Securing the supply chain

Giant morph figure, pushing a large box of cyber security risk (handle with care). The box is squashing other tiny morph figures who are trying to push the box back towards the giant.

Why cyber security policies for the supply chain shouldn’t ask for ‘high’ security…

In the majority of large UK businesses, cyber security now sits among the board of directors’ top two business risks, while in the US it is typically considered the #1 risk. SMEs don't tend to record risk as formally as their larger counterparts, but the implications of the new GDPR requirements have still made the issue more visible.

In big organisations, cyber security has often reached a level of maturity where the “low hanging fruit” have been addressed. Over years of incremental improvements, the cyber security function has developed to the point where the remaining vulnerabilities are expensive to address… with one exception: securing suppliers and customers. Because business practices have evolved to streamline interactions and increase IT use, suppliers and customers now have the ability to make mistakes that cause a cyber security breach outside of their own businesses.

Recently, I’ve partnered with Alasdair Taylor of Docular to produce template cyber security policies that combine a technical understanding of cyber security risk with the expertise to create legal contracts. The document that required the most collaboration? Our supply chain cyber security policy.

Our policy includes guidance to help its users choose the approach that works for them. This article discusses why there’s one approach we chose not to offer as an option to document purchasers. Taking a combination of questions that I hear during my consultancy and research, with questions Alasdair and I debated, I discuss some of the potential pitfalls of adding cyber security requirements to B2B interactions.

What approaches does the policy include?

When I discuss the ‘approach’ an organisation takes towards B2B cyber security, I’m talking about the high-level strategy an organisation has when they develop their B2B policy, namely:

A. Have you identified a specific risk, which you require your supply chain to adequately reduce?

Or

B. Do you have a more general concern about cyber security, meaning that you require your supply chain to implement a minimum benchmark for security?

In the case of ‘adequate’ security, the most likely scenario is one of a Data Controller applying specific cyber security requirements to an asset when a supplier becomes a Data Processor:

  • The security risk is clearly linked to a dataset;

  • The dataset has an associated Privacy Impact Assessment; and

  • It doesn’t matter which organisation looks after the asset: there is the same ‘reasonable’ obligation to protect it.

In the case of a ‘minimum benchmark’ level of security, the policy writer doesn’t have a specific risk to tie their concerns to – they are just aware that, for their own security, they have to motivate improvements in their ecosystem’s security. This might be by describing a cyber security benchmark bespoke to the organisation, or by requiring all suppliers to show compliance with a specific standard, or a combination of the two.

But… if you have ‘minimum’ and ‘adequate’ why isn’t there an option for ‘high’ security?

Because cyber security is about getting people to make good decisions, and telling suppliers “we require much better than average security” demotivates in three ways:

1. Cyber security is a risk-based process

Anyone asking for cyber security investment that is out of proportion with the identified risk is telling their supplier that they expect them to achieve something the policy writer’s own business can’t justify.

Proportionate means that security investment, measures and processes should be adequate for the protection of an asset. Measures should, as a minimum, provide their customers with the confidence that their cyber security risk has been recognised and reduced to within their supplier's risk appetite. ‘High’ security, disproportionate to risk, isn’t good cyber security practice.

2. The measure of ‘proportionate’ investment varies between organisations

Why don’t we want to hold everyone, even our pencil suppliers, to the same high standard?

Supply chain cyber security risk isn’t the same as the average project risk. In projects the risk (to completion) is transferred to a subcontractor and processes like disaster recovery reduce the security risks. In supply chain cyber security, we are discussing a shared (rather than transferred) risk, one that is often not described in the contract.

Imagine the scenario where a large supermarket tells all their suppliers that they must implement ‘high’ security as part of their next contract. If a small business, for example a repair company contracted for $30K, asks what level of risk they are being asked to provide ‘high’ security for, an honest reply might be $300M.

Where might this risk come from?

The customer’s insistence that they be invoiced through their in-house finance portal. The security requirement is that none of the supplier's employees make the mistake of letting a hacker obtain their password. (If this example looks familiar, you might have read about the Target data breach at the time it happened).

The $300M reflects the complexity of the customer’s IT system. This scenario isn't about the customer having no security of its own apart from the supply chain; it's about big businesses having made so many tiny decisions about security and IT use that it's almost impossible for them to tell when one decision undermines another. And a hacker only needs one way in.

In security, small improvements, especially when they reduce the risk of human error, can have massive benefits. The prospect of telling a supplier with a contract worth $30K that they’re now responsible for reducing $300M of risk (when the service of ‘holding customer cyber risk’ is unmentioned in their contract) hopefully explains why suppliers push back so hard on contractual cyber security requirements.

Asking for less might achieve more.

3. The bigger the customer the harsher the contract

Larger customers like to have an easy way to terminate contracts. Requiring ‘high’ security from a far smaller supplier would be an easy addition to the complex, inflexible and almost unachievable terms that give big businesses this guarantee.

Why is cyber security really not the place to introduce harsh terms?

Because if you’re writing a supply chain cyber security policy:

  • It’s to reduce your #1 or #2 business risk;

  • You have a genuine need for suppliers to work with you; and

  • The harshest requirements in the contract are the ones suppliers are most likely to accept the risk of ignoring – they anticipate the contract writer’s goal.

Businesses who have inadvertently made efficiency decisions that share the control of one of their biggest business risks with suppliers one thousandth of their size need to aim for collaboration not conquest. They need these requirements to be high in their suppliers’ priorities. If there’s a cyber breach and they want to leave a contract, there’ll be other ways to terminate it.

However you approach supply chain cyber security, unless all of your suppliers are the same size of business, what you are asking for will probably always feel like ‘high’ security to the contractor. Much smaller suppliers will struggle with implementing security that a large organisation can evaluate against their own processes. Much larger suppliers will consider their customer’s contracts too small to allow for flexibility in service. They may even consider them too small to warrant transparency and answer questions about security.

Describing requirements as ‘adequate’ or as a ‘minimum benchmark’ is good practice. That framing, possibly combined with the introduction of mutual B2B cyber security policies, sets up the negotiation in a way that allows both parties to recognise and begin reducing their shared risks.

When it comes to cyber security, publicised breaches have shown us that some businesses are "too big to fail". But small suppliers do fail after cyber breaches. They're already motivated, they just need requirements that fit their business.