Cybersecurity is a looming and persistent threat to supply chains, thanks to the interconnectedness of our third-party vendors and growing threats by digital terrorists.
A recent study from NCC Group shows supply chain attacks increased by 51% in the last six months of 2021. IBM reports manufacturers are the top sector for extortion by cyber terrorists via ransomware. More than half of cybersecurity breaches occur in the supply chain through third-party suppliers, with an average data breach cost of $4.46 million, according to IBM.
The National Institute of Standards and Technology (NIST) says, “Cybersecurity in the supply chain cannot be viewed as an IT problem only. Cyber supply chain risks touch sourcing, vendor management, supply chain continuity … and many other functions across the enterprise.”
What are the cybersecurity risks to supply chains, and what can you do about them?
Supply Chains and Cybersecurity: A Growing Concern
The complexities of our ever-changing IT networks and the infrastructures of customers and suppliers make it hard for organizations to consistently apply a robust, up-to-date cybersecurity footprint, especially when there are so many risks from so many directions.
Businesses must interact regularly with other companies that supply the goods we offer customers. The same partnerships create IT security risk.
KPMG says cyber criminals can infiltrate supply chains from several different points:
- Via your supplier network, targeting vulnerabilities in their systems.
- Through basic warehouse equipment such as Internet of Things (IoT sensors).
NIST says supply chain cybersecurity risks stem from:
- Third-party vendors with physical or virtual access to your information systems
- Poor IT security practices by your lower-tier suppliers
- Supplier-purchased software or hardware with security compromises
- Software vulnerabilities in supply chain management systems
- Hardware with embedded malware (such as in warehouse sensors)
- Data stored within third-party systems
Six of the most common reasons for a data breach stemming from the supply chain include:
- A lack of multi-factor authentication (MFA). MFA is a multi-step verification process to ensure the human accessing your system is who they say they are.
- Limited visibility into stored system data. Our customers, suppliers and distribution companies often work with multiple data repositories. Each offers security capabilities but often are siloed systems with no overarching dashboard to bring everything together. In this kind of patchwork environment, it is much more difficult to monitor data security.
- Poor password policies cause cybersecurity havoc. Four of five data breaches stem from issues around passwords. One Google study showed that 13% of end-users reuse the same password on all their accounts and 52% use the same password on multiple accounts (but not all).
- Misconfiguration issues on data architectures that leave systems vulnerable. Each software platform requires specific skills to manage security settings carefully. Many times, we get this wrong.
- Zero-day vulnerabilities are known cybersecurity holes that haven’t been patched. Hackers race to exploit these vulnerabilities, knowing it takes time to fix them. Some of the most famous examples of zero-day attacks include the 2016 hack against the Democratic National Convention and the 2021 Log4j vulnerability affecting cloud service providers.
- Using the right cybersecurity tools to analyze abnormal behaviors to identify malicious activities. NIST recommends developing cybersecurity defenses with the assumption that your systems will experience a breach at some point.
How confident are you that your suppliers have taken the steps necessary to eliminate these and other issues threatening your business? What steps should you take to mitigate these risks?
Steps to Protect Your Supply Chain
Understanding vendor risk is the first step toward mitigating it. Businesses can apply these generally accepted best practices to shore up their IT security:
- Assess the risks by carefully vetting the systems and processes used by your suppliers.
- Suppliers should have ample IT security measures, including end-to-end encryption, firewalls, multi-factor authentication and strong password protocols.
- Set security guidelines for access control, data protection and incident response.
- Apply the rigor of continuously monitoring your supply chain. Continuous monitoring often requires an outsourced cybersecurity expert to establish this necessary rigor.
- Regularly train your staff in cybersecurity best practices. IBM suggests that businesses extend this training to suppliers, encouraging them to adopt wide-reaching security best practices against cyber threats.
- Stay on top of cyber risk management policies to adapt to changes in compliance and evolving threats from internal and external sources. Cybersecurity is never a one-off but an ever-changing set of practices that ward off risk.
While many of these activities focus on the business’s IT network, the steps necessary to protect the supply chain must extend to a rigorous vetting process for each of the suppliers you interact with.
Assessing Risk for Third-Party Suppliers in Your Supply Chain
An outsourced supply chain naturally creates risk. Businesses must set proactive policies to ensure each supplier doesn’t subtly undermine security shields.
This process can include looking at your supplier’s suppliers and conducting due diligence around internal controls for external vendors. For example, if the supplier has decent internal controls but does business with a company with weak internal controls, it may put both companies—and you—at risk.
Assessment questions for vendors include:
- Does the vendor have a business continuity plan?
- How quickly will they notify you in case of a data compromise?
- How does the supplier track and mitigate emerging IT vulnerabilities?
- How do they handle configuration management of IT security controls?
- Are employees trained to avoid social engineering attacks?
- How is data encrypted at storage and during transmission?
- How does the vendor handle security through the product life cycle?
- What regulatory rules does the vendor meet?
- What technologies and policies guard their data?
- How often do they conduct risk management activities such as vulnerability scanning or penetration testing?
- Are there any prior data breaches at the company and if so, what have they done to correct those vulnerabilities?
Define risk tiers for suppliers based on the importance of the product to your business and the vendor’s level of IT security controls. Establishing low, medium and high tiers will help determine the amount of risk and your approach to working with each supplier in your supply chain.
When establishing or evaluating a cybersecurity framework for your supply chain, recognize that IT security isn’t just for IT; these processes encompass people and processes as much as the hardware and software you use.
Sikich offers a cybersecurity overlay for your business that evaluates current supply chain strengths and weaknesses; we’ll help you create a roadmap to mitigate risk. Talk to one of our experts today to strengthen the links in your supply chain.