Supply chain security threats are like the flu: Sooner or later, they’re bound to impact you, no matter how hard you try to avoid them.
Indeed, by their very nature, supply chain attacks are more likely to affect large numbers of organizations than most other types of breaches. The majority of cyber threats target individual companies. But a single supply chain attack could impact hundreds or thousands of businesses at once if it compromises software or data within their supply chains.
For proof of just how pervasive supply chain security risks are, you need only look at recent examples. The SolarWinds breach impacted dozens of organizations, including major U.S. federal agencies. The Kaseya breach extended to thousands of businesses spread throughout the world that use Kaseya’s software. Expect more figures like these as the prevalence of supply chain attacks — a threat that one major security research report called “staggeringly high” —continues to grow at rates approaching 400 percent.
That’s the bad news. The good news is that, as explained below, there are effective steps you can take to protect your business from supply chain risks. They won’t completely guarantee immunity from attack, but they’ll go a long way toward mitigating the threat.
Why supply chains are so risky?
The first step in managing supply chain threats is understanding what makes supply chains inherently risky.
The reasons are simple enough: Supply chains typically involve many suppliers, and it’s difficult to maintain visibility into the security state of each of them.
By comparison, it’s relatively easy to secure your own IT assets — meaning those you deploy and manage yourself. But it’s much harder to ensure that your vendors’ and suppliers’ IT environments are secure — especially when you have dozens or hundreds of vendors in your supply chain.
Managing supply chain security: The typical response
The typical playbook for managing supply chain risks includes some basic steps:
- Compliance: Requiring suppliers to adhere to cybersecurity standards like the U.S. government’s NIST framework or the E.U.’s ENISA/ISO can help to reduce the prevalence of threats. But actually enforcing compliance across third-party vendors’ businesses can be difficult.
- Vetting: Businesses often enforce vetting processes for new vendors. That’s good, but it doesn’t guarantee that you’ll avoid risks once a vendor relationship has already been established.
- Cybersecurity teams: Investing in cybersecurity expertise can help harden IT assets against attack. But your own cybersecurity experts can’t do much to protect the assets of your vendors.
These are all useful strategies for managing supply chain risks. But they’re not enough on their own to make your security posture as strong as possible.
Going further to secure the supply chain
Beyond those basic supply chain security steps, businesses should implement additional measures to make their supply chains as safe as possible.
Businesses should implement tight access controls to govern who can access their systems. Access should be defined in a granular way and restricted by the principle of least privilege.
In many countries, regulations ensure that supply chain cyber security is legally required. Companies must comply with a security framework and checklist. Once this checklist is completed the vendor can prove increased controls are in place. While strong access controls won’t prevent risks in your supply chain, they will mitigate the chances that a vendor’s cybersecurity problem becomes your cybersecurity problem.
Given the complexity and scale of modern supply chains, managing their security manually is not feasible in most cases. That’s why it’s wise to invest in tools that are purpose-built to assess and manage supply chain risks automatically, across all vendors’ IT estates.
Maximum visibility and coverage
Along similar lines, businesses should leverage automation technology to maximize their ability to identify and track security risks within their supply chains. This is also a process that you can’t handle manually unless you have a very simple supply chain.
In addition to asking your vendors to be secure, consider providing educational resources that explain exactly how they should secure their assets. These resources could be based on cybersecurity standards that you want to enforce across your supply chain. Your vendor’s transparency should a breach occur could provide valuable feedback to others in that supply chain.
Assess vendor risk
Not all vendors pose the same level of risk. Risks vary depending on which types of data and applications the vendors supply or integrate with, and how important the vendors are to your business.
This means you should contextualize vendor risk and enforce security safeguards accordingly. High-risk vendors may require stronger oversight than those whose assets play a less central role in your operations.
Planning how to respond to a supply chain breach, then practicing the response via cybersecurity drills, goes a long way toward helping ensure a fast and effective resolution when attacks occur. In particular, your response plan and drills should address:
- Business risks: It should be easy to identify which parts of the business are impacted by a breach and what level of risk their disruption poses to the overall business.
- Manual vs. automated processes: Which response processes can be automated, and which will need to be performed manually? You’ll want to answer these questions before the breach occurs.
- Mediation: Which teams or stakeholders will take the lead in managing a supply chain breach? If your organization does not have a CISO in place, then another person from either procurement or the I.T. department could be appointed. Immediate decision-making in a crisis is critical.
- Disclosure: How will you announce a breach to your customers and partners? How much information should you include about the breach? Different types of breaches and vendors may require different disclosures.
Response drills prepare you to remove risky components from your supply chain rapidly with minimal disruption to business operations.
Supply chain assessment
The most secure business is one that continuously assesses its supply chain to identify its weakest links from a security perspective. Again, not all vendors pose the same level of risk, and not all vendors can be assessed in the same way. You must implement an assessment process tailored to your particular supply chain.
As CIO Review explains, “While threats cannot be completely eliminated, supply chain security can contribute to a more secure, efficient flow of goods that can recover quickly from disruptions.”
In other words, the fact that supply chain security is impossible to guarantee completely is not an excuse for ignoring it. It’s absolutely critical to take not only basic steps for defending your supply chain, but also implementing advanced measures — such as practicing responses and automating supply chain visibility as much as possible — that can bring your risks as close as possible to zero.