Risk Profile assessment – to other regional branches or even sister organisations.
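The scoring described above (a short multiple-choice assessment rolled up into a Risk Profile from Very Low to Very High) and the reconciliation problem just described (responses arriving from entities that were never contacted) can both be illustrated in code. The following is an added example, not the case-study organisation's or Cyjax's tooling: the question set, answer weights and band thresholds are assumptions, and the supplier identifiers and responses are constructed. Two design choices are worth noting: an answer of "unknown" (the respondent did not understand the question, the failure mode discussed later in the post) is scored at the worst level rather than ignored, so a gap in understanding never lowers a supplier's risk; and every response is checked against the list of entities actually contacted, so forwarded or unsolicited assessments are flagged rather than silently merged into the dataset.

```python
"""Illustrative supplier cyber-risk scoring and response reconciliation.

Constructed example. The questions, weights and bands below are
assumptions for demonstration, not the assessment used in the case study.
"""

# Each question maps answer choices to a risk score (higher = more risk).
# The two technical questions echo the ones the post says suppliers struggled
# with: application whitelisting and anti-virus sandboxing.
QUESTIONS = {
    "data_classification": {"public": 0, "internal": 1, "confidential": 2, "regulated_personal": 3},
    "mfa_for_remote_access": {"yes": 0, "partial": 1, "no": 3},
    "application_whitelisting": {"yes": 0, "partial": 1, "no": 2},
    "av_sandboxing": {"yes": 0, "no": 2},
    "breach_notification_sla_hours": {"<=24": 0, "<=72": 1, ">72": 2, "none": 3},
}

# Answers that mean "the respondent could not answer"; scored conservatively.
UNKNOWN_ANSWERS = {"unknown", "", None}

# Upper bound (exclusive) on the normalised score for each band.
BANDS = [(0.2, "Very Low"), (0.4, "Low"), (0.6, "Medium"), (0.8, "High"), (1.01, "Very High")]


def score_assessment(answers):
    """Return (normalised score in [0, 1], band label, list of unanswered questions).

    Unknown, missing or unrecognised answers count as the worst answer for that
    question, so a supplier that does not understand a control is not rated as
    if it had the control.
    """
    total = 0
    worst_possible = 0
    unanswered = []
    for question, choices in QUESTIONS.items():
        max_score = max(choices.values())
        worst_possible += max_score
        answer = answers.get(question)
        if answer in UNKNOWN_ANSWERS or answer not in choices:
            unanswered.append(question)
            total += max_score
        else:
            total += choices[answer]
    ratio = total / worst_possible
    band = next(label for limit, label in BANDS if ratio < limit)
    return ratio, band, unanswered


def reconcile_responses(contacted_ids, responses):
    """Split responses into (unsolicited responses, contacted suppliers with no response).

    contacted_ids: iterable of supplier ids the team actually emailed.
    responses: list of dicts with at least a "supplier_id" key.
    """
    contacted = set(contacted_ids)
    responded = {r["supplier_id"] for r in responses}
    unsolicited = [r for r in responses if r["supplier_id"] not in contacted]
    missing = sorted(contacted - responded)
    return unsolicited, missing


# Constructed sample data: three suppliers contacted, three responses received,
# one of which comes from an entity (S-999) that was never on the outreach list.
CONTACTED = ["S-001", "S-002", "S-003"]
RESPONSES = [
    {"supplier_id": "S-001", "answers": {
        "data_classification": "regulated_personal",
        "mfa_for_remote_access": "yes",
        "application_whitelisting": "unknown",   # did not understand the question
        "av_sandboxing": "no",
        "breach_notification_sla_hours": "<=72",
    }},
    {"supplier_id": "S-002", "answers": {
        "data_classification": "public",
        "mfa_for_remote_access": "yes",
        "application_whitelisting": "yes",
        "av_sandboxing": "yes",
        "breach_notification_sla_hours": "<=24",
    }},
    {"supplier_id": "S-999", "answers": {}},     # forwarded / unsolicited response
]


def run_demo():
    """Score every solicited response and report reconciliation results."""
    unsolicited, missing = reconcile_responses(CONTACTED, RESPONSES)
    results = {}
    for r in RESPONSES:
        if r in unsolicited:
            continue  # quarantine for manual follow-up rather than scoring it
        ratio, band, unanswered = score_assessment(r["answers"])
        results[r["supplier_id"]] = (round(ratio, 3), band, unanswered)
    return results, [r["supplier_id"] for r in unsolicited], missing


if __name__ == "__main__":
    scored, unsolicited_ids, missing_ids = run_demo()
    for sid, (ratio, band, gaps) in scored.items():
        print(f"{sid}: {band} ({ratio}), unanswered={gaps}")
    print("unsolicited:", unsolicited_ids)
    print("no response:", missing_ids)
```

In practice the "unanswered" list is as valuable as the band itself: it tells the project team which suppliers need a follow-up conversation rather than a re-sent form, and the unsolicited list gives procurement a concrete set of relationships it did not know it had.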
Instead, the project came to be viewed by the organisation as a distraction to daily operations and staff productivity. Further, it became apparent that the procurement team and contract management had no real idea of who they were truly dependent on. Eventually, the customer informed us that their supply chain consisted of more than 150,000 business relationships.
All projects require stakeholder buy-in for them to be effective. This extends from the highest levels of executive leadership down to the department heads, team leaders and finally members of staff involved. The project’s revelations made the organisation feel uncomfortable as the subtext of the data gathered could be interpreted as “poor performance” on the part of the managers and teams. This situation quickly descended into acrimony, delays and accusations of the project being “a waste of time and money”.
Problems relating to efficiently gathering assessment data into a manageable format also quickly surfaced. Although the project team had selected a SaaS platform to manage the assessment effort – which the organisation had internally vetted and deemed secure for processing the cyber risk profiles – some suppliers with different regulations, levels of risk or internal policy requirements were not comfortable putting sensitive or potentially sensitive data into a third-party tool they had little knowledge of. The result was that the data had to be entered into Excel spreadsheets, abandoning any hope of automation and efficiency.
Externally, the aims of the project were thwarted by the supply chain entities themselves. As the team sent out more assessments to contacts taken from the procurement teams' and contract managers' records – without prior communication about the data-gathering – the suppliers unsurprisingly reacted against them. Many of the team’s assessments were reported as Spam or Phishing attempts by partners, demonstrating that the organisation had not effectively communicated the project’s goals to its own supply chain partners. Over time, this spam issue appeared to ease, but it never fully went away.
With almost no independent way to verify any of the cybersecurity information received from the supply chain entities, the data collection effort may have been doomed from the start. The major concern was the degree of honesty with which the supply chain organisations would fill out the assessments, since most of the criteria in the form were self-assessed. In addition, the assessments themselves were sent to contacts within the supply chain drawn from the contract managers’ and procurement team’s database. These individuals would most likely not have had much insight into the cyber-security practices, policies and procedures the project team wanted to gather information about, although they were asked to pass the form on to a relevant party who had the knowledge and/or the authority to provide the answers.
It was evident – as far as the project team could tell – that honesty was not so much the issue; rather, the problem was competence and understanding of what had been asked for in the assessment. This was especially true when it came to the technical security questions. Some businesses within the supply chain had no understanding of what was being asked of them, such as requirements for application whitelisting or for the sandboxing capabilities of anti-virus solutions.
Supply chain hardening projects are a huge challenge, especially for global organisations with thousands or tens of thousands of suppliers. Poor practices in data management can make such an exercise nearly impossible, taint any data gathered and cause distress internally and externally with supply chain partners.
Projects such as these can collapse for a variety of reasons, ranging from project scope creep through to the politically sensitive nature of the data.
Good communication, both internally and externally, before and during the project is essential. The aims of the exercise must be explained prior to the launch, with enough lead time to allow the supply chain partners to understand what is expected of them and to field any concerns they may have.
Perhaps the most useful lessons from this example of a supply chain hardening project are that good communication and transparency are key requirements. In addition, the planning of an exercise like this should be structured in such a way as to allow for sufficient resources to be allocated to it, and unforeseen variables to be incorporated at short notice.
Our White Paper on this case study can be accessed here.