by Yuval Segev and Yosi Aviram*
As most small and medium-sized enterprises (SMEs) run on a tight operational budget, most do not invest adequately in cybersecurity. They are therefore becoming preferred targets for cybercriminals, either as targets in their own right or as an attack vector to reach the bigger businesses, government agencies and critical infrastructures they supply. We are currently witnessing a surge in supply-chain cyberattacks, in both number and sophistication.
The importance of SMEs is beyond question: according to ENISA, they are the backbone of the EU economy, representing 99% of all businesses and employing about 100 million people. The US economy is no different percentage-wise. SMEs provide services and products to bigger businesses and to the population at large. As crucial parts of the supply chain, they must be protected from cyberthreats.
During research conducted by the Israel National Cyber Directorate (INCD), many SMEs complained of too many different requirements imposed by different customers and regulators. Big enterprises invest considerable resources in defining their own cyber-risk management requirements for suppliers, following standards such as ISO/IEC 27036 and NIST SP 800-161, yet they often settle for a supplier's self-declaration rather than insisting on valid audit results. According to the ISO Survey, in 2019 only 36,362 organizations worldwide held a certificate to ISO/IEC 27001, the international standard whose Annex A stipulates over 100 different controls for managing information security.
Recognizing the risk across the board, the UK's National Cyber Security Centre (NCSC) published supply-chain security guidance to help businesses take control of the cybersecurity of their suppliers. The guidance is quite thorough and explains how a business should understand and manage risk originating with suppliers, but much of the work required is left to the businesses themselves.
There are different approaches to achieving stronger cybersecurity, primarily by certifying products and services. We would argue that to complete the process, we need to upgrade the overall level of cyber-hygiene of suppliers as organizations, and not merely their specific products.
Assuring that products bought through the supply chain are certified and cybersecure is of course an important layer. However, a product certification typically applies to a specific version and may lose its relevance with the next release. It is therefore imperative to complement product certification with a certification scheme for the providers themselves, designed from the customer's point of view. Businesses need assurance that the providers they rely on maintain a default baseline of cyber-hygiene that significantly reduces risk.
Gaps in the current framework
What to check
The existing certification framework includes standards such as ISO/IEC 27001 and the NIST frameworks, most of which are couched in general language. What is needed is detailed and clear language that is more cyber-specific than the current generic framework. The cyber domain is highly dynamic, and malicious activity evolves constantly. There is a need for defined controls that are updated continuously in line with the evolving risks and the attackers' TTPs (Tactics, Techniques and Procedures).
How to certify
While general standards on how to certify an organization exist, they are not cyber-specific enough. The same generic standards for certification bodies, such as ISO/IEC 17021, apply whether an organization is being certified for environmental management or for information security (ISO/IEC 27002 itself is a catalogue of controls, not a certification procedure), and we would argue that cyber is distinct and merits its own detailed standard.
There are different ways to check whether a control is properly implemented in an organization. But we need more detailed and clear procedures to check and verify that the relevant controls have actually been enforced, using relevant and defined audit tools. Moreover, the supplier should be monitored periodically even after the initial certification, to make sure it keeps adapting to change.
Who is checking
Obviously, there are excellent certifiers who are well experienced and highly suited to the job; however, in most countries there are no minimum official requirements for serving as a certifier. A basic requirement scheme for cyber certifiers is needed.
As commerce is global, there is a need for a widely accepted framework for a reliable accreditation-certification process in cybersecurity that is continuously updated and evidence-based. Governments and the private sector, working together, have a responsibility to close that gap, establish an accepted framework, and mutually recognize similar frameworks in like-minded countries.
The Israeli case study
The INCD has worked to address those gaps in the domestic market, listening to and consulting with businesses from different sectors, regulators, certifiers and organizations. The result was the successful implementation of a framework consisting of two layers of certification, delivered through an online application designed by the INCD.
Each supplier registers with the application and answers a practical and detailed questionnaire based on ISO/IEC 27001 and the NIST standards, which includes specific instructions on which controls to check and how to check them. The INCD continuously analyzes cyberattacks and TTPs and promptly updates both its Cyber Defense Methodology and the specific requirements in the app itself. The app analyzes the answers and produces a map of scores, which the supplier can share with specific customers. This is the first layer, self-assessment, which is far more relevant and specific than a mere supplier's declaration or a general check-up.
The second layer is the certification layer, in which a certified external auditor verifies that the questionnaire was filled in correctly. Those certifiers have been accredited by an accreditation body; in Israel, the INCD.
A risk-based framework worldwide
The ideal situation would be for a broad swathe of countries to agree on such a questionnaire and use a global system. Customers in one country could then rely on certified suppliers in another, confident that those suppliers have been cleared against specific, detailed and up-to-date requirements by professional, certified auditors.
An important step towards this would be establishing an accreditation-certification scheme accepted across many countries. This would include an accreditation scheme for official certifiers, a certification scheme for suppliers, and a widely accepted certification procedure with periodic updates and frequent checks. Such a procedure would address current specific threats, the tools necessary to control them, and the standard of action required.
Recent global attacks, such as the compromise of SolarWinds Orion and others, have demonstrated the risk that global businesses face from their supply chain. The current framework, built on product certification, is missing a layer that goes beyond the product itself. Our alternative framework addresses that gap by treating suppliers as organizations, and it enhances trust between customers and suppliers. Let us move from compliance-based schemes to a more risk-based framework.
*Director, Advanced Technology, Israel National Cyber Directorate and Director, Cyber Cooperation, Israel National Cyber Directorate
**first published in: www.weforum.org