
Cyber risk and the supply chain

Aon is delighted to have supported the British Retail Consortium’s recent conference on ‘Charting the Future’. Held in London on the 25th September 2018, this event brought together delegates and key specialists from across the retail sector to discuss crime and security trends, and how retailers can best prepare and respond.

Setting the scene on the impact of cyber risk on the supply chain and the potential threats, Aon’s Christopher Scott told delegates at the British Retail Consortium’s (BRC) ‘Charting the Future’ conference that the average cost of a data breach has risen from US$3.6m to US$3.9m [1]. From a threat perspective, 2018 has also seen far more incidents, with over half resulting in an actual data breach, while more than half of retailers (53% [2]) have reported cyber-related fraud. Looking ahead, research firm Gartner estimates that by 2020 there will be 20.8bn connected devices, with the average company connecting to more than 1,500 partners. “What that means is the attack surface is growing exponentially, while the number of networks and partnered companies that each business is working with is also increasing. This serves to make organisations’ perimeters more porous and more vulnerable to cyber attacks,” said Scott.

Industry 4.0

The competitive environment in ‘Industry 4.0’ has driven an increased reliance on digital technology – more automation and developments in connectivity, for example – that in turn has created more complex and more impactful exposures to cyber events, Scott added. With threats ranging from disruption risk affecting production and distribution, to confidentiality risk to personally identifiable information (PII) under the General Data Protection Regulation (GDPR), what does this mean for the supply chain? “Different parts of a supply chain can be hit at different stages,” said Scott. “There is the physical production side, where the primary worries are physical tampering, theft, or something that prevents the product from being made or delivered. Then there is infrastructure. Does your business have suppliers in place providing you with critical technology services? What’s the impact of them being disrupted by a cyber event?”

One company that experienced the damaging knock-on effects of a supply chain breach was US retailer Target Corporation. In 2013, the credit and debit card details of 70 million customers were compromised after hackers gained access to Target’s network via the stolen credentials of an employee of Fazio Mechanical Services, Target’s HVAC provider. “It’s not Fazio Mechanical Services who have had the reputational damage, it’s Target,” said Scott. “It’s also interesting that the loss was preventable, given the malware was identified on two separate occasions by Target’s security teams, and both times these warnings were not acted on.”

Don’t be a victim

Despite such high-profile incidents, there are many things every business can do to make sure it’s not a victim of cyber crime. “The first is to develop cyber defences on the assumption that your business will be breached. Once you get into that mentality, you then go beyond pure prevention into management and mitigation,” said Scott. “The second thing to remember is that cyber security is not just a technology problem. The vast majority of attacks result from a person making an error, such as clicking on a suspicious link. It’s about making sure that you raise awareness of the issue to your wider team.” Finally, it is important that physical and cyber security are connected. “Hackers might not just attack you from a computer but might use lax physical security to gain access to a network,” said Scott. It’s also key that businesses try to understand who might be trying to attack them – hacktivists, criminals, or insiders, for example – the kind of methodology they might be employing, and what their ultimate aim is. “That’s important because it changes the way in which you set yourself up to prevent an attack from occurring and also how you respond,” said Scott.

A further problem, Scott added, is that vendors are becoming increasingly interconnected. “There is less visibility over who has what data. Who is the data owner? Who is the data processor? Not understanding where your data lies in the supply chain can be a big problem, not least because 56% suffer a vendor data breach and it tends to be your reputation on the line.”

Building a cyber resilient organisation

In terms of preparing a business to be a resilient organisation, Scott said: “We have to start transforming our approach to risk management and taking an enterprise-wide view. I see the risk manager as playing an important part in drawing together different elements of the business to create that enterprise-wide approach.” Areas to focus on include forming a security and privacy committee and conducting enterprise-wide security assessments – not just looking at it from a purely technical perspective but understanding the impact of a cyber event on the business in the round. “Once you understand what can go wrong and how bad it can be, you can put in place the appropriate plans and, importantly, practise for future cyber events by running desktop simulations.” From a supply chain perspective, said Scott, it is important to evaluate supplier contracts and limits of liability based on the exposure they introduce to you as an organisation. “Who are the key suppliers that could cause the greatest amount of danger in terms of the data you supply to them, and what is your reliance on them from a business interruption perspective? Reflect that risk in your terms of business with them, whether that’s in limits of liability, additional assurance around their cyber security posture, and even rights of audit on their cyber security.”

Quantify the risk

Scott also emphasised the importance of a data-driven approach to cyber risk management. “You have to start by assessing and understanding what cyber means to you as an organisation. You can then develop scenarios with clear parameters that you can quantify in financial terms. Quantification is an important step because it allows you to make informed decisions about how you manage that exposure. You can determine where you allocate your finite cyber risk management budget based on Value at Risk (VaR) and impact on your balance sheet. This will help you optimise the blend between technical control improvement, crisis management, business continuity planning, supplier contracting and risk transfer.”

For more information, contact Chris Scott.

[1] 2018 Ponemon Cost of Data Breach Study: Global Analysis

[2] British Retail Consortium