What the Capita Breach Tells Us About Managing Supply Chain Risk
When IT outsourcing giant Capita suffered a ransomware breach in March 2023, it tried its best to control the media narrative. But supply chain incidents like this have a habit of running away from even the best-drilled PR teams. After a few weeks of drip-drip news from Capita, the firm's worst nightmare arrived: a flood of breach notifications from corporate clients. Across this incident and a second one involving a misconfigured cloud storage bucket, the count of affected organisations has now risen to at least 90.
There are plenty of takeaways for security and compliance teams, but they boil down to one idea: you can have the best cyber risk mitigation programme in the world, and your organisation can still be critically exposed if that programme stops at your own perimeter and does not cover the supply chain.
According to one industry estimate published last year, 98% of global organisations were negatively affected by a breach in their supply chain during 2021. It is time to extend visibility and control from inside the enterprise to the suppliers outside it.
What Happened to Capita?
Capita has been tight-lipped about the "incident" it says took place on 22 March, disclosing to date only that "some data was exfiltrated from less than 0.1% of its server estate". Reports suggest that the Black Basta ransomware group was behind the breach, and that victims' personal and bank account details have already been offered for sale on the dark web. This has stark implications for the firm's many corporate clients and, ultimately, for their customers.
Capita holds billions of pounds' worth of contracts with government and private sector clients, including Royal Mail, Axa and USS, one of the UK's largest pension funds. The regulator, the Information Commissioner's Office (ICO), has been inundated with breach notifications from these customers. At the same time, the Pensions Regulator (TPR) has reportedly written to over 300 funds asking them to check whether they have also been affected.
Capita isn't the first and won't be the last source of supply chain cyber risk. More recently still, big-name brands including BA, Boots and the BBC were caught out by a breach of staff personal and financial data, with customers potentially affected too. The culprit was a zero-day vulnerability in MOVEit Transfer, a managed file transfer product used by their payroll provider, Zellis. Thousands of organisations are believed to have been affected, both direct users of the software and organisations whose own suppliers ran it.
Why Supply Chain Risk is Tough to Manage
As the impact of both breaches continues to make headlines across the globe, now is the time to better understand supply chain risk. Jamie Akhtar, CEO of CyberSmart, argues that the Capita incident is one of the best examples of the security risks supply chains pose.
"It serves as a warning to the UK business community. If you're part of a supply chain, cyber-criminals will try to target you sooner or later — the opportunity to cause disruption or steal important data is too good to pass up," he says. "So, we urge businesses of all sizes to think about their supply chain and the risks within it."
Simon Newman, CEO of The Cyber Resilience Centre for London, adds that attackers increasingly target large and complex supply chains because in-house security efforts have improved.
“The ability to compromise the security of a supplier not only provides a potential back door into larger organisations, but as the third party is likely to provide products or services to other companies as well, it means that the scale and the scope of the attack is far greater,” he warns.
So why is supply chain risk so difficult to manage?
A supply chain attack can take many forms. Corporate data may be held by a supplier that is subsequently breached, as with Capita or Blackbaud. A supplier or partner holding credentials or remote access to your network may be compromised, handing attackers a route to your organisation's IT assets and data; this is what happened in the massive 2013 Target breach, where the entry point was a heating and ventilation contractor's network credentials. Or many downstream users of a single piece of software may be hit at once after attackers implant malware in it or exploit a bug in it, as happened with MOVEit and Accellion.
As digital transformation continues apace, the attack surface of suppliers keeps growing. Their IT environments change constantly, which calls for close and, ideally, continuous scrutiny. In practice this rarely happens. According to the National Cyber Security Centre (NCSC), some of the main challenges with supply chain risk management lie in getting the basics right, such as:
- Understanding the risks associated with poor supply chain security
- Investing more in risk mitigation
- Improving visibility into supply chains
- Getting the right tools and expertise to evaluate suppliers’ cybersecurity
- Understanding what questions to ask of suppliers
Unfortunately, current efforts fall short. According to a government report, only around one in 10 (13%) businesses review the risks posed by their immediate suppliers. As noted above, the barriers cited by the report include money, skills, prioritisation and getting accurate information out of suppliers. Just as important is knowing which suppliers to check and which checks to carry out. This is where international standards such as ISO 27001 can help.
How ISO 27001 Can Help
According to IBM, 20% of data breach incidents stem from suppliers, at an average cost of $4.46m per breach, above the average across all breach types ($4.35m). That alone should be enough to focus minds on managing supply chain risk more effectively. But how? First, consider the NCSC's supply chain mapping (SCM) guidance, which helps you establish who your suppliers are, what they provide and how they provide it. With that map in hand, risk-based decisions about where to focus effort become possible.
Evaluating and managing supplier security is also a critical component of an Information Security Management System (ISMS). ISO 27001 can tell you how to get there through steps such as:
- Establishing a formal supplier policy that sets out your requirements for mitigating risk associated with third parties
- Agreeing and documenting these requirements with each supplier
- Checking that suppliers have processes in place to meet an appropriate baseline of security (including within their own supply chains), whether through focused audits, questionnaires or evidence of certification to ISO 27001
- Maintaining a regularly updated list of approved suppliers
- Regularly assessing whether suppliers are meeting your security requirements
- Ensuring that any technology or process changes on the supplier's side are promptly flagged, and that you understand their impact on supplier risk
As supply chains continue to grow in size and complexity, so does cyber risk. It’s time to take action.
Simplify Your Supply Chain Management Today
Find out how our ISMS solution enables a simple, secure and sustainable approach to supply chain management and information management with ISO 27001 and over 50 other frameworks.