Schools spend a significant amount of time and resources protecting their infrastructure and digital assets, but a substantial amount of them don’t have a good handle on the cybersecurity risk that their supply chain introduces. Like businesses, many schools rely heavily on the services that third parties supply, and ensuring that these providers prioritise cybersecurity is of vital importance. This article covers the potential weaknesses in most school’s supply chain cybersecurity, as well as the various steps one can take to ensure a supply chain remains safe and secure.
What is a Supply Chain?
In the context of education, a supply chain relates to every vendor and third-party supplier a school engages with to help them facilitate the daily running of their institution. These vendors include everything from the management and finance systems that form a foundational component of a school’s digital architecture, to HR and enrolment systems that schools make use of every day.
When trying to understand the cybersecurity implications of your supply chain, it’s important to understand the type of data and systems that are being accessed. Whilst the process of data classification is not covered in this article, understanding the different types of data (public, confidential, personal identifiable information, medical, etc.) that the various supply chain vendors manage and access, is a fundamental step in securing the supply chain.
Unfortunately, many schools don’t consider the potential security implications of a cyberattack on those third parties. Some of the recent major cyberattacks are directly attributed to supply chain security issues. Both the MediBank and Latitude Finance attacks were the result of cybercriminals gaining access through the respective supply chains, which resulted in criminals stealing vast amounts of highly confidential information.
Why is supply chain cybersecurity important?
Many schools don’t realise just how much they rely on their supply chain, and often overlook the level of access their vendors have to their sensitive data. Since there is typically minimal oversight to how much exposure there is to that data, and what the vendors are doing with that data, the potential impact of a breach via a school’s supply chain cybersecurity needs to be clearly understood.
One of the main points of confusion when it comes to securing the supply chain is a school not having an understanding about what could happen to their data if their supply chain was compromised. In most cases, there are minimal controls put in place, with no plans established to identify who is responsible for the appropriate cybersecurity incident actions that need to be taken to contain and reduce the impact of the incident.
Some school systems and functions are more exposed to supply chain cybersecurity risks than others. Below are the most common examples:
School management systems
By nature, these systems hold and manage access to extremely sensitive school data. These systems can be cloud-based, delivered as a Software as a Service (SaaS) platform. In other cases, these are hosted on-premise at the school, with updates and support performed remotely by the vendor. This remote access presents several challenges, as access is often allowed 24/7 at the insistence of the vendor, with minimal oversight of what activities are being performed on that system. This means that even if a school has significant cybersecurity in place, they are essentially blind to what is occurring on one of their most critical systems.
Outsourced services such as Finance and HR solutions
Most of these third-party providers host a school’s information in the cloud. The potential risk lies in the fact that, in many cases, no protocol has been clarified between the school and the vendor detailing who is responsible for system security including patching and data backups. This area of uncertainty can present a ‘perfect storm’ scenario with not only data being lost, but incorrect assumptions being realised.
Identity providers and enrolment systems
Because these systems are complex, it can be difficult to gain clear visibility of who has what type of access, and where different types of data resides. Do the identity documents in an enrolment process, for example, reside permanently within the vendor’s hosted system, or within the school’s managed systems? Which assets may each person access? This level of complexity makes it difficult to establish what actions people are performing with their access, and indeed, what level of access they should have. This situation poses a threat, as the potential for human error in accessing and sharing information is increased.
Safeguarding your supply chain cybersecurity
Securing the supply chain can be difficult. Luckily, there are effective ways to safeguard your school’s supply chain. Below are the most effective ways to do so:
Shared Responsibility Model
One of the most effective ways to ensure that every link in your school’s supply chain is secure, is by developing a shared responsibility model. A shared responsibility model is a mechanism that outlines the responsibilities of your cloud service providers (CSPs) with the aim of securing every aspect of your shared digital ecosystem. This includes documenting who is responsible for the major items such as backing up of important data, applying security patches and managing the underlying infrastructure, access control, and establishing Service Level Agreements (SLAs) and cybersecurity incident response processes.
Because many vendors have access to a school’s sensitive data, it’s important to screen that vendor, to ensure that they follow effective online safety practices. A simple way to do this is by ensuring that all your vendors have trusted industry accreditations. There are a range of accreditations, including industry neutral accreditations such ISO2700, or PCI-DSS.
Additionally, schools can look for education-specific accreditation such as the Safer Technology for Schools (ST4S) program. Accreditations like these prove that a vendor meets comprehensive standards for information security management. By setting a baseline that every vendor within your school’s supply chain has earned a well-regarded accreditation, you’ll be improving the security of your information and data when third parties access and engage with it. In some cases, the preferred vendor may not have any formal cybersecurity accreditation, and that’s ok. A process to perform a security assessment on that vendor should also be developed. This leads us to:
Cybersecurity Risk Assessments
A school can also assess new or existing vendors by the level of potential risk they hold, via a risk assessment questionnaire to be filled out by the vendor. Different vendors require access to different types of a school’s sensitive data and systems. Because of this, it’s recommended that a school applies a directly proportional number of controls to each vendor. For example, a detailed, thorough cybersecurity risk assessment questionnaire to a vendor that needs to access publicly available data or non-critical systems would not necessarily be required. A vendor that requires full-time administrative access to highly confidential data and systems should be expected to be interrogated in detail on their cybersecurity practices.
Contractual safety measures
Another way a school can take measures to manage their exposure is by including specific clauses in their vendor contracts. Contracts should cover the full spectrum of expectations from the school to the vendor, including data backup responsibilities and arrangements on Service Level Agreements. Schools should also include minimum safety protocols in their service level agreements, and in cases where a vendor has access to a large amount of sensitive data, could include the right to audit that vendor where appropriate, as well. Finally, conditions around joint cybersecurity incident management expectations should also be clarified.
Expert supply chain cybersecurity
NetStrategy are experts in cybersecurity for schools, including every part of the supply chain. We empower schools with a range of services, including auditing supply chains, evaluating new and existing vendors, assessing your (and your vendor’s) current security postures, developing supplier risk management programs, and setting up procedures and steps that will allow a school to take control of their supply chain cybersecurity, and efficiently manage it themselves. Contact NetStrategy today and discover how we can help you take your school’s cybersecurity to the next level.