In another awareness-raising incident, it was reported in December 2013 that Target, in the United States, had the personal information of 70 million people stolen, including credit card details, names, addresses, phone numbers and email addresses. Target reported a loss of $162 million in expenses across 2013 and 2014 related to this data breach.
It was later alleged that the system of a Target heating, ventilation and air conditioning (HVAC) contractor had been hacked, and that the contractor's password provided a conduit into the secure Target systems used to process customer payments. This is a seemingly impossible scenario, and a risk that, in all probability, would not appear on the risk register or risk heat map of many organisations.
With contractors and suppliers having access to clients' systems, the number of cyber security incidents involving suppliers has increased. In many cases organisations have implemented controls and undertaken assessments of their suppliers, but for most organisations the risk a supplier poses is expressed in contractual terms relating to the ability to provide goods or services, rather than in terms of any direct interaction with core systems.
Where the risk is examined at all, suppliers are often assessed on, and report on, their cyber security risk only in terms of the incidents and breaches they have themselves experienced. Such assessments may not consider the controls the supplier has in place to manage its own information security, nor how the supplier manages its sub-contractors in relation to cyber security.
In order to better manage supplier cyber security risk, organisations should consider the following:
- Include cyber security risks, including contractor and supplier cyber security risks, within the enterprise risk analysis process
- Ensure a planned and coordinated approach to assessing and inducting suppliers
- Develop and implement a proactive supplier assessment and monitoring program based on the risk each supplier poses to the organisation
- Ensure suppliers are aware of cyber security incidents and report them to the organisation promptly
- Develop training and awareness programs to raise employee awareness of cyber security risks, to help prevent, detect and manage those risks
- Develop contingency plans and response strategies for cyber security risks
- Include reports from senior management to the board on the organisation's cyber security risk profile, covering supplier risks as well as the systems put in place to manage those risks.
Please contact QRMC for more information or to assist with the review of enterprise risk registers and contractor management.