Supply chain assurance and effective Business Continuity

Explaining how digital incidents severely impact the real world can be difficult, but we are increasingly seeing cyber incidents that illustrate how malicious actors can impact our daily lives. In particular, we’re seeing attacks on the most critical organisations; those responsible for maintaining the health, safety, and welfare of the public and providing us with essential products and services.

As we saw with the recent NHS incident here in the UK and the Change Healthcare incident in the US, a disruption can have cascading effects that are challenging to contain and manage. At a national level in the UK, we have institutions like the National Cyber Security Centre and industry regulators who coordinate and provide specialist support for events of national significance. But who is accountable for the effective planning and subsequent management of a major cyber security incident? Usually, it sits locally with individual organisations (underpinned by regulations such as NISD and DORA), and they need to be prepared to manage the worst-case scenario and ensure that the disruption experienced is within predefined impact tolerances.

Case study: NHS supply chain attack

There has been plenty in the news about the NHS incident, but for a quick recap: King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust were hit hardest. The disruption resulted in almost 5,000 acute outpatient appointments and 1,500 elective procedures being postponed.

It didn’t take long for the attack to be attributed to Russian cybercriminals – their way in? Through a critical third-party supplier providing pathology services. The ransomware attack meant that the supplier couldn’t access most of their IT systems; impacting everything from their ability to identify and process incoming samples, through to the actual transmission of test results.

These significant delays required a swift response by the affected Trusts and the supplier. Particularly important was the NHS Trusts’ business continuity response. Actions taken to limit the disruption caused by the cyber attack included an urgent appeal for O blood-type donors. NHS England also allowed a limited number of junior doctors to work at sites most affected, during the workforce strikes which were taking place concurrently. The disruption put strain on the wider health care system with a marked increase in Pathology services in southeast London which increased to approximately 54% of normal capacity.

The situation was further exacerbated when the threat actors uploaded 400GB of information on their darknet site to extort money from the NHS supplier, including a sample confirming that it contained patient names, dates of birth, NHS numbers and descriptions of blood tests. Handling a data breach, particularly via a supplier, adds a level of complexity where the roles and responsibilities can either be clear cut and legally enforceable, such as the notification requirements of data controllers and processors following a data breach, or more nuanced, difficult to anticipate, and outside the scope of regulations, such as the decision making process underpinning ransom negotiations between the supplier and the threat actor.

Mitigating digital supply chain risk

This incident, like many other third-party compromises, highlights the importance of supply chain assurance and effective business continuity planning. Every organisation should ensure that defined impact tolerances are not breached, and that they are well-prepared to respond and recover from disruptions. This can be a complex task, especially considering the diverse ecosystem that many organisations now must manage.

Consider the following questions:

• How do you validate the business continuity and resilience arrangements of suppliers?
• What data do they have access to and/or what shared access is in place?
• How do you manage the risks across all suppliers and what should be prioritised?
• How do you maintain continuity in the absence of critical suppliers and avoid single points of failure?
• How do you build and maintain an effective relationship with them to ensure that they make decisions with your interests in mind?

Some examples of ways you can strengthen your supplier risk management and business continuity planning include:

• Clearly outlining supplier expectations during an incident response within contracts.
• Conducting appropriate due diligence and auditing regularly.
• Assessing and prioritising all suppliers to develop a supplier risk matrix, documenting the associated activity at each tier of criticality.
• Conducting incident response exercises alongside suppliers to build and maintain relationships and confirm roles and responsibilities.

Is your organisation prepared for a cyber attack?

Any effective business continuity management system should include incident response exercises that consider critical suppliers. Best endeavours may not be enough. It’s important to evaluate the assumptions which are built into your business continuity plans, as this may limit your ability to deploy a certain workaround or strategy leading to additional business disruption and reputational damage. We’re experts in supporting our clients to effectively prepare for and respond to these types of challenges. 

Get in touch to talk to our digital resilience experts.