Did you know that roughly 80% of cyber attacks originate from an organization’s supply chain? It gets worse from there: most of these attacks involve compromised credentials or malicious insiders. High-tech manufacturers, like every organization, need to push security higher up on their to-do list.
Some of the most high-profile cyber attacks that resulted from poor supply chain security include Target, Home Depot, and even the U.S. Office of Personnel Management. Those are the most highlighted cases; other attacks have also hit Wendy’s and many other fast food providers. No organization is immune.
Such attacks could’ve been prevented. Although some businesses feel that supply chain security falls outside their scope of responsibility, this is simply not true. As data has been digitized across supply chains, security requirements must change as well. Security has moved away from perimeter security alone to fully integrated network security. Insider threats are the most significant concern in securing data. Simply having a firewall will not do anymore.
As we approach 2018, below are six best practices – recommended from resources that include the National Counterintelligence and Security Center (NCSC), the Department of Homeland Security, and various private sector firms – that should be top of mind to help you create plans and processes to keep sensitive data safe in your supply chain.
Review your internal security
Before engaging suppliers there needs to be assurance that good information security policies are in practice in your organization. This means reviewing your access policies, your data classification, and your risk areas, and ensuring you have a strong insider threat program established. While it's almost common knowledge to establish perimeter security measures such as a firewall, many companies fail to review their own internal threats. Why the focus on insiders? Because vendors often have access to sensitive areas of information in your organization: if a vendor’s credentials are compromised, then your data is compromised too. For more on insider threat risk mitigation you can visit CERT to learn what practices you can apply to your organization. Your own internal security is the only area of security in your supply chain that you have direct control over, so make sure data is as secure as possible while it is in your hands.
Reserve a seat for your procurement officer
When organizations discuss cyber security, one of the things that tends to happen is that security meetings only have security officers present. If you have an officer for physical security, the CEO, Information Assurance, and even an officer in charge of insider threats at the meetings, but no Procurement Officer, then you create a risk. If the procurement officer is not sharing their supply chain updates, or is not receiving guidance on how security should be implemented in the supply chain, then you have an inherent risk of a data breach.
Establish a vendor management program
After you’ve reviewed your processes and communications the next step is to ensure you have a vendor management program established. Vendor management programs are a series of security processes that are built for accountability and monitoring between your organization and the vendors you use. They consist of four distinct phases:
- Definition: The definition phase involves identifying the vendors that are most mission-critical to your organization. These are vendors for whom a breach or relationship issue could have a significant impact on operations and revenue.
- Specification: This phase involves naming a security liaison. This person acts as a go-between for your organization and the vendors they’re assigned to. The responsibilities of this liaison are to maintain compliance knowledge, perform audits, facilitate security communications, provide training, track contracts and all documentation, and general oversight.
- Controls policy: Controls are what vendors must follow to engage in any sort of business with you. These should at minimum include: the right to audit security controls, requirement for vendor compliance with monitoring, security performance reporting, and timely notification of any data breach.
- Integration: Supply chain data security needs to integrate with your organization’s existing information security practices and auditing procedures. Make sure it’s not a program that is happening on the side.
Focus on user behavior analytics (UBA)
One cyber security practice that provides the strongest return on investment is user behavior analytics (UBA). Essentially, UBA establishes a baseline profile of behavior for both individual users and your entire network. Once a baseline has been established, deviations from it are tracked and administrators are notified. Risk profiles can also be established for users or departments. If a vendor’s credentials are compromised, the account will no doubt behave differently while on your network. With this technology, you will be informed immediately. If your vendor’s security fails, your own security processes will still be able to identify a breach.
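To make the baseline-and-deviation idea concrete, here is an added example (not code from the original article or from any UBA product) that builds a per-user baseline from a short window of access logs and then scores new events against it. The log format, the account and host names, the three deviation signals (off-hours activity, a new source host, a new resource) and the alert threshold are all constructed assumptions for illustration; a real deployment would tune these against its own data.

```python
"""Minimal user behavior analytics (UBA) check: learn a per-user baseline
from historical access logs, then flag new events that deviate from it.
Hypothetical example with constructed data; not a production detector."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed baseline window. Format: "<ISO timestamp> <user> <host> <action> <resource>"
BASELINE_LOG = [
    "2017-11-06T09:12:00 vendor_acme vpn-gw-1 read erp/orders",
    "2017-11-06T10:40:00 vendor_acme vpn-gw-1 read erp/invoices",
    "2017-11-06T14:05:00 vendor_acme vpn-gw-1 write erp/orders",
    "2017-11-07T09:30:00 vendor_acme vpn-gw-1 read erp/orders",
    "2017-11-07T11:15:00 vendor_acme vpn-gw-1 read erp/invoices",
    "2017-11-07T15:50:00 vendor_acme vpn-gw-1 write erp/orders",
    "2017-11-08T09:05:00 vendor_acme vpn-gw-1 read erp/orders",
    "2017-11-08T16:20:00 vendor_acme vpn-gw-1 read erp/invoices",
    "2017-11-06T08:55:00 alice ws-alice read share/eng",
    "2017-11-06T13:10:00 alice ws-alice write share/eng",
    "2017-11-07T09:00:00 alice ws-alice read share/eng",
    "2017-11-07T17:30:00 alice ws-alice read share/eng",
]

# Constructed events to score against the baseline.
NEW_EVENTS = [
    "2017-11-09T10:02:00 vendor_acme vpn-gw-1 read erp/orders",  # matches baseline
    "2017-11-09T03:14:00 vendor_acme vpn-gw-1 read hr/payroll",  # off-hours + new resource
    "2017-11-09T09:40:00 alice ws-alice read share/eng",         # matches baseline
    "2017-11-09T13:00:00 alice ws-bob read share/eng",           # new host only
    "2017-11-09T04:00:00 svc_backup db-01 read erp/orders",      # account never seen before
]

# Hours that account for less than this share of a user's activity are "unusual".
RARE_HOUR_SHARE = 0.05


def parse(line):
    """Split one log line into a dict; the timestamp becomes a datetime."""
    ts, user, host, action, resource = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "host": host, "action": action, "resource": resource}


def build_baseline(lines):
    """Per-user profile: hour-of-day histogram, hosts seen, resources seen, event count."""
    baseline = defaultdict(lambda: {"hours": Counter(), "hosts": set(),
                                    "resources": set(), "count": 0})
    for ev in map(parse, lines):
        prof = baseline[ev["user"]]
        prof["hours"][ev["ts"].hour] += 1
        prof["hosts"].add(ev["host"])
        prof["resources"].add(ev["resource"])
        prof["count"] += 1
    return baseline


def score_event(ev, baseline):
    """Return (score, reasons): one point per independent deviation signal."""
    prof = baseline.get(ev["user"])
    if prof is None:
        # An account with no history is itself a deviation from the network baseline.
        return 3, ["account has no baseline history"]
    score, reasons = 0, []
    hour_share = prof["hours"][ev["ts"].hour] / prof["count"]
    if hour_share < RARE_HOUR_SHARE:
        score += 1
        reasons.append(f"unusual hour {ev['ts'].hour:02d}:00")
    if ev["host"] not in prof["hosts"]:
        score += 1
        reasons.append(f"new source host {ev['host']}")
    if ev["resource"] not in prof["resources"]:
        score += 1
        reasons.append(f"new resource {ev['resource']}")
    return score, reasons


def detect(lines, baseline, threshold=2):
    """Score each new event; return (user, score, reasons) for those at or above threshold."""
    alerts = []
    for ev in map(parse, lines):
        score, reasons = score_event(ev, baseline)
        if score >= threshold:
            alerts.append((ev["user"], score, reasons))
    return alerts


if __name__ == "__main__":
    for user, score, reasons in detect(NEW_EVENTS, build_baseline(BASELINE_LOG)):
        print(f"ALERT {user} score={score}: {', '.join(reasons)}")
```

Two design points worth noting. A single signal (Alice working from a colleague's workstation) stays below the alert threshold, because any one of these signals on its own generates far too many false positives; it is the combination of off-hours activity with a never-before-seen resource on a vendor account that looks like compromised credentials. And an account with no baseline at all is scored highest, since a vendor or service account that appears out of nowhere is exactly the case a procurement-aware security team wants to hear about first.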
Vet your vendors
Remember including procurement at the table? This is one of the main benefits. They need to ask the right questions before maintaining relationships with existing vendors or establishing relationships with new ones. Very specific security questions should be asked to gain an understanding of each vendor's supply chain as it pertains to your business. Ask vendors for details about their security management program. Be sure to understand exactly how they will keep your data secure. Once procurement has this information, it needs to be reported to the security management team in your company to ensure there is synchronization and understanding.
Create an incident response plan
In the event that there is a data breach as a result of a vendor, you don’t want your organization’s operations to stop. It’s best to establish an incident response plan that integrates your supply chain cyber risks. If there is a breach, what procedures should start immediately to mitigate damage? Afterwards, what will be the response towards the vendor where the breach originated? Your plan shouldn’t be a generic template but a contextualized plan that you’re capable of executing if a breach ever does happen.
Supply chain security should be a priority in any organization now. Cyber security is at once a collective, organizational, and personal responsibility. It needs to be integrated into everything that we do, including our supply chains.