Insiders Outside: Is your supply chain your biggest vulnerability?
Recently, news broke about sabotage on a Royal Navy warship under construction at a Scottish shipyard. According to BAE systems, the company responsible for building the ship, dozens of cables were ‘damaged intentionally’. The UK Defence Journal has suggested that they may have been cut by a contractor involved in a payment dispute.
At Blacksmiths, we systematically collect information about cases relating to all types of insider activity, from data theft, fraud, ransomware facilitation and personal misconduct to unauthorised disclosure, data sabotage and physical sabotage. Oddly enough, cases of physical sabotage like the BAE case are relatively rare – an exception is the notorious case of Vitek Boden, a disgruntled engineer who had been employed at an Australian sewage management plant, and in response to being turned down for a job, hacked into his former employer’s control systems and discharged 265000 gallons of raw sewage into local parks and rivers.
Outsiders: The unseen insiders
What the BAE and the Boden physical sabotage cases have in common is that both were carried out by contractors. When we conduct assessments of insider risk controls, clients often describe to us the robust processes they have in place for their staff. Screening, management oversight, access controls and system monitoring measures are all present and correct. But ask them about their controls for contractors and temporary staff, and they start to look a little uncomfortable. Mention controls for people working for supplier companies, and you get blank looks. And best not even to bother raising people working for sub-contractors …!
I still find this surprising. The shift to outsourcing and the reliance on specialist companies to deliver services has been going on for years now. It was one of the major changes I witnessed during a long career in Government. It appears companies are happy to have people in their buildings and on their IT systems who work for someone else, and to grant accesses to people from external companies so they can manage the IT or keep the heating on. But they haven’t quite worked out how to ensure that they know who these people are and that they don’t have the means or the motivation to do them harm.
Is reliability the issue?
Some people argue that contractors and suppliers are innately less reliable than employees, and thus more likely to become insiders. The case of Edward Snowden, the NSA contractor who leaked millions of US top secret documents, has reinforced this perception. It is suggested that contractors typically spend less time in an organisation than employees do and so don’t develop such strong bonds to colleagues or such strong loyalty to the mission. And supplier staff don’t work within the organisation at all. But I wonder how accurate a picture this is, and indeed whether it slightly misses the point.
In government, some of our contractors ended up staying around for an awfully long time, and becoming very closely involved with the department they were working in. Suppliers took pride in their work and were motivated to do a good job. Meanwhile, some new recruits didn’t stick around for very long at all! It is also worth pointing out that loyalty and commitment can be a double-edged sword. When a person who has worked for 30 years for an organisation feels badly treated or let down by their employer, their sense of grievance can be acute. The contractor who has worked there for six months and will soon be moving on may find it easier to shrug such things off.
Scrutinising the data
So, are contractors and supplier staff more of a risk to your organisation than employees? The truth is that it is very hard to tell from the data that is out there. The 2020 Kroll Global Fraud and Risk Report suggested that third parties were the perpetrator in 30% of reputational damage cases. Meanwhile, the 2022 IBM / Ponemon Cost of Data Breach Report survey found that 19% of data breaches were caused by suppliers or business partners (interestingly these took on average 13% longer to identify than cases perpetrated by staff). But it is hard to draw conclusions from these figures without knowing what the overall ratio is of employees to contractors. And the figures may also be skewed if multiple companies are each reporting the same breach by a single supplier company. But what we can safely assume is that contractors will be more of a risk if they are not managed properly.
The role of external threat actors
We also know that that external threat actors are quick to spot the opportunities presented by suppliers. If you find that your target has strong cyber defences or that you cannot identify, trick, or coerce their staff to help you – why not see if you can get in via their suppliers? The catastrophic Solar Winds ‘Sunburst’ attack in 2020 was a high-profile case in which hackers managed to gain access to US Government systems by manipulating software provided by a third party. Only last week holders of university pensions in the UK were informed that their personal data had been stolen thanks to an attack on the systems of a third-party provider, Capita.
The limitations of supply chain security
In response to incidents like these, Supply Chain Security has developed as a discipline, with its own ISO standard (2800) and excellent advice from NCSC and NPSA. Most companies now insist on high cyber security standards from anyone they take on as a supplier. But as ever, it is easier to apply controls to data, systems, and endpoints than it is to human beings.
So why is it so hard to manage risk from people in the supply chain? To some degree I think it is the nature of business. Alongside responsibility for delivery, risk is also passed to an external party – it is part of what they are paid for. Organisations are reluctant to take on responsibility for other people’s employees and don’t know what actions they are empowered to take to manage the risk that such people bring with them. Snowden’s case threw up a whole host of control failings that contributed towards the failure to prevent catastrophic data loss – a lack of clarity about who was responsible for managing Snowden being one of the most egregious. But it’s hard. One of our clients has more than 50,000 organisations involved in their supply chain. How on earth do you keep tabs on all their people?
What’s the answer?
We have just completed creating a maturity assessment tool for Personnel Security in the supply chain. It is made up of an impressive thirty-three indicators of good practice. But as so often in security, it boils down to focussing effort where the risk is greatest and getting people in different stovepipes to accept responsibility and to work together. In this case commercial and procurement teams, business managers, security, and HR need to collaborate within the contracting organisation. The same people need to collaborate in the supplier organisation. And they all need to cooperate with each other.
About the author
Malcolm Sparkes is head of the insider risk consultancy in Blacksmiths group. He previously held a number of senior security roles within UK Government, including running vetting within the FCDO.