To approach this question, I interviewed Peter (Pete) Maynard, CEO of CyberMetrix. Pete is a digital transformation pioneer with a 30-year career addressing emerging challenges within the cyber security industry.
CyberMetrix is a Risk Management Solutions company that enables confidence and security in today's modern ecosystem.
In answering the question, Pete summarised the problem as 'long tail suppliers' and told me a story:
"In 2013, U.S. retailer Target reported a massive network intrusion and data theft, resulting in over U.S. $260M indirect financial loss and a further U.S. $25M in fines. The entry point? Fazio Mechanical, a small refrigeration services company with fewer than 50 employees."
To summarise the implication: the big end of town (i.e., Target) has good cyber security hygiene. But that level of security maturity is out of reach for the average SME vendor, and the average supply chain is "90-95%" SMEs.
Your security is only as strong as the weakest link in your supply chain.
In a world of ever more connected systems and API-first integration, it is easy for data to flow unprotected between upstream and downstream systems, and a supplier's credentials or API keys become the attacker's entry point into your environment.
So, how does an enterprise like Target ensure its vendors are compliant without creating an ecosystem out of reach for the average SME? Your first thought may be to mandate a standard.
So, what is the standard?
Well, the bar is high. ISO/IEC 27001 (information security management systems) is commonly accepted as the industry standard. We are undertaking this process ourselves; it takes several years and a significant upfront investment in audits.
Pete explained that he had also started the process for CyberMetrix. But after 18 months with little progress and not much to show for it, he canned the project.
Third-Party Cyber Risk Management
Next on the list is TPCRM (Third-Party Cyber Risk Management): the enterprise runs its own assessment of each supplier. Passing it equates to a ticket to trade with the organisation, and it can make it VERY hard for an SME to supply to an enterprise.
I'm not sure if you've ever received a government cyber audit during a tender process... The audit usually arrives as a spreadsheet with thousands of line items, each of which you have to confirm compliance with or, if you are not compliant, explain why.
Even though we are an I.T. company, I've seen the pain on our CTO's face trying to answer these, let alone anyone who isn't running a tech business.
So, also a high bar.
ASD Essential Eight
The next option is to look at government advice.
The Australian Federal Government focuses on the ASD Essential Eight (often called the "Top 8"). The model defines maturity levels, but it is a baseline of technical mitigations (patching, multi-factor authentication, backups and the like) and doesn't address cyber as a whole-of-business risk.
The last option Pete suggests is changing the way SMEs look at cyber. Traditionally the entry point was I.T., so cyber was treated as a function of the I.T. managed service provider. Pete suggests this is the wrong approach, because the problem comes down to people and governance.
People & Governance
There are a few essential things that every business can do.
Good governance can save the company: have an incident response plan, and train people in good cyber hygiene.
Regarding the models above, Pete recommends a simplified downstream TPCRM approach for enterprises, focusing on the long tail of suppliers in two steps:
1 - Categorise
Use a categorisation matrix to decide what level of certification you require each supplier to hold (for example, according to the data and systems the supplier can reach).
2 - Certify
Have SME suppliers follow the Cyber Security Certification Australia (CSCAU) process to certify at the level you defined for them.
To achieve a strong supply chain, the process needs to lead from the top down.
If enterprise customers request this from their vendors, and from their vendors' vendors, in an easy and fair manner, it will improve the maturity of most SMEs.
In short, it comes down to asking yourself one crucial question: how are you validating your vendors' cyber resilience, and that of those who support them?