The supply chains of today’s global economy rely heavily on technology and information systems to deliver finished goods and services to the end user. However, for all the benefits of a hyperconnected economy this introduces, supply chains also carry with them a high degree of risk.
Systems typically have vulnerabilities which, if exploited by cybercriminals, can have a far-reaching impact. Attacks on the supply chain have risen by over 600%, according to a recent study by Interos, and groups of threat actors (like Magecart) are leveraging supply –chain-specific exploits that make headlines with high-profile attacks.
It’s no wonder that securing the digital supply chain has become a high priority for organizations who want to avoid disruption, protect sensitive data, and prevent brand damage.
Securing Your Partners
Enterprises should begin by identifying and understanding the risks brought in by each of their business partners. Security leaders need to assess the security controls in place, the mitigating and compensating controls, and how each vendor monitors their risk posture. This needs to be done for each business partner — there can be no weak link.
Typically, this is done by asking each partner to fill out a questionnaire, which can vary from a couple dozen questions to over one hundred. While potentially tedious, the purpose is to understand the risk of doing business with a particular partner and determining whether or not to accept that risk. Some companies are even issuing a “FICO score for cybersecurity”, which assigns a safety rating to each party.
Securing Your Own Organization
Organizations should also assess their own security culture. Every organization has within their security strategy prevention and detection controls. However, it is vital to continue to improve the culture of security awareness as human error continues to be one of the top drivers of a breach. In fact, 74% of all breaches are due to the human element, according to the 2023 Verizon Data Breach Investigation Report (DBIR).
One of the best ways to combat human error is with education. At this point, there is still much to learn about securing your enterprise from outside risks. Security awareness training for third-party risk management can help you understand the security shortcomings of a potential partner before taking on that risk.
Similarly, in-house security awareness training can help companies make sure they are not the ones putting others at risk. These programs identify and improve areas of security weakness so that employee behaviors don’t become a liability for the company or any of its partners downstream. This may entail adding phishing simulations, implementing new ways of engaging employees, and modifying communication strategies regarding current tactics being used by bad actors.
Companies should also take note of how their security team engages with the business. This will reveal if they are treated as functional partners, or if there are silos causing employees to view cybersecurity issues as an “IT only” problem.
Currently, the top areas of supply chain weakness involve cloud storage, databases, and compromised credentials. Those are areas touched every day by everyday employees, so it is those same employees that need to do the work to interact with those things safely. Improving the overall security culture will greatly reduce the chance of compromise as employees learn the warning signs of danger.
Securing Your Software Development Cycle
The software development process is another area that should be assessed within the context of a secure supply chain.
This is an area which will demonstrate if the security team is perceived as a valuable business partner or an inhibitor. For example, open-source code is popular to use as it can fast-track projects. However, there are no guarantees that open-source libraries have had proper security inspection.
If there is a good relationship, the business will engage the security team early in the process. They see the value in doing application security testing early because it surfaces vulnerabilities that teams can patch. This sets a course for them to then continue the process throughout the development cycle.
However, if security doesn’t get engaged until the end of the cycle, it’s usually a sign that either something is broken within the process or that security practices aren’t adequately valued. By engaging security only at the end, there is the risk of delays due to critical vulnerabilities. These flaws need to be patched, and this can lead to other issues such as delays in delivery and strained relationships between the business and the security team.
Enterprise Security Is Now a Team Sport
Supply chain security isn’t new, and most security leaders are going to struggle with it. Up until a few years ago, it may have even been a manageable affair. However, with the tech boom of the past few decades and the accelerated pace of the digital revolution, it is a problem that is growing bigger every day.
While secure supply chain management is something that will never be perfect, it’s up to each organization to do their due diligence before entering into business partnerships. A company’s fate becomes the same as its least protected partner, so vetting for cybersecurity weaknesses before signing the contract is an understandable and necessary part of doing business today.
That is why it is every organization’s responsibility to assess not only their partners, but themselves. In a digitally connected supply chain, what happens to one can affect everyone else. Companies should hold all partner organizations to high standards of industry security and expect the same of their own teams. After all, they may be part of someone else’s supply chain.
