• Most businesses simply accept that their suppliers are cybersecure.

• Product certification should be replaced with a focus of ensuring an entire organization is secure.

• The INCD's new app helps implement stronger cybersecurity auditing and certification.

As most small and medium-sized enterprises (SMEs) are run on a low operational budget, most do not invest adequately in cybersecurity. Hence, they are becoming preferred targets for cybercriminals, either as direct targets or as an attack vector to reach the bigger businesses, government agencies or critical infrastructures they are supplying to. We are currently witnessing a surge in supply chain cyberattacks, both in number and in sophistication.

The importance of SMEs is beyond question: According to ENISA, they are the backbone of the EU economy, representing 99% of all businesses and employ about 100 million people. The US economy is no different percentage-wise. SMEs provide services and products to bigger businesses and to the population at large. So as crucial parts of the supply chain, they must be protected from cyberthreats.

During research conducted by the Israel National Cyber Directorate (INCD) conducted, many SMEs complained of too many different requirements by different customers and regulators. Big enterprises invest a lot of resources in defining their own requirements for cyber-risk management according to standards like the ISO 27036, 800-161 and others, yet, often settle for suppliers' declarations rather than insisting on valid audit results. According to the ISO survey, in 2019 only 36,362 organizations worldwide were certified to ISO 27001 – an international standard that stipulates over 100 different controls for managing information security.

Recognizing the risk across the board, the UK’s National Cyber Security Centre (NCSC) published supply-chain security guidance for businesses to be more in control of cybersecurity. The guidelines are quite thorough and educate the businesses on how they need to understand and manage risk originating with suppliers – but much of the work required is left to the businesses themselves.

A recent INCD audit, showing how many of the organization's individual cybersecurity controls complied with the standards required
A recent INCD audit, showing how many of the organization's individual cybersecurity controls complied with the standards required
Image: INCD

There are different approaches to achieving stronger cybersecurity, primarily by certifying products and services. We would argue that to complete the process, we need to upgrade the overall level of cyber-hygiene of suppliers as organizations, and not merely their specific products.

Assuring that products bought via the supply chain are certified and cybersecure is of course an important layer. However, product certification might be relevant to a specific version and might lose relevancy on the next. It is imperative to complement the security scheme with a certification scheme for providers from the point of view of the customer. Businesses need to be sure that the providers they rely on are keeping a standard default level of cyber-hygiene that reduces risks significantly.

Gaps in the current framework

What to check

The existing certification framework includes various standards like ISO 27001, NIST and other IT security standards that relate to IT security, most couched in a language that is general. But there is a need for a detailed and clear language that is more cyber-specific than the current generic framework. The cyber domain is very dynamic, one in which malicious activity is developing constantly. There is a need for defined controls that are being constantly updated according to the evolving risks and TTPs (Tactics, Technologies and Procedures).

How to certify

While general standards that relate to “How to certify an organization” exist, they are not cyber-specific enough. The same standards, such as ISO 27002, exist for certifying an organization for environmental norms or cybersecurity, and we would argue that cyber is distinct and merits its own detailed standard.

There are different ways to check if a control is well implemented in an organization. But we should have more detailed and clear procedures to check and verify that the relevant controls have been enforced, using relevant and defined tools of audit. Moreover, there should be periodic monitoring of the supplier even after the initial certification to make sure it is adapting to changes.

Who is checking

Obviously, there are excellent certifiers that are well experienced and most suitable for the job; however, in most countries there are no minimum official requirements needed to serve as certifiers. There is a need for a basic requirement scheme for cyber certifiers.

As commerce is global, there is a need for a widely accepted framework for a reliable accreditation-certification process in cybersecurity that is continuously updated and is evidence -based. Governments and the private sector, working together, have a responsibility to close that gap, establish an accepted framework and mutually recognize such similar frameworks in like-minded countries.

The Israeli case study

The INCD has worked to address those gaps with the domestic market, listening to and consulting with businesses from different sectors, regulators, certifiers and organizations. The result was the successful implementation of a framework, which consists of two layers of certification, implemented using an online application designed by the INCD.

Each supplier registers to the application, and answers a practical and detailed questionnaire based on ISO 27001 and NIST standards, and includes specific instructions on what controls to check and how to do so. The INCD is continuously analyzing cyberattacks and TTPs, and promptly updates the Cyber Defense Methodology and the specific requirements on the app itself. The app analyzes the results and comes up with a map of scores. The results can be shared with specific customers. This is the first layer of self-assessment, which is much more relevant and specific than a mere supplier's declaration or a general checkup.

The second layer is the certification layer, where a certified external auditor verifies that the questionnaire was filled in correctly. Those certifiers have been accredited by an accreditation body; in Israel, the INCD.

A risk-based framework worldwide

The ideal situation would be for a broad swathe of countries to agree on such a questionnaire and use a global system. Customers from one country could rely on certified suppliers in another, and be sure that these suppliers have been cleared according to specific, detailed and updated requirements by professional and certified auditors.

An important step towards this would be establishing an accreditation-certification scheme accepted across many countries. This would include an accreditation scheme for official certifiers, a certification scheme for suppliers, as well as the widely accepted procedure for certification, with periodic updates and frequent checks. Such a procedure would relate to current specific threats, to the necessary tools to control them, and to standards of action required.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum's Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. We are an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors. We bridge the gap between cybersecurity experts and decision makers at the highest levels to reinforce the importance of cybersecurity as a key strategic priority.

Our community has three key priorities:

Strengthening Global Cooperation - to increase global cooperation between public and private stakeholders to foster a collective response to cybercrime and address key security challenges posed by barriers to cooperation.

Understanding Future Networks and Technology - to identify cybersecurity challenges and opportunities posed by new technologies, and accelerate forward-looking solutions.

Building Cyber Resilience - to develop and amplify scalable solutions to accelerate the adoption of best practices and increase cyber resilience.

Initiatives include building a partnership to address the global cyber enforcement gap through improving the efficiency and effectiveness of public-private collaboration in cybercrime investigations; equipping business decision makers and cybersecurity leaders with the tools necessary to govern cyber risks, protect business assets and investments from the impact of cyber-attacks; and enhancing cyber resilience across key industry sectors such as electricity, aviation and oil & gas. We also promote mission aligned initiatives championed by our partner organizations.

The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace which aims to ensure digital peace and security which encourages signatories to protect individuals and infrastructure, to protect intellectual property, to cooperate in defense, and refrain from doing harm.

For more information, please contact us.

The recent global attacks, like the ones on SolarWinds, Orion and others, have demonstrated the risk to global businesses from their supply chain. There is a missing layer in the current framework for product certification – one that goes beyond that standard. Our alternative framework addresses that gap by relating to suppliers as organizations, and enhances trust between customers and suppliers. Let us move from compliance-based schemes to a more risk-based framework.