Two of the most well-known recent security breaches were enabled through a supplier.
The Target and Home Depot data breaches were both due to hacks into third-party systems.
Maintaining cybersecurity throughout the supply chain is critical, especially given the sheer volume of information systems and access points, and the severe impact of a breach to revenue and reputation.
To circumvent increasingly sophisticated cyber attackers, organizations should consider these key risks and best practices.
Key Cyber Supply Chain Risks
Physical or Virtual Access
A multitude of access points exists across the supply chain, from warehouse employees to software developers, all with virtual and physical access points that can expose organizations for cyber attacks.
Lower-Tier Suppliers and Contractors
Most supply chains rely on multiple suppliers along their supply chain, all of whom have access to the organization and can pose a security risk. Delays from a key supplier can have a direct impact on the bottom line if a critical product isn’t supplied on schedule. Customers and distributors further downstream may even terminate agreements if the effect is too large.
Compromised Software or Hardware
Most organizations also rely on outside parties to purchase both software and hardware, and both can serve as an access point for malicious actors. Hardware may be an inherent risk if it has been programmed with malware embedded. With many organizations still allowing a bring-your-own-device (BYOD) policy, control of these devices can vary greatly.
Third-Party Data Storage
Understanding all the paths your organization’s technology takes can be challenging due to third-party data storage. The fastest speeds may be coming from a hub in Beijing, for example, where bad actors can more easily access data.
Growing Number of Entities Involved
To stay competitive, most companies leverage more vendor relationships along the supply chain, increasing the sheer number of hands on the supply chain exponentially. More people involved means more potential points of entry or human error along the chain.
Internet of Things
Not only are more people involved in supply chains, but so are more devices, thanks to the Internet of Things. With these technologies, devices hook up to new networks, allowing new points of access and additional potential weak points along the supply chain if all devices and machines aren’t adequately maintained.
Best Practices to Mitigate Supply Chain Risks
With revenue and reputation to be lost through supply chain cyber breaches and more people and devices in the mix, organizations can embrace several best practices to help defend against potential risks.
Conduct an Assessment
With a comprehensive audit, such as the Service Organization Control (SOC) audit, organizations can more formally map the full IT system and security controls in place. First, an organization must understand its readiness. As with anything, honestly and accurately assessing your own work can be challenging at best. CIO Review advises using a third-party organization to evaluate how prepared you are for a cybersecurity attack.
Adopt a Risk Mindset
Assume that eventually, your organization will undergo a cybersecurity attack. The National Institute of Standards and Technology (NIST) states that organizations should develop defenses based on the premise that a breach is inevitable. Understand all potential areas for risks and create a plan to manage and troubleshoot them in the event of an attack. Consider risk vs. reward in every partnership made, and err on the side of caution.
Think Beyond Technology
Remember that human error often poses the greatest security risks. According to NIST, cybersecurity is a people, processes and knowledge problem, not just a technology problem. Continuously educate all employees on best practices and protocols. And, secure physical sites as well, both within your organization and every supplier involved in the supply chain.
Create an Overall Security Strategy
Once all risks have been assessed and mitigated through a security policy, ensure that the policy is formalized in writing and shared with employees and vendors alike. Include key players in developing your risk management strategy to ensure stakeholders are represented.
Include Security Requirements in the Contract
The best way to hold suppliers accountable is to formalize security requirements in both the contract and RFPs, according to NIST. As part of the onboarding process, ensure a security team works with the vendor on site to enforce security best practice compliance.
Oversee Components Purchasing
Require a pre-approval process for component purchases from vendors already in the approved vendor network. Any components purchased from someone outside the existing supplier network should be thoroughly reviewed, including X-rayed, before acceptance.
Testing
Continue to test and review for compliance regularly, as attackers will continuously be on the lookout for potential weaknesses. New vulnerabilities within the supply chain may crop up, so ensure a full test for all risks occurs more often than during a comprehensive annual review.
Automation
Any degree of automation or standardized protocol helps to reduce the risk of human error.
Personnel Training & Cybersecurity Culture
Upholding cybersecurity standards is everyone’s responsibility, so regularly train employees and hold them accountable for adhering to best practices and being mindful of potential new risks.
Legacy Support
Don’t neglect discontinued, or end-of-life, products. Ensure replacement parts for retired products and systems continue to adhere to current cybersecurity standards.
Limit Software and Hardware Access
Require secure logins, multi-factor identification, and other technology re-enforcements to confirm authorized users. And, be mindful to only grant access to users who require it instead of defaulting to everyone in a department or the organization in full.
As the supply chain continues to expand to include more people, hardware and software, organizations must remain vigilant to guard against cybersecurity breaches as a regular practice, integrated into the fiber of business operations and culture.
