Combat Threats With Supply Chain Security & Risk Management
Threats to your business are everywhere: employees, vendors, and hackers. This is where supply chain security becomes critical to a robust security strategy.
What is supply chain security? It is the set of practices by which a business reduces physical and cyber threats to its supply chain, whether those threats originate inside or outside the organization. The threats range from physical theft to hackers breaching your network.
What Is Supply Chain Security for IT and Data Systems?
Historically, the term “supply chain” has referred to a specific set of logistical practices around moving goods and services from one location to another—that is, it had a specific physical context. Even today, “supply chain” often applies to the shipping, logistics, trucking, and travel lanes that support the movement of goods from one place to another.
In terms of digital systems and infrastructure, supply chain also refers to the hardware, software, cloud platforms, and security measures in place to support data-driven businesses and government organizations. These supply chains manage the movement of perhaps the most critical asset any organization has in our modern digital world: data. Major digital supply chains include those in banking and finance, government services, and defense contracting.
There are similarities between traditional and digital supply chains. For example, many manufacturers rely on upstream supply chains where components flow into a central location to support the creation of larger objects, such as cars and industrial equipment. Likewise, the digital supply chain relies on the upstream flow of cloud and managed services to support larger operations in the industries discussed previously. Platforms like Salesforce, Microsoft Azure or Office 365, and AWS Cloud Services bring functionality like storage, analytics, security, network support and analysis, and even AI or machine learning to businesses that incorporate them into more comprehensive logistics.
IT professionals have been keenly aware of the increasing number of digital supply chain attacks in the past few years. State-sponsored attacks against digital supply chains, particularly through upstream hacks, are becoming the primary front in modern cyber warfare. In response, supply chain risk management is now a strategic undertaking for many organizations.
We see several common forms of threats and vulnerabilities increasingly impacting digital supply chains:
- Security Gap Exploitation: Even as technology evolves, many of our worst practices remain in effect. One of the more common ways that hackers gain access to systems for malicious purposes is by exploiting bugs, backdoors, or well-known vulnerabilities that are ignored for one reason or another.
- Vendor Relationships: The fallout of modern hacks isn’t limited to the company itself. Many cloud providers have an extensive client base that includes private companies and government agencies. Attacks against cloud infrastructure can cause a domino effect due to relationships with various businesses and organizations.
- Lack of Knowledge or Training: Unfortunately, one of the weakest points of any digital supply chain is usually the people involved. A lack of training in choosing strong passwords and recognizing phishing attacks can lead to the complete destabilization of a business and its customers.
- Advanced Persistent Threats (APTs): The most threatening form of a security breach is an APT. These threats do not simply infect and tear down a system. They are sophisticated programs that burrow into a system, move laterally across an organization, then upstream, all while avoiding detection. Once in, they can monitor all system events to steal data for weeks, months, or even years before being identified.
Data breaches are costly events that can completely destabilize your business, as well as your partners’ businesses. Per IBM and the Ponemon Institute, the average cost of a data breach is $4.24M, but that number doesn’t address the additional costs in time, effort, and reputation.
Is Cybersecurity Enough for Supply Chain Security?
The short answer is no. Basic cybersecurity efforts often only scratch the surface of the vulnerabilities that may exist in a supply chain. Instead, organizations must focus on security across multiple fronts:
- Vet Prospective Vendors and Evaluate Existing Vendor Relationships: Your vendors should, at a minimum, meet your security expectations whenever handling your data. Furthermore, they should be willing and able to demonstrate their compliance with your requirements via regular assessments and evaluations. Finally, your IT leadership should have annual evaluations baked into any vendor contracts to ascertain third-party risk.
- Active Cybersecurity Testing: You must implement and undergo regular tests across all systems. This can mean performing regular penetration tests, red team exercises, or some combination of clearly planned system tests to expose vulnerabilities across several interconnected layers of your system.
- Regular Scanning, Monitoring, and Updating: You can and should use regular vulnerability scans outside of regular testing. While vulnerability scans aren’t as thorough as penetration tests, they can be performed more often to expose shallow vulnerabilities as they emerge.
- Understanding Compliance Standards: While compliance regulations like HIPAA and CMMC, in and of themselves, won’t cover all of your security requirements, they do provide a good framework of what experts in your industry see as major threats and security priorities. Furthermore, you can look outside your industry to frameworks like NIST CSF and ISO 27001, among others, to see how professionals use risk assessments and monitoring practices to secure their systems.
- Securing Physical Locations: Don’t take for granted how vulnerable your physical locations may be. A stray laptop or unsecured door can give attackers or malicious insiders a way to steal information. Password protect all devices, ensure that these devices use encrypted communications and secure connections, and protect data centers and workstations with cameras and locked doors.
What Are Some Best Practices for Achieving Supply Chain Security?
To best approach supply chain security, it’s important to understand the big picture. There are a few best practices to consider when securing your data across the digital supply chain:
- Understand Your Assets: You should be able to map out your assets, data, vendors, and all connecting technologies and infrastructure. There should never be a reason that your inventory or catalog of resources is not up to date. You can’t protect what you can’t see.
- Embrace Risk Management: Supply chain risk management (SCRM) is the art and science of understanding and balancing your existing security controls, your potential vulnerabilities, your regulatory requirements, and your business goals. A risk-based approach can help you better understand your security landscape and where you need to address problems.
- Take a Hands-on Approach to Vendor Relationships: As stated earlier, you should have a clear map of all vendor agreements and relationships, including regular audits, reviews, and assessments triggered by upgrades or technology changes. This approach can help you mitigate challenges due to vulnerabilities from partners and upstream cloud or managed services.
- Understand Compliance: Know what compliance standards you must meet, and if possible, exceed them to bolster security.
- Strive for Complete Visibility: Monitor systems, system events, technologies, upgrades, and anything required to best understand who has access to your data, what they do with it, and how they protect it. Include contractors, suppliers, vendors, and even regulators and customers in your monitoring and improvement plans.
Supply Chain Security Is a Common Good and Responsibility
Supply chain security is a necessary practice for any business, not just large enterprises. As my Chief Product Officer said, “You’re only as interesting as your most interesting customer.” Sophisticated attackers—whether organized crime syndicates or nation-states—learned long ago that they have a better chance of getting to your data indirectly, through your supply chain partners.
You can significantly mitigate supply chain risk if you understand your regulations, your infrastructure, and your vendor relationships. Use supply chain risk management best practices to build or bolster your broader security program. Continually monitor systems, understand upgrades and patches, vet and evaluate your vendors, and constantly train your employees to stay ahead of vulnerabilities as much as possible.