Let’s start with a question:
Who has responsibility for cyber security in an organisation?
a) The IT department.
b) The CEO.
c) Staff who use digital products, services and systems.
d) All the above.
If you answered ‘d) all the above’, you’re correct. Cyber security is everyone’s responsibility. Therefore, when developing your cyber strategy, it’s crucial to involve the executive level and stress its accountability and leadership, while also ensuring good security awareness and responsiveness to threats and incidents at more junior levels of the organisation. People and process are as important as technology when it comes to managing cyber risk.
Let’s now consider cyber security when it’s applied to a supply chain, where one organisation relies on another organisation for products or services. That second organisation need not even be a technology provider—it could be a bricks-and-mortar shop that uses commercially available software and apps to run the business. What information might that business hold about its customers? Consider information such as customer names, contact details, account details and addresses. How and where is this valuable data stored? Who is storing it for the business? What protections are in place to safeguard customer data?
If we consider the interconnectedness of modern business, including Government’s reliance on external services and suppliers, we quickly realise that digital supply chains are large, complex and, most importantly, vulnerable. They include third party (and fourth, fifth, etc. party) apps and providers in the supply chain. An attack on one organisation in a supply chain can expose valuable information of thousands of other organisations, removing the need to directly breach those organisations to steal their information. This interconnectedness, and the breadth of information contained within one chain, makes indirect supply chain attacks attractive to malicious attackers. For example, the 2023 ransomware attack on HWL Ebsworth, a professional services provider to the Australian Government, breached information held by the firm, including sensitive personal and government information of 62 government entities.
Government entities need to address cyber security as a team effort in partnership with suppliers. Supply chain cyber security can’t be achieved by individual entities or organisations securing their own systems alone. The requirements that Government entities must comply with include those in Figure 1.
The Australian Government Protective Security Policy Framework (PSPF) underscores the responsibility of entities to manage security risks in their supply chains. Policy 6 is titled ‘Security governance for contracted goods and service providers’. Policy 6 mandates that entities are accountable for security risks arising from procuring goods and services. Compliance involves applying Government’s security requirements to an entity’s contracted providers. Entities should use their procurement processes, well-drafted contracts, contract management, and periodic monitoring of provider security health to implement Policy 6. For example, this could involve:
- establishing adequate security measures at the outset in new contracts (which may require collaboration between an entity’s procurement / contract managers and its security / technical advisors);
- monitoring security health measures throughout the contract (which may require collaboration between an entity’s business managers and security / technical advisors); and
- contract closure activities (discussed below in the Improve Phase of the Proximity Contract Lifecycle).
The Commonwealth Procurement Rules (CPR) specifically recognises security risk, including in relation to cyber security, as a risk to be managed throughout the procurement process, in accordance with the PSPF (CPR 8.3). The Australian National Audit Office (ANAO) recently analysed compliance with PSPF Policy 6 and found that 51% of non-corporate Commonwealth entities had not fully implemented PSPF Policy 6 in 2020-21. This finding underscores the importance of uplifting security risk awareness and management in Government, and ensuring appropriate collaboration between technical and non-technical teams within entities, and between an entity and its suppliers, when procuring, managing and closing out contracts.
Proximity’s Contract Lifecycle, shown in Figure 2, encompasses four phases, each offering valuable opportunities for entities to establish effective security governance when contracting with external providers. The following key steps illustrate the significant role that procurement advisors, contract lawyers and contract / business managers should play in implementing supply chain cyber security for their entity, liaising with technical security advisors if needed.
1. Design phase: Security by design
- Procurement planning, market research, and approach to market (ATM) preparation should incorporate clear security requirements. Considerations include what the entity is buying, who will use it, how it will be used, what information will be stored/processed, the sensitivity of that information, the business impact if it is compromised, and what protections are needed to mitigate data breach risk.
- Collaboration between procurement and security advisors may be necessary to complete a risk assessment, then articulate security requirements to mitigate risk.
- Key ATM documents, including tender evaluation criteria, questions for tenderers, and contract clauses, should reflect security considerations based on the PSPF Policy 6 guidelines.
2. Approach phase: Releasing requirements to market
- What is the sensitivity of information to be released to tenderers? Is it appropriate for public release or should measures to restrict access to confidential information be put in place?
- If needed, consider access controls such as tenderer identification and registration requirements, confidentiality deeds, data rooms and limited tender procurements as ways to control information release, while balancing procurement requirements such as non-discrimination and competition (CPR 5). Entities are not obligated to release confidential information (CPR 10.7).
3. Select phase: Identifying the preferred supplier
- Value for money involves considering the overall benefits offered by a supplier against the risks that the supplier poses to an entity. This includes financial and non-financial costs and benefits associated with the procurement (CPR 3.2).
- Evaluation of tenders should include predefined security criteria. If security was not included as a criterion at the Approach Phase, it should still be considered as part of the overall risk assessment for an evaluated tender.
- If specialist technical / security skills are needed to evaluate security risk, include them in the tender evaluation plan and evaluation team. Ensure it is clear to them which criteria they are to evaluate, and document reasons.
4. Improve phase: Contract management and closure
- Actively monitor supplier performance and security compliance. Establish rapport to build trust, fostering cooperative discussions around threats and prompt disclosure of breaches. Contract / business managers may need to involve technical / security advisors to manage supplier security health collaboratively.
- As the contract nears its expiry or termination, complete closure and offboarding activities appropriate to the level of risk posed by information accessed and held by the supplier. For example, outgoing security briefings to supplier personnel, signed security declarations, return of physical access passes, cancelling systems access, and deletion or destruction of information held by the supplier.
The adage ‘a chain is only as strong as its weakest link’ neatly captures the risk that all organisations, public and private, face today. Achieving supply chain cyber security relies on a collective effort that spans across all organisations involved in collecting, storing and processing a customer organisation’s data. It goes beyond traditional IT and security roles, relying on non-technical roles including business managers, contract managers, procurement advisors, and contract lawyers to collectively manage the risk. The key is to be informed, not afraid, when it comes to tackling cyber security risk.
Reach out to us at Proximity for effective and practical ways to uplift security with your supplier network. Our Procurement & Contracting, Commercial Law and Transformation teams are experienced in establishing security governance and implementation with Government and regulated entities.
Key Points
- Tackling supply chain cyber risk is a team effort. Non-technical procurement managers, contract lawyers and contract/business managers have a large role to play.
- People and processes are equally as important as technology in managing security risk.
- Security by design involves planning and engaging early. Procurement, legal and security teams need to work together collaboratively to identify security requirements, build them into contracts, monitor and close out.
- Use each phase of the Contract Lifecycle to establish and address security.
- Assign clear roles and responsibilities for business, procurement, legal and security teams. Who’s doing what, when?