The financial services sector is experiencing extreme disruption coupled with rapid innovation as established institutions strive to become more agile and meet evolving customer demand. At the same time, new market entrants compete fiercely for customers. Increasing operational flexibility, through the deployment of cloud infrastructure or via digital transformation initiatives, is critical for future competitiveness. However, it has also driven regulatory and security challenges, particularly around working with suppliers.
The benefits of a diverse, interconnected supply chain are compelling: agility, speed, and cost reduction all weigh on the positive side of the equation. It is prompting financial institutions to pursue close, collaborative relationships with suppliers, often numbering in the hundreds or thousands.
Weakness in the supply chain
On the negative side is the increased cyber threat that comes with opening enterprise networks to the supply chain. In today's interconnected digital ecosystems, most financial organisations have many supply chain dependencies, and a vulnerability in just one of them can bring the business to its knees.
As a result, breaches originating in third parties are common and costly. A recent Ponemon Institute/IBM study found that a breach caused by a third party was the single factor that most amplified the cost of a breach, adding an average of $370,000.
Concern around the supply chain was also evidenced in a recent report we have just issued. We interviewed 250 CISOs and CIOs from financial institutions about the cybersecurity challenges they face. Nearly half (46%) said that cybersecurity weaknesses in the supply chain had the biggest potential to cause the most damage in the next 12 months.
But sharing information with suppliers is essential for the supply chain to function. Most financial services organisations go to great lengths to secure intellectual property, personally identifiable information (PII) and other sensitive data internally. Yet when this information is shared across the supply chain, does it get the same robust attention?
Further amplified by COVID-19
Financial services organisations have always been a key target for cyber attacks. Our research showed that since COVID-19 hit, the risk has risen further: 45% of respondents are seeing increased cybersecurity attacks during this period. At the same time, attackers are rejecting frontal assaults on well-defended walls in favour of infiltrating networks via vulnerabilities in suppliers.
Meanwhile, financial services organisations must maintain their reputations and ensure customer trust. Firms are keen to demonstrate that they are protecting customer assets, providing an ultra-reliable service and working with trustworthy partners. So, what can they do to better protect their supplier ecosystem?
At the very least, they need to ensure basic controls are implemented around their suppliers' IT infrastructure. For example, they should require suppliers to maintain a secure infrastructure certified to at least Cyber Essentials, or an equivalent baseline such as the CIS Critical Security Controls. Cyber Essentials defines a set of controls which, when implemented, give organisations basic protection against the most prevalent threats: commodity attacks that need little attacker skill and rely on tooling widely available online.
Likewise, they need to ensure that good information management controls are in place. This begins with accurate information/data classification. After all, how can you apply appropriate controls to your information unless you know what it is and where it is?
How ISO27001 helps organisations put in place a data classification process
The international standard for information security is ISO27001. It describes the basic ingredients of data classification, which ensure that data receives a level of protection appropriate to its importance to the organisation. It comprises three basic elements:
- Classification of data – Information is classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.
- Labelling of data – An appropriate set of procedures for information labelling is developed and implemented in line with the organisation's information classification scheme.
- Handling of assets – Procedures for handling assets are developed and implemented according to the organisation's information classification scheme.
Adopting this methodology will help financial services organisations and their supply chain take a more data-centric information security approach. Implementing a data risk assurance approach across the supply chain then involves four key stages, covered in turn below: gaining stakeholder support, discovering and classifying the information that is shared, mapping data categories to contracts and verifying controls, and embedding data risk management into the procurement lifecycle.
In organisations with complex supply chains, senior management, vendor management, procurement, and information security will need to support a robust risk-based information management approach. Details of previous incidents and their impact alongside the business benefits will be essential to gain stakeholder buy-in.
Organisations should start with Tier 1 suppliers and initially identify the contracts with the highest business impact/risk. They should identify and record information repositories and the data they contain together with the responsible business owners. Define a business taxonomy based on information categories of that data. Include supply chain factors such as what information categories are shared.
In particular, they need to understand the business impact of compromise for each information category. Have any suppliers suffered security incidents? What assurance mechanisms are in place? Once all this information is collated, the organisation can create a data classification policy and define a set of controls for each data category.
Select each data category and identify the associated contracts. Prioritise the data category based on the risk assessment. Verify that the data security controls and arrangements for each data category and contract meet the overall requirements. Once complete, hand over the contract for inclusion in the vendor management cycle.
The overall objective is to embed information risk management into the procurement lifecycle from start to finish. Therefore, whenever a new contract is created there are a number of actions required. These embed data risk at each stage of the bid, tender, procurement, evaluation, implementation and termination phases of the contract.
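The stages above (classify the data, attach a control set to each category, map contracts to categories, verify the supplier's controls and prioritise for vendor management) can be captured as a small register that is re-run whenever a contract or supplier assessment changes. The following is an added example, not code from the article or from Boldon James: the classification scheme, the control names, the risk weighting and the supplier contracts are all constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical data classification scheme (not from the article): each category
# carries the business impact of compromise (1 = negligible, 5 = severe) and the
# minimum control set a supplier handling that category must evidence.
SCHEME = {
    "public":       {"impact": 1, "controls": set()},
    "internal":     {"impact": 2, "controls": {"cyber_essentials"}},
    "customer_pii": {"impact": 4, "controls": {"cyber_essentials", "encryption_at_rest",
                                               "encryption_in_transit", "breach_notification_72h"}},
    "payment_data": {"impact": 5, "controls": {"cyber_essentials", "encryption_at_rest",
                                               "encryption_in_transit", "breach_notification_72h",
                                               "pci_dss_aoc", "right_to_audit"}},
}


@dataclass
class Contract:
    supplier: str
    name: str
    categories: frozenset   # information categories shared under this contract
    evidenced: frozenset    # controls the supplier has actually evidenced
    prior_incidents: int = 0


def required_controls(contract):
    """Union of the control baselines of every category the contract touches.
    Unclassified data is rejected outright: you cannot choose controls for
    data you have not classified."""
    unknown = contract.categories - set(SCHEME)
    if unknown:
        raise ValueError(f"unclassified categories in {contract.name}: {sorted(unknown)}")
    req = set()
    for cat in contract.categories:
        req |= SCHEME[cat]["controls"]
    return req


def business_impact(contract):
    """A contract is as sensitive as the most sensitive category it carries."""
    return max((SCHEME[c]["impact"] for c in contract.categories), default=0)


def control_gaps(contract):
    """Controls the category baseline demands but the supplier has not evidenced."""
    return required_controls(contract) - contract.evidenced


def risk_score(contract):
    """Hypothetical weighting: impact scaled by the number of missing controls,
    plus one point per past incident at the supplier."""
    return business_impact(contract) * (1 + len(control_gaps(contract))) + contract.prior_incidents


def prioritise(contracts):
    """Highest-risk contracts first, ready for the vendor management cycle."""
    return sorted(contracts, key=risk_score, reverse=True)


# Constructed sample register: suppliers, contracts and evidence are invented.
CONTRACTS = [
    Contract("Acme Print", "statement printing", frozenset({"customer_pii"}),
             frozenset({"cyber_essentials", "encryption_in_transit"}), prior_incidents=1),
    Contract("PayCo", "card processing", frozenset({"payment_data", "customer_pii"}),
             frozenset(SCHEME["payment_data"]["controls"])),
    Contract("Bright Marketing", "campaign analytics", frozenset({"internal", "public"}),
             frozenset()),
]

if __name__ == "__main__":
    for c in prioritise(CONTRACTS):
        gaps = sorted(control_gaps(c)) or ["none"]
        print(f"{risk_score(c):>3}  {c.supplier:<17} {c.name:<20} gaps: {', '.join(gaps)}")
```

Two design points carry over from the article regardless of the weighting chosen: a contract inherits the baseline of the most sensitive category it handles, so a low-value contract that incidentally receives customer PII is held to the PII controls; and a contract whose data has not been classified cannot be scored at all, which is the practical consequence of the question "how can you apply appropriate controls to your information unless you know what it is?"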
To summarise, organisations should start by researching the information risk and security frameworks such as ISO27001 and others. They should then focus on defining their business taxonomy and data categories together with the business impact of compromise to help develop a data classification scheme. Finally, they should implement the data classification scheme and embed data risk management into the procurement lifecycle processes from start to finish.
By effectively embedding data risk management and categorisation into their procurement and vendor management processes, they are preventing their suppliers’ vulnerabilities becoming their own. They are more effectively securing data in the supply chain.
Boldon James is an industry specialist in data classification and secure messaging, delivering globally-recognised innovation, service excellence and technology solutions that work. Part of HelpSystems, we integrate with powerful data security and governance ecosystems to enable customers to effectively manage data, streamline operations and proactively respond to regulatory change. We have a 35 year heritage of delivering for the world’s leading commercial organisations, systems integrators, defence forces and governments.