Understanding and Managing Supply Chain Cyber Risk

Security Risk Management Approach

 

The Risk Management Standard produced by the Institute of Risk Management (2002) states that risk can be “defined as the combination of the probability of an event and its consequences”. Similarly, risk is described in BS ISO 31000:2018, 3.1 as the “effect of uncertainty on objectives”, with Sutton (2014) emphasising its importance in considering the confidentiality, integrity and availability of business information and information management infrastructure. The importance of risk management is further reflected by the suite of standards which have been developed to guide practitioners on how best to produce risk management strategies, policies and procedures, supporting organisations to effectively identify and mitigate risks. With cyber risk identified as being highly likely and impactful for organisations (World Economic Forum, 2016), standards and guidance documents have been produced to support organisations to identify and mitigate cyber risks.

 

Cyber risk is viewed as the result of the interaction between people, technology and process (Perwej et al., 2021). Although it should be recognised that the research is dated, Reason (1995) in particular identifies the importance of human factors when considering risk. This is supported by more recent research which has stressed the important role of human behaviour in cyber risk and security (Henshel et al., 2015; Young et al., 2018). Recognising the importance of all three areas, this report considers risk holistically, covering people, technical controls and processes, using ISO/IEC 27005:2022 Information security, cybersecurity and privacy protection - Guidance on managing information security risks, as a guide. This standard was designed in response to the requirement outlined in ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection - Information security management systems – Requirements, to identify, analyse and evaluate weaknesses in information security processes.

 

ISO 27005 helps organisations to address information security risks by providing guidance on information security risk processes and cycles, and has been adopted as an exemplar of cyber risk management by the National Cyber Security Centre (NCSC, n. d. a). Component-driven risk assessments such as ISO 27005 have been described by the NCSC as a mature approach for assessing cyber risk (NCSC, n. d. b). This bottom-up approach describes the risks to a system's components, which include hardware, software, personally identifiable information (PII), business-critical information and people. It considers the likelihood that individual components will be compromised by threats, as well as the resulting impact. By adopting this approach, an organisation can prioritise risks and the required mitigations according to the business impact that a successful attack or compromise could cause. Another approach, which organisations may wish to consider in the future, is a system-driven risk assessment process. This focuses upon whole systems rather than individual components (NCSC, n. d. c). This top-down approach may also be viewed as holistic, in considering the relationship between systems, people, processes and the technologies they use. Such an approach considers the high-level purpose for which a system exists, but crucially also considers the potential 'losses' which could occur during the course of operations (NCSC, n. d. c). Considering this area early in a project or activity can support organisations to be Secure by Design (Argyropoulos, Mouratidis & Fish, 2020).

 

The successful adoption of such a proactive method for managing risk, and an organisation's ability to implement controls, will be influenced by its culture. Zainudin, Samad and Altounjy (2019) suggest that a shared set of values, resulting in a risk-aware culture, can encourage this. In such an environment, members of a workforce develop knowledge about the risks they face. While a risk-averse culture may be viewed by some as hindering innovation, Secure by Design practices and effective risk management can reduce the risk of the long-term costs associated with retrofitted security. Effective risk education can encourage the development of both an appropriate culture and a risk management system (Zainudin, Samad & Altounjy, 2019). For the purpose of this report, which focuses on Supply Chain Risks, a component-based approach will be adopted, which starts by identifying and defining the tangible and intangible assets being assessed. This can include dependencies over which an organisation may not have any control, such as components within Third-Party infrastructure and systems. In accordance with ISO 27005 (2022) and ISO 31000: Risk Management (2018), this approach to risk assessment quantifies risk through the analysis of the risk elements of threat likelihood and impact.

 

The likelihood of being attacked by human threat actors can be assessed through an analysis of a threat actor's capability, intent, motivation, opportunity and belief that they will get away with an action (NCSC, n. d. d). The NCSC (n. d. d) has identified the difficulty in accurately calculating these factors, given their transient nature. To counter this limitation, it is important that organisations regularly update their threat assessments by gathering reliable information from the national authorities, the National Cyber Security Centre and the National Protective Security Authority. This information can be used to support a vulnerability assessment, which identifies vulnerabilities in components that a threat actor may exploit to impact the confidentiality, integrity and availability of information.

 

The adoption of ISO 27005 is supported by Pan and Tomlinson (2016). Although dated (2016) and therefore focused on an earlier version of the standard (2011), the authors praise ISO 27005 for providing readers with clear definitions for the different stages of a risk assessment process. While this may improve the ability of practitioners to adopt the process, the authors identify a potential weakness in the standard, suggesting that the 2011 standard fails to provide readers with detailed guidance on how best to collect and manage information, which is an integral part of information security risk management. This limitation may be overcome by following the NCSC's (n. d. e) suggestion to use tools and processes including attack trees, threat modelling exercises and scenario planning to help identify threats, vulnerabilities and impacts. Supporting the component-driven risk assessment adopted for the present report, the NCSC includes ISO 27005: Information security, cybersecurity and privacy protection — Guidance on managing information security risks (2022) in the list of approaches it suggests organisations can adopt to perform cyber risk assessments (NCSC, n. d. b). Aligned with the national authority's advice, this approach can be selected, although organisations should consider the NCSC's observation that the standard may require the organisation to employ individuals with the specialist training needed to effectively implement the requirements identified in a report (NCSC, n. d. b).

 

An alternative approach to managing information risk has been developed by the National Institute of Standards and Technology (NIST). NIST 800-39, Managing Information Security Risk, provides “guidance for an integrated, organisation-wide program for managing information security risk to organisational operations” (NIST, 2011, p. 3). Alongside this, NIST SP 800-30 (2012) provides detailed guidance on conducting risk assessments of federal information systems and organisations. Complementing the adoption of ISO 27005, research has suggested that, when used alongside the standard, NIST SP 800-30 can improve the level of detail included in a risk assessment, with the semi-quantitative nature of NIST SP 800-30 supporting the qualitative nature of ISO 27005. In addition to following the guidelines provided by ISO 27005, this report also incorporates the guidance provided by NIST, by performing the risk assessment in accordance with the recommendations of Al Fikri et al. (2019). The assessment followed the order outlined in Figure 1 (Appendix A).

 

Cyber Risk Landscape

Following the global outages to Microsoft devices which resulted from CrowdStrike's failed patch in July 2024, concerns have been raised about the possibility of organisations falling victim to a similar incident. Aligned with the report's focus upon Supply Chain Risks, it is appropriate to consider the CrowdStrike incident, which took place on 18 July 2024, when a software update released by CrowdStrike to its Falcon Sensor security software resulted in widespread disruption to computers running Microsoft Windows operating systems (CrowdStrike, 2024).

 

Microsoft reported that approximately 8.5 million systems were unable to restart as a result of the update. A root cause analysis of the incident completed by CrowdStrike states that review findings from two independent Third-Party software security vendors would be considered, but the initial findings suggest that the system crash was caused when a Rapid Response Content update delivered 21 input fields rather than the expected 20 (CrowdStrike, 2024). The organisation suggests that this out-of-bounds memory read issue, together with the lack of a test for non-wildcard matching criteria in the 21st field, caused systems to crash. Parametrix estimates that the direct losses resulting from the crash are expected to reach $5.4B for Fortune 500 companies (Parametrix, 2024). Recognising the global impacts experienced by organisations who engaged with CrowdStrike as a Third-Party supplier, this report has been produced to assess the cyber risks posed to organisations by their reliance upon a wide chain of Third-Party digital suppliers. Recognising that this risk has not been considered previously, and adopting ISO 27005:2022 and NIST 800-30, this paper will critically assess the level of risk faced by organisations and provide recommendations on how to mitigate it. In the absence of the results of a self-assessment or an external audit of the systems and components present within Third-Party suppliers, a high-level assessment is presented at this stage.
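The field-count mismatch described above, shown as an added illustration in C (constructed for this page, not CrowdStrike's code): an interpreter that trusts a template's declared field count and indexes a fixed-size array of sensor inputs with it, beside a hardened form that rejects an over-long template at load time and bounds its lookup loop. The struct, the function names, the 32-field ceiling and the sample process names are assumptions.

```c
/* Added illustration, not CrowdStrike's code: a content interpreter that
 * matches template criteria against a fixed-size array of sensor inputs.
 * Every name, limit and sample value here is constructed for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SENSOR_INPUT_COUNT 20   /* inputs this sensor build actually populates */
#define MAX_TEMPLATE_FIELDS 32  /* hypothetical ceiling in the content format */
#define WILDCARD "*"

/* A rapid-response template: criteria[i] is matched against inputs[i]. */
struct template {
    size_t field_count;
    const char *criteria[MAX_TEMPLATE_FIELDS];
};

/* Vulnerable form: trusts field_count from the content file. A template that
 * declares 21 fields with a non-wildcard 21st criterion makes this read
 * inputs[20], one element past the end of the array. Not called below. */
bool match_unchecked(const struct template *t,
                     const char *const inputs[SENSOR_INPUT_COUNT])
{
    for (size_t i = 0; i < t->field_count; i++) {
        if (strcmp(t->criteria[i], WILDCARD) == 0)
            continue;                           /* wildcard never reads inputs[i] */
        if (strcmp(inputs[i], t->criteria[i]) != 0)  /* out of bounds when i >= 20 */
            return false;
    }
    return true;
}

/* Hardened form, step 1: validate the template when content is loaded, so a
 * field-count mismatch is rejected before it reaches the interpreter. */
enum load_result { LOAD_OK = 0, LOAD_TOO_MANY_FIELDS = 1 };

enum load_result validate_template(const struct template *t)
{
    if (t->field_count > MAX_TEMPLATE_FIELDS || t->field_count > SENSOR_INPUT_COUNT)
        return LOAD_TOO_MANY_FIELDS;
    return LOAD_OK;
}

/* Hardened form, step 2: the interpreter re-validates and bounds its loop by
 * the inputs it really has, so the array can never be over-read even if a bad
 * template slips past load-time checks. Returns -1 rejected, 1 match, 0 no match. */
int match_checked(const struct template *t,
                  const char *const inputs[SENSOR_INPUT_COUNT])
{
    if (validate_template(t) != LOAD_OK)
        return -1;
    for (size_t i = 0; i < t->field_count && i < SENSOR_INPUT_COUNT; i++) {
        if (strcmp(t->criteria[i], WILDCARD) == 0)
            continue;
        if (strcmp(inputs[i], t->criteria[i]) != 0)
            return 0;
    }
    return 1;
}

/* Constructed scenario: a template of field_count wildcards with one real
 * criterion in field 0, and sensor inputs whose field 0 is the process name. */
int run_scenario(size_t field_count, const char *field0_criterion, const char *process)
{
    struct template t = { .field_count = field_count };
    const char *inputs[SENSOR_INPUT_COUNT];
    for (size_t i = 0; i < MAX_TEMPLATE_FIELDS; i++)
        t.criteria[i] = WILDCARD;
    t.criteria[0] = field0_criterion;
    for (size_t i = 0; i < SENSOR_INPUT_COUNT; i++)
        inputs[i] = "unused";
    inputs[0] = process;
    return match_checked(&t, inputs);
}

int main(void)
{
    printf("20 fields, process matches: %d\n", run_scenario(20, "notepad.exe", "notepad.exe"));
    printf("20 fields, process differs: %d\n", run_scenario(20, "other.exe", "notepad.exe"));
    printf("21 fields, rejected       : %d\n", run_scenario(21, "*", "notepad.exe"));
    return 0;
}
```

The load-time check alone would have stopped the mismatched content from being evaluated; the bounded loop is the defence in depth that keeps a faulty template from becoming a memory-safety fault.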

 

Cyber Risk Assessment Summary

Having recognised the importance of risk management for the successful delivery of services, it is imperative that organisations effectively identify and manage their cyber risks, so as to protect their information assets and reputation. Two key cyber risks have been identified. As outlined in Appendix B, the risk of ineffective information security management systems being present within an organisation's Third-Party supplier network was assessed as HIGH. This is a result of a HIGH likelihood that Third-Parties and organisations will experience a cyber-attack (Department for Science, Innovation & Technology, 2024) and the HIGH impact resulting from the disclosure of information, the unauthorised modification of information, the unauthorised destruction of information, or the loss of information or information system availability (National Institute of Standards and Technology, 2010).

 

Although cognisant of the view of Lee (2021) that improving an ISMS might not be enough to protect organisations from the rapidly evolving threat landscape, which may span cloud environments, it is recommended that, as a minimum, Third-Parties adopt the controls outlined in Cyber Essentials: Requirements for IT infrastructure v3.1 (National Cyber Security Centre, 2023). The second identified risk, inadvertent errors by the employees of Third-Party suppliers (Appendix C), was also assessed as HIGH. This assessment is the result of a HIGH likelihood of attacks targeting people (Greitzer et al., 2014), which could result in a HIGH impact. Alongside the Cyber Essentials controls (National Cyber Security Centre, 2023), it is recommended that Third-Party suppliers follow the NCSC guidance (2022) ‘Reducing data exfiltration by malicious insiders’, as well as adopting data loss prevention, always-on vetting protocols, zero-trust policies, phishing tests, user-behaviour analytics and decoy tools.

 

Report Summary

Cyber risks, both within an organisation's information systems and those of its supply chain, may result in serious impacts upon the organisation's reputation and consumer confidence, and may threaten the continuity of the business (Brockett, Golden & Wolden, 2012). This report has identified two key risks and suggested risk treatment recommendations. The effective mitigation of these risks is potentially required for organisations to meet the expectations of existing and approaching legislation, as illustrated in Figure 2 (Appendix D).

 


 

Appendix A.


Figure 1. Integrated Methodology (Putra & Soewito, 2023) [figure image not reproduced]

  

Appendix B.

Ineffective Information Security Management Systems within Third-Party Supplier Network

Context

Principle 1 of the National Cyber Security Centre's Cyber Assessment Framework, A1 Governance, identifies the importance of designing and implementing an effective information security system (National Cyber Security Centre, n. d. f). An effective Information Security Management System (ISMS) can help to ensure that cyber security risks are identified and managed. Organisations should be comfortable with the risks that the systems, processes and management in place within Third-Party suppliers pose to their own operations.

 

Purpose for Assessment

Determine Purpose

Aligned with the guidance provided by the National Cyber Security Centre (n. d. g), an assessment of the security risks attached to a Third-Party supplier's Information Security Management System (ISMS) will help to identify, assess and understand security risks which could impact organisations. This includes a Third-Party's approach to risk management.

Scope

An assessment of a Third-Party supplier's ISMS will aim to be ‘Achieved’, as per Principle A4 Supply Chain of the Cyber Assessment Framework (National Cyber Security Centre, n. d. g).

As per Principle A4 Supply Chain, organisations should aim to develop a deep understanding of their supply chain.

Asset

Organisations should consider suppliers': partnerships; competitors; nationality; and other organisations with which they sub-contract.

Organisations should assess how information shared with suppliers is appropriately protected from sophisticated attacks.

Organisations should assess contracts to determine the presence of security obligations.

An understanding of all data assets and network connections shared with Third-Party suppliers will be managed proportionately.

All network connections and data sharing with third parties are managed effectively and proportionately.

Information Source

Third-Party self-audits and external reviews. Findings of ISO 27001 assessments.

Risk Model

ISO 27005 will be used alongside the standard NIST SP 800-30.

Analysis

Below.

Threats Likelihood

The likelihood of a Third-Party Supplier being attacked is HIGH.

The UK Cyber Security Breaches Survey, published in April 2024, states that “half of businesses (50%) and around a third of charities (32%) report having experienced some form of cyber security breach or attack in the last 12 months. This is much higher for medium businesses (70%), large businesses (74%) and high-income charities with £500,000 or more in annual income (66%)”.

(Department for Science, Innovation & Technology, 2024).

Existing Controls

In accordance with the Cyber Essentials: Requirements for IT infrastructure v3.1 (National Cyber Security Centre, 2023), the following existing controls will be assessed:

1. Firewalls

2. Secure configuration

3. Security update management

4. User access control

5. Malware protection

Identify Vulnerabilities

The CrowdStrike incident highlighted the importance of identifying and mitigating vulnerabilities (Naseer, 2024). Ineffective security update management may leave organisations at risk of attacks targeting software vulnerabilities and our existing dependency upon Third-Party suppliers may introduce peripheral risks into our operations, should they suffer from an attack or service failure.

 

The National Cyber Security Centre (n. d.) proposes two ways of identifying vulnerabilities: vulnerability scanning and penetration testing.

Third-Party suppliers may potentially have HIGH vulnerabilities.

Magnitude of Impact

The magnitude of harm that can be expected to result from the unauthorised disclosure of information, unauthorised modification of information, unauthorised destruction of information, or the loss of information or information system availability at Third-Party suppliers could potentially be HIGH (National Institute of Standards and Technology, 2010).

The Cyber Security Breaches Survey (Department for Science, Innovation & Technology, 2024), reports the average costs of disruptive attacks on organisations, to be approximately £1,205. This was estimated to be £10,830 for medium and large businesses and £460 for charities. Alongside this financial impact, Agrafiotis et al. (2018) identify the harm that a successful cyber-attack can have on both the reputation of an organisation and on people.

Risk

In accordance with ISO 27005: Information security, cybersecurity and privacy protection – Guidance on managing information security risks (2024), risk is the sum of likelihood and impact. Although the standard provides organisations with the freedom to adopt a risk matrix of their choice, a HIGH likelihood and HIGH impact score will result in a HIGH risk score.

Risk Treatment Recommendations

 

In accordance with the Cyber Essentials: Requirements for IT infrastructure v3.1 (National Cyber Security Centre, 2023), effective and proportionate controls will be recommended to cover the following minimum areas:

1. Firewalls

2. Secure configuration

3. Security update management

4. User access control

5. Malware protection

Implementation Challenges

While installing firewalls and other cyber security tools offers some basic security benefits, Lee (2021) suggests that this might not be enough to protect organisations from the rapidly evolving threat landscape.

 

The use of public cloud environments situated beyond organisational boundaries can challenge the implementation of security tools. The security of, and access to, applications and data managed in the cloud may not be controlled by the organisation, as demonstrated by the Capital One data breach, in which a former Amazon cloud service employee gained access to more than 100 million Capital One customers' accounts and credit card applications early in 2019 (Bloomberg.com, 2019). In addition, rapidly developing Artificial Intelligence and Quantum technologies will require organisations to assess how their introduction affects the risk landscape, to identify appropriate mitigations and to assess the return on investment of implementing them (Faruk et al., 2022; Zeng, 2022).

 

Appendix C.

Inadvertent Errors by the Employees of Third-Party Suppliers.

Context

Third-Party suppliers may be exposed to insider threats in the form of malicious actors, infiltrators, exploited individuals and those who inadvertently cause harm (National Protective Security Authority, 2023).

Purpose for Assessment

Determine Purpose

To determine the likelihood of harm or loss to a Third-Party Supplier, and its subsequent impact, because of the action or inaction of an insider (National Protective Security Authority, 2023).

Scope

A role-risk based approach to managing insider threats requires Third-Party suppliers to identify assets and to determine their criticality. Privileged access can then be determined in order to design systems which ensure that only authorised users are able to access powerful privileged accounts and sensitive assets.

Asset

A risk-based approach to determining the criticality of assets, systems and infrastructure will support the design of proportionate security systems.

Different business areas will need to perform a Business Impact Analysis to determine their critical assets, and a Third-Party supplier will be required to identify all personnel who possess access to assets.

Information Source

Third-Party self-audits and external reviews. Findings of ISO 27001 assessments.

Risk Model

ISO 27005 will be used alongside the standard NIST SP 800-30.

Analysis

Below.

 

Threats Likelihood

System users with authorised access to the organisation's network may unintentionally cause harm to the confidentiality, integrity or availability of information (Hadlington, 2018). Research by Greitzer et al. (2014) has indicated that a number of factors may increase the likelihood of this threat being realised, including: lack of attention (preoccupation, distraction); narrowed attention caused by high cognitive load; workplace stressors; or a lack of knowledge.

 

Existing Controls

Existing controls will be identified in the audits and risk assessments. The controls relevant to inadvertent errors by the employees of Third-Party suppliers are as follows.

 

In accordance with the Cyber Essentials: Requirements for IT infrastructure v3.1 (National Cyber Security Centre, 2023), the following existing controls will be assessed:

1. Firewalls

2. Secure configuration

3. Security update management

4. User access control

5. Malware protection

 

Further controls may include:

1. Data Loss Prevention

2. Vetting

3. Security education

4. Phishing tests

5. User-Behaviour Analytics

6. Decoy tools

Identify Vulnerabilities

Greitzer et al. (2014) report that social engineering and phishing attacks which target people continue to be successful, despite education programmes and security controls. This suggests that the authorised access granted to individuals will continue to be targeted by hostile actors, due to the human vulnerabilities resulting from the myriad human factors identified previously.

Magnitude of Impact

The magnitude of harm that can be expected to result from the unauthorised disclosure of information, unauthorised modification of information, unauthorised destruction of information, or the loss of information or information system availability at Third-Party suppliers could potentially be HIGH (National Institute of Standards and Technology, 2010).

The Cyber Security Breaches Survey (Department for Science, Innovation & Technology, 2024), reports the average costs of disruptive attacks on organisations, to be approximately £1,205. This was estimated to be £10,830 for medium and large businesses and £460 for charities. Alongside this financial impact, Agrafiotis et al. (2018) identify the harm that a successful cyber-attack can have on both the reputation of an organisation and on people.

Risk

In accordance with ISO 27005: Information security, cybersecurity and privacy protection – Guidance on managing information security risks (2024), risk is the sum of likelihood and impact. Although the standard provides organisations with the freedom to adopt a risk matrix of their choice, a HIGH likelihood and HIGH impact score will result in a HIGH risk score.

Risk Treatment Recommendations

 

In accordance with the Cyber Essentials: Requirements for IT infrastructure v3.1 (National Cyber Security Centre, 2023), effective and proportionate controls will be recommended to cover the following minimum areas:

1. Firewalls

2. Secure configuration

3. Security update management

4. User access control

5. Malware protection

 

While the above is a minimum requirement that organisations should expect from Third-Party suppliers, other related controls may include: Data Loss Prevention, always-on vetting protocols, zero-trust policies, phishing tests, user-behaviour analytics and decoy tools.

 

In addition, it is advised that Third-Party Suppliers follow guidance provided by the National Cyber Security Centre (2022). In guidance titled ‘Reducing data exfiltration by malicious insiders’, readers are advised to:

 

  • prevent data exfiltration

  • enable monitoring

  • carry out post-event audit

 

Alongside the Insider Risk Management Framework developed by the National Protective Security Authority (2023), the document suggests that organisations limit access to privileged data and mitigate exfiltration. Organisations should implement monitoring that can warn users of high-risk behaviours, enable organisations to quarantine actions, and identify trends which may require investigation. Auditing is also critical to the management of this risk, as audits provide opportunities to review and analyse post-event activity relating to users, data and assets. Such information can support organisations to review, design or improve security systems. Furthermore, developing a Security Culture Programme can:

  • minimise exposure to, and accumulation of, risk from inadvertent ‘everyday’ incidents

  • increase awareness of threats and how behaviours can affect vulnerability to them, allowing people to adapt to changes in threats

  • improve workforce engagement and morale, reducing the risk of disenchanted staff becoming malign insiders

  • make it harder for malign insiders to act, and increase opportunities for early identification and resolution of potential problems

  • encourage increased vigilance and awareness – willingness to challenge and report concerns reduces the risk of hostile reconnaissance occurring at sites

  • have demonstrable positive effects on staff performance, morale, retention, and wider organisational efficiency

(Government Security, n. d.)

Implementation Challenges

Greitzer (2014) contends that organisations are still at risk of social engineering attacks, despite security controls and training programmes to mitigate them. Alongside recognising budgetary constraints, these findings may justify the need for organisations to calculate the potential return on investment of different security controls and training programmes. A cost-benefit analysis of the different mitigation options will enable organisations, including Third-Party suppliers, to make risk-based decisions about which security investments to prioritise (Lee, 2021). For example, some controls, such as enhanced pre-employment background checks, are intrusive and may be viewed negatively by a workforce. In order to avoid having a negative impact upon a workforce, an organisation may choose to avoid such controls. Organisations will need to make their own risk-based decision about whether to engage with Third-Party suppliers who adopt security measures outside of their own risk appetite.

 

 

Appendix D.


Figure 2.

UK Cyber Security Legislation.

 


EMERGING RISKS GLOBAL ®

Emerging Risks Global ® (ERG) is a trading name of Woodlands International Ltd ©

Registered in England and Wales: 11256211.

This website and its content is copyright of  Woodlands International Ltd ©. 2025  All rights reserved. 
