A CISO's Guide to Supply Chain Cybersecurity

Supply Chain Security Awareness Training

Just-in-Time inventory processes, global supply networks, and increased demand for goods force organizations worldwide to rely on the supply chain. That's why recent supply chain disruptions have had a global impact on every sector of the economy, from healthcare to manufacturing to retail to the public sector. Cybersecurity attacks and incidents have been, and continue to be, a significant cause of supply chain disruptions. In fact, hackers are now focusing on supply chain attacks as a favorite weapon. Ransomware attackers are now targeting the supply chain because of its critical function and because it is flush with money.

Given this reality, CISOs should take the lead on addressing the risk to their organizations from cybersecurity threats related to the supply chain. In this blog, we outline seven key actions that CISOs should take to protect their organizations from supply chain risks.

1. Determine Exposure. CISOs should begin by examining their exposure to supply chain risks. Where does your organization use the supply chain, and what are the related cybersecurity risks and concerns? Are cybersecurity policies and procedures in place to address those risks and concerns? Such assessments can be done manually by security staff or by utilizing risk management tools and services.

2. Implement Security Controls. Protections against bad actors, as well as against intentional and unintentional insider threats from suppliers, are important and depend on having proper security controls in place. These threats can come from external as well as internal sources. Internal threats range from employees who make unintentional mistakes due to lack of knowledge or carelessness, to those who abuse their access privileges for personal financial gain or for other nefarious purposes. Security controls are of critical importance because they are often the only line of defense against cyber-attacks, and they are essential to understanding and measuring the overall effectiveness of an organization's security program. These controls can take the form of electronic controls as well as process-driven controls and manual audit points within each process.

The supply chain is particularly susceptible to these risks. NIST has issued Cybersecurity Supply Chain Risk Management (C-SCRM) guidance for the supply chain. An excerpt follows: “C-SCRM involves identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of ICT/OT product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction). NIST conducts research, provides resources, and convenes stakeholders to assist organizations in managing these risks.”

3. Map Data. To ensure supply chain security, you must know your organization's data and how it is used and shared. It's essential that all data is identified, located, and properly classified. Sensitive data is subject to various regulatory compliance requirements, which need to be followed by organizations in various industries (e.g., HIPAA for healthcare, GLBA for banking and financial institutions, SOX for public corporations, and NERC CIP for electric power entities). Regulatory compliance requirements are frequently evolving, as well as varying by nation-state and jurisdiction, which makes it challenging for CISOs to stay current with regulatory and statutory requirements.

4. Secure Data. Sensitive data needs to be secured while it is stored (at rest) and also while it is transmitted (in motion) between business associates and customers. This can be strengthened by implementing controls such as full disk encryption and encrypting network traffic through the use of SSL/TLS, Virtual Private Networks (VPNs), and other network encryption protections. Validating the identity of each party in a business transaction is vital to the trust relationship that enables business to be conducted successfully and profitably.

5. Secure Technologies. A diverse array of technologies is used in enterprises today (e.g., cloud services, BYOD and IoT devices, and automation), each with vulnerabilities that can be exploited. CISOs should develop a technology map that lays out the portfolio of technologies in use and, for each technology, the devices, services, and users involved. Regular reviews should be conducted to ensure secure configuration, software and hardware updates, and backups of data. Reports should be generated recording technology status and any known vulnerabilities that have not been addressed.

6. Secure Access Points. Organizations work with the supply chain by both sharing data and providing access to their systems and services. One critical security protection is implementing Identity and Access Management (IAM) processes to ensure that only properly permissioned users can access the data they need. Another critical security protection is the use of multi-factor authentication. A third protection is the regular review of the access granted to both privileged vendor accounts and end-user accounts.

7. Identify and Monitor Suppliers. Aside from managing your organization's internal cybersecurity, the cybersecurity of your suppliers is critical. Put cybersecurity standards and policies in place for third-party suppliers. Vet potential suppliers by conducting security assessments to confirm they meet your security criteria. For new suppliers, create an onboarding process that not only implements identity management and secure access, but also informs them about your cybersecurity expectations and procedures.

The cybersecurity of third-party suppliers is an ongoing process that must be managed. Consider implementing third-party risk management and assessment programs. Conduct annual reviews to ensure suppliers continue to meet your security standards. Security controls can also be validated through the use of security attestations such as SOC 2 and other audit processes. Terminate relationships with suppliers that fail to meet security controls or to remedy noncompliance in a timely manner.

In summary, supply chain cybersecurity risk is a growing concern in 2022 and is top of mind for CISOs in every economic sector. The role of the CISO will be critical in providing both insight and guidance into supply chain security. Our goal with this blog is to inform and educate CISOs about supply chain cybersecurity risks and provide steps they can take to manage these risks.
