Protecting the global supply chain: A shared responsibility
Supply chain attacks have dominated news headlines in 2021. From SolarWinds to JBS Foods, cybercriminals are actively targeting national and international supply chains, causing widespread disruption and financial impact. Attackers understand that organizations have less control over and visibility into the security controls of a supply chain -- controls that are typically limited to legal contracts rather than true and comprehensive security policies and procedures. Common cyber supply chain risks and threats include third-party access to IT systems and weak cybersecurity practices of smaller suppliers.
Now more than ever before, protecting every part of the supply chain must be a top priority for both public and private sector organizations globally. To do this effectively, it is important to remember that securing any supply chain cannot be successfully achieved through the work of only an IT department or team. While they do play a significant role, cyber supply chain risks touch upon many different areas. Therefore, a more comprehensive, shared responsibility approach is required.
So, what can companies and government agencies do to create supply chains that are more resilient against cyber-attacks?
1. Compliance Standards
It is inherently important that every vendor within a supply chain adheres to their applicable industry compliance standards at the very minimum. Whether it be HIPAA (healthcare), PCI-DSS (retail), or ITAR (military), these standards ensure that data is managed and secured properly. Prior to adding a new vendor to their supply chain, organizations may want to consider conducting independent third-party security audits on potential supply chain vendors to ensure that they are compliant. However, as we have witnessed, simply being compliant is not enough. It is important that security is not a checkbox but a mindset on how to operate the business. If you make security your lifestyle and incorporate it into your business culture, it will significantly reduce the risks and help make a compliance audit easier.
2. Diligently Evaluate
In addition to ensuring compliance, organizations should also evaluate the general cybersecurity practices, and procedures suppliers have in place. Ask your suppliers questions. How do they ensure security throughout the entire product/service lifecycle? What physical security measures do they have in place, and how is this documented and audited? This will help dictate the security posture of any given supplier. If a vendor is accepted into a formal supply chain and some security gaps have been evaluated at the onset, an organization's security team should work with them to address these vulnerabilities and security gaps. Security by design is a great idea, but we must go further, practicing security by default.
3. Create Enforceable Terms and Conditions
Companies should consider going one step further by creating their own list of security specifications, controls, and standards which must be met by all subcontractors, vendors, and supply chain partners, which are highlighted and agreed to when a business contract is signed. This may include requiring vendors to disclose past (and future) security incidents in a timely manner and/or the implementation of specific security software. We are only as secure as the supply chain around us, and that means we all must work together and share security intelligence and best practices.
4. Limit Access and Least Privilege
Organizations can also significantly strengthen the security posture of their supply chain by limiting the network access of all its vendors, adopting a least privilege approach. Each vendor's role and responsibility within a supply chain must be evaluated, and every vendor should only be given enough access to fulfill their role. Access to software and services should be limited to a few select vendors, and all vendor activity must be continuously verified and then authorized.
5. Educate Employees Creating a Cybersecurity Culture
It goes without saying that IT security systems will not be able to secure data unless employees throughout the supply chain follow cybersecurity best practices, such as strong passwords. Lately, we've been reminded constantly about how poor and weak password choices can have a knock-on impact on dozens of other organizations within a supply chain. All vendors, suppliers, and contractors should focus on educating their employees on the cyber risks specific to their supply chain environment and work together to limit vulnerabilities.
No single organization alone can win against cybercrime and cyberattacks. A cross-cultural, collaborative approach is the only way to tackle cybercrime, reduce risk and improve overall resiliency. An approach where organizations and their leaders continually work together with the utmost transparency. Always remember that the security of a supply chain is only as strong as its weakest link. We must get back to the reality that cybersecurity does not stop at your employees and the assets you own but in the society around your organization, thus meaning that the supply chain is one of those top risks that we need to prioritize.
Image Credit: Manczurov/Shutterstock
Joseph Carson is Chief Security Scientist and Advisory CISO at ThycoticCentrify