Insider Threat Management is difficult at the best of times, let alone cascading this implementation into the supply chain. The starting point for managing this risk is to understand how and where insider risks may arise in the supply chain, as well as assessing the likely business impact. Only then can these risks start to be managed effectively. The second consideration is contracting with suppliers to set expectations and form contractual obligations on expected practices: some organisations rely solely on contractual obligations to manage their insider risks, an approach which is fraught with danger. This article explores these risks in more detail and outlines common pitfalls encountered when developing Insider Threat Management clauses in contract schedules.
How can insider threats affecting a principal materialise in the supply chain?
In this post, I use the term ‘principal’ to reference the party engaging a third party (e.g. a supplier). Insider threats can be malicious, complacent or ignorant, and there are two ways trusted insiders in the supply chain may impact a principal:
- Principal is targeted directly by the insider – examples include supply chain attacks (ICT), issue motivated activism (e.g. anti-fossil fuels), or the introduction of SSFFC (Substandard, Spurious, Falsely Labelled, Falsified and Counterfeit) and / or non-conforming parts or components into the principal’s supply chain.
- Principal is not directly targeted but is impacted by the consequences of the event – examples might include a workplace violence incident which causes a downstream business interruption that affects quality, availability or some other service level.
Under Australia’s new Security of Critical Infrastructure Act and Rules (2022) (referred to as SOCI), critical infrastructure operators are required to more actively manage insider threats and supply chain hazards. The relevant Rules have been reproduced below:
- Personnel Hazards: minimise or eliminate material risks that negligent employees and malicious insiders may cause to the functioning of the asset (paragraph (c))
- Supply Chain Hazards: minimise or eliminate the material risk of, or mitigate, the relevant impact of: misuse of privileged access to the asset by any provider in the supply chain (paragraph (b))
To comply with these obligations, organisations need to understand the intersection of insider threats and supply chain threats and how they might manifest in practice.
What insider risks can manifest in a direct impact on the principal?
We buy products or services from our suppliers, and we may also use other third party relationships such as alliances or consortiums to facilitate business in some way. This means that insider risks can impact people, assets, information as well as products, services and quality. Examples of insider risks in the supply chain are outlined below:
| Insider risk in the supply chain | How it may manifest / what it involves | Relevant control programs |
|---|---|---|
| Unauthorised use or disclosure of information | May involve the following categories of information: (a) Intellectual Property & Trade Secrets; (b) Commercially sensitive information; (c) Personally Identifiable Information | Information Protection Programs; Supervised Destruction at contract termination |
| Unauthorised use or copying of molds, proprietary materials, manufacturing equipment, tools or techniques | Where a supplier uses tools and equipment provided for a permitted purpose without authorisation (relevant to Contract Manufacturers and Contract Research Organisations) | Supplier Assurance / Audits; Market Surveillance Programs; Contract clauses specifying ownership of IP |
| Supplier reputation (entity) | Adverse media / reputation; Management track record; Finances & Credit Ratings; Watchlist & Sanctions checks; Ultimate Beneficial Ownership & Control; Litigation history & enforcement action; Other checks as appropriate | Supplier Integrity Program; Supplier Due Diligence; Supplier Assurance / Audits |
| Supplier’s employees | Potential for infiltration of the supplier by hostile actors (e.g. organised crime, nation state actors); Hiring of unsuitable employees or contractors by a supplier | Workforce Screening Program (background checks); Supplier Integrity Program; Insider Threat Management Program |
| | ICT System Sabotage; Supply Chain Attacks | Physical Security Program; Personnel Security / Insider Threat Program; Supply Chain Integrity & Security Program; IT Disaster Recovery |
| Introduction of SSFFC & Non-Conforming Parts | Failure of, or damage to, critical assets whilst in service due to malicious insertion or latent vulnerabilities in parts, components or software; Unidentified cybersecurity vulnerabilities in products or systems (e.g. network back-doors); Failure of products or components whilst operating within specifications; Substitution of authentic (conforming) parts or components with inauthentic (non-conforming) ones | Supply Chain Integrity & Security Program; Quality Assurance Program |
| Intentional Interference & Contract Frustration | Supplier / service provider under-delivers or incorrectly delivers intentionally for some reason (including through economic coercion or hostile control by other nation states) | Supplier Due Diligence; Threat and Risk Assessments; Supplier Assurance / Audits |
Designing and enforcing Insider Threat clauses in contracts can be challenging
In my experience working on both supply chain security and insider threat engagements, it is common to see organisations placing a high degree of reliance on the provisions in a contract to manage these risks. Quite often these courses of action are driven by legal or procurement policy decisions in organisations which don’t fully appreciate their threat and risk environment.
Relying on contractual provisions to manage insider threats (or any other supply chain threat) means your organisation is reactive or response-driven: by the time you need to enact the provisions, an incident or loss has generally already materialised, and sometimes the legal remedy may not be obtained until years after the event, during which time considerable management time, expense and effort has been expended.
In addition to the above, I regularly encounter a range of challenges with these contract clauses, including:
- Sometimes contracts are silent on Insider Threat Management, or the clauses that do exist cannot be readily or easily enforced.
- Supplier contracts often last for multiple years, and renewals may be simple extensions without using the latest templates. This can mean a patchwork of standards and obligations exists throughout the supplier base, some of which may not align to the organisation’s current standards and practices.
- Principals don’t specify their expectations of a supplier’s Insider Threat Management program. This could be mitigated by providing standards and frameworks for suppliers to follow and referencing these in contract schedules.
- Sometimes the relevant clauses are in a contract but they are never audited or enforced to confirm the supplier is actually adhering to what they agreed to. Also, suppliers may have been compliant at a point in time, but then ceased to comply due to cost pressures or management decisions.
- When dealing with the situation where there is only one or a small number of suitable suppliers globally, negotiating power is an issue. The principal may have the best intentions and a good framework to follow, but the supplier is not interested in agreeing to these clauses and refuses to sign the contract, knowing the principal will likely have to back down.
- In some cases, it may not be possible for a supplier to agree to the principal’s requirements due to the nature of legal, industrial relations, employee engagement, or culturally-acceptable practices in the supplier’s jurisdiction. Workforce surveillance practices such as User Activity Monitoring are a good example here.
As you can see, there is a lot to consider when making policy decisions on Insider Threat Management practices generally, let alone when suppliers are thrown into the mix. Effective management requires a clear understanding of the threats and risks affecting the principal and how they may impact critical assets. Only then can a risk-based management strategy be developed, tailored to the principal’s needs and risk profile. There is often little room for a ‘one size fits all’ strategy in this scenario.