Lessons to be learnt from recent high-profile cyber hacks

Our CEO, Nick Denning, looks at what Public Sector organisations could learn from private sector cyberattacks and hacks

Recent cyberattacks on several high-profile players identify third parties as the initial point of attack. Partners and suppliers become the back-door entry point into the systems of the actual target organisations, where real mayhem can be caused and the greatest cash extracted. It has become vital to work out how to monitor and audit third parties, what level of certification is required, and what to ask suppliers and partners to provide as evidence in contract negotiations, on an ongoing basis and to support the purchase of cyber insurance.

UK Government departments need to adhere to a range of security standards and accreditations to protect sensitive information and implement robust cyber security. These include ISO 27001 for information security management and, as detailed on gov.uk, the Minimum Cyber Security Standard (MCSS). However, there are many more actions organisations can take to improve safety when working with partners and suppliers.


Third party entrance points – the weakest link?

Organisations are connected like never before, and supply chains can be large and complex, integrating the products and services of many different suppliers. The recent high-profile cyberattacks on private sector companies have demonstrated that attackers have the ability to exploit security vulnerabilities in the weakest link in a supply chain. Third parties are those that share systems and data with the main target, which means the ‘attack surface’ now extends far beyond a single department’s or organisation’s boundaries.


What questions should you ask?

Here are initial questions to ask any organisation in your supply chain that needs to log into, connect with, or share data with your own internal systems:

  • What certifications and skills are in place?
  • Is the organisation Cyber Essentials and/or Cyber Essentials Plus certified?
  • What about Government Security Classifications?
  • How often are penetration tests carried out and when was the last one?
  • What systems are in place to defend against cyberattack?


Cyber Essentials

The importance of checking third parties’ cyber security preparedness cannot be overstated. The government-endorsed Cyber Essentials (CE) scheme was designed to help protect UK organisations from the most common cyber threats and establish a sound cyber defence posture. Ensuring all elements in the supply chain meet the CE standard is a minimum which will help make the whole network more robust.

Cyber Essentials Plus (CE+) is the next level up: it moves away from self-certification and requires an external assessor to verify the controls. This means additional requirements and greater assurance, and should be combined with awareness of IASME assurance and the ISO 27001 standard.


How do you check and monitor third party responses?

It is not always easy to be certain with whom you are actually working and upon whom you depend. Do your suppliers have their own partners, sub-contractors and embedded third-party elements? They might say they have certifications, but what are the best checks? How do you identify best practice even among those with CE+?

Be sure to check against the database of CE certificates to find out whether an organisation actually holds the certification it claims and when that certification expires. Those suppliers and partners in the best position will have monitoring in all shapes and forms to spot when an attack is happening, so they can respond. There will be systems in place to identify changes in their own and the department’s risk profile. The best third parties will be practising incident management and taking incremental backups to help recover from ransomware attacks.


What are the questions to ask third parties?

Asking the following questions of all suppliers, or third parties of any description, will help to provide reassurance that they will protect your systems and data to at least a minimum acceptable level.

  • Are regular cyber security reports available? It is reasonable to expect a definition of their information and security policy and evidence that they have met their own obligations.
  • Is there a risk-aware approach which means monitoring their environment as risk changes?
  • Can they demonstrate that the organisation is monitoring near misses and enhancing awareness and training as a result?
  • If an incident occurs what plans are in place to recover from it?


Keeping safe

Government departments have a legal responsibility to manage their own information securely and have no immunity against data breaches, although some exemptions to data protection law exist under the UK GDPR and Data Protection Act 2018, notably for national security or for crime and taxation.

To maintain a safe cyber security profile, it is possible to remotely manage the status of devices and to prove that up-to-date patching is happening. It is also important to install configuration control software to confirm which products are installed and that no unexpected software is present.


Vulnerability scanning

All systems contain vulnerabilities. Bad actors are skilled at exploiting such vulnerabilities. This makes vulnerability management a critical ongoing exercise. There are tools available to help this process. Software products can be checked against various international databases of vulnerabilities on a daily basis.

The NCSC’s Cyber Essentials Readiness Tool is a good starting point when evaluating an organisation’s vulnerabilities. Assessments must cover the whole of the IT infrastructure used to perform the business of an organisation. All the devices and software should be included which meet the following conditions:

  • Can accept incoming network connections from untrusted Internet-connected hosts;
  • Can establish user-initiated outbound connections to devices via the Internet;
  • Control the flow of data between any of the above devices and the Internet.

A register of physical IT assets should be created. You may already have one for asset management purposes, but it is important to extend it to include intangible assets such as databases and software, employee equipment used for home working or in a BYOD context, and IoT devices. This complete asset register will help in assessing any vulnerabilities.


Training and awareness

People continue to be the weakest link in cyber security defences. The NCSC warned that criminals launching cyberattacks at British retailers were impersonating IT help desks to break into organisations. Marks & Spencer boss Stuart Machin confirmed the hackers got in through ‘social engineering’ when they tricked an employee into giving out passwords or login access. It was also revealed that this was done through a third party that had access to M&S systems. Maintaining a high level of regular training and awareness is essential to help people stop and think before giving out sensitive information.


In conclusion

To best protect your organisation from cyberattacks, it is imperative that you also look across your whole supply chain. As a start, ensure your organisation implements strong business processes consistent with your department’s obligations, which may include Cyber Essentials but might also extend to ISO 27001 or higher. By demonstrating your own commitment, you can reasonably require third parties who access your systems to invest similarly in Cyber Essentials or Cyber Essentials Plus, based on the risks posed.

Be certain that you know each partner and their own level of cyber security. Ensure all third parties understand that security is not a one-off exercise. Where the risk warrants it, demand regular evidence of an organisation’s compliance with its own information security policies and that its certifications are kept up to date.

Finally, as the human elements in the supply chain are often the weakest links, keep your ‘human firewall’ safe, aware and trained.


NB: This blog is based on an article by Nick Denning, CEO of Diegesis, published by Open Access Government (OAG): “Cyber lessons to be learnt from recent high-profile cyberattacks and hacks”.
