Speaking on a panel at the TEISS conference in London on the theme of threats in the supply chain, chair Raef Meeuwisse asked where the supply chain sits in a company’s overall risk.
Mike Seeney, head of supply chain information risk at Pinsent Masons, said that it is typically very high, as it is common that you will be breached via social engineering or the supply chain. “In the last few years we have had advances in technology, and the best way is through people or the supply chain,” he said. “This is a dedicated function and you need to have recognition of that.”
Quentyn Taylor, director of information security at Canon EMEA, said that this is now part of infosecurity risk, and while the infosec team should own the risk, they may not rate it too highly. “We trust third parties as we buy from them, but we should consider the third parties of the third parties,” Taylor said.
Holly Grace Williams, technical director at Secarma, said that the conversation should be about where you draw the line and who takes ownership of the risk. Naina Bhattacharya, director of cybersecurity for EMEIA at EY, said that, 10 years ago, this sort of risk was being taken seriously by payment card companies as they saw fraud, but the introduction of consumer products and compliance frameworks has changed attitudes.
Asked by Meeuwisse how far contracts can protect you, Taylor said “virtually not at all”, as contracts “can be a useful way to start a fire” and ultimately the company that offers a contract has not got your back.
In order to better protect yourself, Bhattacharya said that you should have a foundation in place, and she acknowledged that this “can be a big step forward” but a way for you to take care of risk.
Focusing briefly on the theme of Huawei, Meeuwisse said that there is guidance offered from government, but acknowledged that global standards are needed.
Concluding, Bhattacharya said that supply chain has “been a problem for a while and will continue to be one” while Williams recommended reviewing what level of access you’re sharing, and Taylor suggested picking “a simple model and be prepared to change” to follow a way of working.