Cyber Threats in Your Supply Chain


Risks associated with supply chain attacks have never been higher as new types of cyberattacks continue to grow and evolve. Cyber aggressors have more resources and tools at their disposal than ever before. This has considerably expanded the attack surface of organizations, putting their product and service delivery ecosystems at higher risk.

“56% of organizations have had a breach that was caused by one of their vendors…” – Ponemon Institute 2018

Most organizations focus on their own internal cyber risks. Few organizations have cybersecurity programs to assess the vulnerability of their supply chains once a supplier has passed the initial onboarding review.

FIVE (5) TYPES OF SUPPLY CHAIN THREATS

  1. Insider Threats. Insider threat actors, including accidental insiders, span multiple industries. The recent Verizon DBIR report shows that overall 34% of breaches occurred as a result of an insider incident: nearly 60% in healthcare, nearly 44% in IT, and nearly 36% in the financial sector.
  2. Cloud Access Mismanagement. As supply chain management software and data storage migrate to the cloud, organizations take on additional risk as they create systems of engagement outside of their perimeter. Failure to properly manage and configure cloud access can lead to serious IT and security risks, including granting users excess privileges or, worse, leaving cloud storage repositories open to anyone on the Internet. Cloud solutions must include strong identity and access management policies.
  3. Compromised Software or Hardware. Software or hardware purchased from suppliers can have defects, deficiencies, and compromises. It is important to inventory your hardware and software suppliers. Set high standards for quality assurance, including rigorous testing protocols. Through this process, you will be able to manage and potentially reduce the inherent security risks of third-party components.
  4. IoT Sensor Compromise. IoT devices equipped with Internet-accessible sensors are increasingly used in supply chains for inventory management and to predict machinery failures before they happen. However, this sensor data is another attack vector that attackers can use to discover information about your supply chain, including order volumes, important supplier relationships, and more. IoT devices must be vetted for secure configuration and encrypted communication at every point in the IoT ecosystem as they are deployed.
  5. Entrusting Data to a Third-Party Vendor. Cloud service providers allocate significant funds to securing their systems, because their reputations and livelihoods depend on it. Understandably, some companies are still reluctant to entrust important data to a third-party vendor. There are certainly increased risks in using a cloud service that doesn't put a premium on security. It is thus critical to engage only companies that have experience in dealing with mission-critical applications and that pass strict security audits. These companies often have much higher standards and more layers of security than the companies whose data they host.

Sometimes cloud service providers, suppliers, and vendors have more access and privileges to your systems and data than you and your staff. In many cases, it makes sense for cyber aggressors to attack the supplier directly. By partnering with your suppliers and through a strong third-party risk management program, you can enable monitoring and real-time assessment of your supply chain risks.
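Two of the points above, misconfigured cloud access (item 2) and third-party principals holding broader access than your own staff, show up concretely in cloud resource policies. The following is an added example, not code from the original article or its author: a small audit routine that scans an IAM-style bucket policy for a public principal, wildcard actions, and third-party accounts granted access without any condition. Both policy documents, the bucket name, the account IDs, the IP range and the "trusted accounts" set are constructed for illustration and are assumptions.

```python
"""
Audit IAM-style resource policies for common access-mismanagement patterns.

Added example (not from the original article). The two policy documents,
account IDs, bucket name and IP range below are constructed for illustration.
"""
import json
from typing import Any, List, Optional, Set, Tuple

# Constructed sample: an over-permissive bucket policy of the kind the
# article warns about (public read, wildcard actions, unconditioned vendor root).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # Anyone on the Internet may list the bucket and read every object
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-orders", "arn:aws:s3:::example-orders/*"],
        },
        {   # A vendor's whole account gets every S3 action, with no conditions
            "Sid": "VendorFullAccess",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-orders/*",
        },
    ],
})

# Constructed sample: the same vendor access scoped to least privilege.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # A specific vendor role (not the account root) may only read its
            # own prefix, and only from the vendor's declared egress range.
            "Sid": "VendorScopedRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/order-feed-reader"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-orders/vendor-feed/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
        {   # Deny statements only reduce access; here: refuse plaintext transport
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-orders", "arn:aws:s3:::example-orders/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Assumption: the auditing organization's own account id(s).
TRUSTED_ACCOUNTS: Set[str] = {"999988887777"}


def _as_list(value: Any) -> list:
    """IAM allows a scalar or a list in most fields; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _principal_arns(principal: Any) -> List[str]:
    """Flatten the Principal element into strings ('*' stays '*')."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        out: List[str] = []
        for value in principal.values():
            out.extend(_as_list(value))
        return out
    return _as_list(principal)


def _account_of(arn: str) -> Optional[str]:
    """Return the 12-digit account field of an ARN, or None for non-ARNs like '*'."""
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None


def audit_policy(policy_json: str,
                 trusted_accounts: Set[str] = TRUSTED_ACCOUNTS) -> List[Tuple[str, str]]:
    """Return (Sid, issue) pairs for every risky Allow statement in the policy."""
    findings: List[Tuple[str, str]] = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principals = _principal_arns(stmt.get("Principal", {}))
        actions = _as_list(stmt.get("Action", []))
        conditioned = bool(stmt.get("Condition"))

        if "*" in principals:  # open to anyone on the Internet
            findings.append((sid, "public-principal"))
        if any(a == "*" or a.endswith(":*") for a in actions):  # "s3:*", "*"
            findings.append((sid, "wildcard-action"))
        for p in principals:  # third-party accounts: who, and under what conditions?
            account = _account_of(p)
            if account is None or account in trusted_accounts:
                continue
            if p.endswith(":root"):  # every identity in the vendor's account
                findings.append((sid, "external-account-root"))
            if not conditioned:      # no source-IP, org, or other restriction
                findings.append((sid, "external-account-unconditioned"))
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(doc))
```

Run against the weak policy the audit reports four findings across the two statements; against the hardened policy it reports none, because the only remaining Allow names a single vendor role, a single read action, a narrow prefix, and a source-IP condition. The checks are deliberately simple string tests on the policy document; in practice they belong in a pipeline that pulls every bucket and role policy from the cloud account's API and runs on a schedule, since vendor access tends to widen quietly over time.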

The problem gets worse when you consider that security risks do not end when the supplier relationship is terminated. Former suppliers may still retain your organization's data on their systems. Ensure your third-party risk management program has strong and auditable processes for verifying that data is permanently expunged from a terminated supplier's systems.

Lastly, regulators are increasingly looking at third-party risks. Depending on your industry, you may need to establish logging, monitoring, and auditing capabilities over your supply chain to ensure your suppliers' cyber security protections are up to par.

SUMMARY

Start to understand your cyber risks and exposure by examining what data you have, how and where it is being used, and prioritizing your suppliers. Two common deficiencies of supply chain cyber risk programs are (1) a lack of understanding of the types of data and access the third party possesses, and (2) the lack of a prioritized list of suppliers. Involving your IT and security teams alongside the procurement teams that handle the logistics of assessing and onboarding vendors will help strengthen the process from the point of implementation. The onboarding assessments should include items that give insight into what data a third party has access to, where that data resides, and who has access to it. Once you understand the criticality of the data a third party can access, you can prioritize the risk around that supplier.

FIVE (5) ACTIONABLE TAKEAWAYS

  1. Understand Your Data. Identify the data critical to your business, and how and where it is being used.
  2. Maintain Regulatory and Customer Contractual Requirements. Understand your legal requirements and compliance obligations within your industry.
  3. Establish a Third-Party Cyber Risk Management Program. Develop and document a formal third-party risk management program that involves your procurement, technology, and security teams to ensure security best practices are implemented upfront.
  4. Implement Logging, Monitoring and Auditing. Establish regular procedures for review and follow-up. If you are in a highly regulated industry, ensure you have the ability to audit as required.
  5. Communicate. Business processes and shared data can change. Partner with your suppliers, and review and document changes in business processes, data, and delivery.

Author:

Laszlo S. Gonc, CISSP, First Senior Fellow, DivIHN Cybersecurity Center of Excellence.