Most of the time when people hear about cyber-security and data breaches they immediately think of the high-profile attacks that have made national headlines in recent years: the ‘big ones’ that make the nightly news. Supply chain cyber-security issues, by contrast, get little attention from the general public, but the risks are very real thanks to all of the interconnected players, from transportation and distribution to procurement and manufacturing.
In a supply chain, every player has its own network that needs to communicate with the others, but each may have different security policies or be running legacy IT equipment and infrastructure, so not everyone is necessarily on the same page. And with the increased focus on the Industrial Internet of Things (IIoT) for supply chain management, supply chains and manufacturing assets have become a target for malicious hackers, who could, for example, access your network through an office printer.
Once inside your network, a hacker can move around laterally until they reach your high-value assets and applications. So, for example, if you’re a chip manufacturer and you’ve been breached, the hostile actor could alter the circuitry and install malware, so that once a customer connects the device to their network it unknowingly opens a back door through which the attacker can access private company or personal information to steal, manipulate, or hold for ransom. Say hello to the cyber supply chain and its inherent threats.
U.S. companies face the greatest risk
The stark reality is that we don’t hear about much more than the occasional large-scale, high-profile data breach, but, according to Juniper Research, by the year 2023 over half of all global data breaches will happen in the U.S. While that number is staggering, what’s even more surprising is how many individuals and organizations think it won’t happen to them and won’t necessarily act until it does. And I’m not singling anyone out here; it’s getting to the point where even educating the next generation of the ‘cyber workforce’ has become an urgent problem.
The point is that cyber-security has almost quietly become the great equalizer: we’ve all been in, or will be in, the crosshairs of a breach. That simple truth is what is called an ‘assume breach’ mentality, where it’s not a question of if you’ll get breached but when. That’s a major, critical shift in overall strategy and approach from years past.
Security can’t rest on its laurels
So where am I going with all of this? Well, consider an agency that provides supply support as well as technical and logistical services to the Department of Defense (DoD). Should that agency have its network compromised to the point where it can’t coordinate the shipping, logistics, and tracking of goods and services to soldiers in the field, for example, it could mean they don’t get the resources they need when they need them, everything from food and medicine to mobile devices and field equipment.
A potential scenario like this is exactly why organizations and institutions have well-thought-out strategies for evaluating their vendors and suppliers, covering everything from documented requirements and process audits to quality audits and attestation. And while these are absolutely necessary steps to take, thinking about the supply chain end to end in terms of security standards, integration, policies, and best practices often seems stuck in the status quo of years ago, so compliance, for example, is no longer an effective cyber-security strategy on its own. Even firewalls are no longer as effective as they used to be thanks to cloud adoption, IoT products, and mobile devices.
Welcome to the flat, connected world of today’s networks
Networks – at your organization, a partner’s organization, or a customer’s organization – have become what we like to call ‘flat’. Think of your network as east-west where applications and data are on a level playing field and are all talking to each other, sharing information, and making everything more efficient because of it.
But as with most things, there’s always a catch – the strength of a flat network is also its primary weakness. Flat networks are hyper-connected so it’s become easier for malicious actors to sneak into your network through something as small and seemingly inconsequential as a printer and move around laterally – sometimes going unnoticed for months and months – until they reach the high-value, critical assets they’re after.
Now imagine you have a flat network, but so does your customer, your shipping company, your ERP provider, and so on. This is when it can get pretty tricky, because sharing critical or private data externally is risky if the third party doesn’t have the same caliber of cyber-security standards, policies, or approach. It is a very real and legitimate concern. Think about:
- The IRS auditing a company and having to share sensitive data and information through different networks
- Working with an off-shore contractor to handle customer service and support where they would need access to private customer information
- Outsourcing HR support to a third party, which would also require sharing private employee info and data
5 steps to assess your own cyber supply chain
The flattening of the IT world has led to the creation of what the National Institute of Standards and Technology (NIST) recognizes as the cyber supply chain: a different type of supply chain with many moving parts, all of which need to be secure. Just like the agency working with the DoD, organizations have nothing but good intentions with regard to security. Yet, at the same time, they are under the same pressures that all companies face, such as resource allocation, adhering to regulations, and being compliant.
Despite potential limitations and trade-offs, I wanted to lay out some initial considerations that you, your vendors, partners, and customers can all reference to ensure your cyber supply chain is in good order:
- The first step is an absolute must: prioritize! Gather together all key stakeholders and identify your organization’s high-value assets – you’d be surprised by how many companies out there don’t know what they are or how to prioritize them.
- Evaluate how your cyber supply chain is connected or related to these high-value, “crown jewel” applications – what current security measures are in place and where?
- Identify partners and vendors who have direct – or almost direct – access to your network or data center (i.e. what specific applications) and to what extent.
- Assess the cyber-security policies and strategies of third-party teams that handle sensitive data to understand whether and how they store, manage, or manipulate it, and within which environments.
- Identify potential solutions that are available and consider segmentation technology, which falls in line with an assume breach mentality by compartmentalizing and isolating threats once they’re inside.
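As an added illustration of steps 1, 3, and 5 (example code, not from the original post), the following Python script models lateral movement over a constructed inventory of hosts: it computes which crown jewels an attacker who has compromised an office printer or a shipping partner’s VPN link could pivot to, and by what path, first under any-to-any flat connectivity and then under a segmented policy that permits only the flows the business needs. All host names and flows are constructed assumptions.

```python
from collections import deque

# Constructed inventory (hypothetical): the crown jewels identified in step 1 and
# the low-trust entry points identified in step 3 for a small chip manufacturer.
CROWN_JEWELS = {"erp-db", "chip-design-repo"}
ENTRY_POINTS = {"office-printer", "shipping-partner-vpn"}
HOSTS = ["office-printer", "hr-laptop", "shipping-partner-vpn",
         "erp-app", "erp-db", "chip-design-repo"]

# Flat network: every host may open a connection to every other host (east-west).
FLAT_FLOWS = {(a, b) for a in HOSTS for b in HOSTS if a != b}

# Segmented network (step 5): only the flows the business actually needs.
SEGMENTED_FLOWS = {
    ("hr-laptop", "erp-app"),             # staff use the ERP front end
    ("hr-laptop", "office-printer"),      # print jobs go *to* the printer; it initiates nothing
    ("shipping-partner-vpn", "erp-app"),  # the partner gets the ERP API only
    ("erp-app", "erp-db"),                # only the application tier talks to the database
}


def lateral_paths(entry, flows):
    """Breadth-first search from a compromised host over the permitted flows.

    Returns {host: shortest pivot path from entry} for every host reachable
    through the flows the network allows (a zone-level lateral-movement model)."""
    paths = {entry: [entry]}
    queue = deque([entry])
    while queue:
        cur = queue.popleft()
        for src, dst in flows:
            if src == cur and dst not in paths:
                paths[dst] = paths[cur] + [dst]
                queue.append(dst)
    return paths


def exposure_report(flows, entries=ENTRY_POINTS, jewels=CROWN_JEWELS):
    """For each entry point, the crown jewels it can reach and the path taken."""
    report = {}
    for entry in sorted(entries):
        paths = lateral_paths(entry, flows)
        report[entry] = {j: paths[j] for j in sorted(jewels) if j in paths}
    return report


if __name__ == "__main__":
    for name, flows in (("flat", FLAT_FLOWS), ("segmented", SEGMENTED_FLOWS)):
        print(name)
        for entry, exposed in exposure_report(flows).items():
            print(f"  {entry}: {exposed or 'no crown jewel reachable'}")
```

Under the segmented policy the printer reaches nothing, but the partner link still reaches the ERP database through the application tier, which is exactly the kind of residual third-party exposure that steps 3 and 4 are meant to surface.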
Once you have gone through this checklist, determine the best way to audit your suppliers and vendors. There are several standards out there, with ISO 9000 being the most widely known for defining, establishing, and maintaining an effective quality assurance system.