Businesses rely on third-party shippers, outsourced customer support agents, and other independent contractors. The involvement of such third-party vendors has increased over the last couple of years. The fragmented business ecosystem makes such independent vendors integral to the ecosystem. But such supply chain partners also pose huge cyber risks for the business. Compromising the partner’s software offers cybercriminals access to all enterprises using the software. This tech blog discusses the ways to ward off such supply chain cyber security risks.
An average enterprise shares data with 730 vendors. Businesses providing network access to partners become vulnerable to malware targeting such suppliers. 53% of enterprises that share data with third parties have experienced at least one data breach. About 44% of enterprises suffered a breach within the previous 12 months. The breach occurred in three out of four companies because of privileged access to third parties.
The leading causes of cyber breaches from supply chain partner sources include:
- Cybercriminals hack the partner’s email and send malicious emails from a trusted source. Such malicious links lead to ransomware or other malware.
- Security breaches at partner servers expose sensitive data. Cybercriminals may, for instance, steal login credentials to access the company network. They log in as authorized users to circumvent security controls and wreck damage.
- Spyware and data loggers at the partner’s end steal unencrypted data from the company.
- Supplier frauds. Cybercriminals use deepfake technologies or AI-generated voicemails to impersonate known supply chain partners. They may make requests such as changes to payment processes.
A good supply chain risk management strategy identifies, prioritizes, and mitigates threats.
1. Ensure minimum security baseline with MVSP
Most businesses lay down security baselines for vendors. But such baselines often have many holes. And in any case, lack of standardization renders the protocols non-implementable. Vendors, who usually supply multiple businesses, must follow numerous requirements. When they slip up, errors increase, and the ever-preying cyber criminals use the vulnerability to attack.
One solution is Minimum Viable Secure Product (MVSP), a vendor-neutral checklist. MVSP is the brainchild of Google in collaboration with Slack, Salesforce, and Okta.
MVSP offers a simple minimum acceptable security baseline for vendors and third-party contractors. It addresses authorization, password policies, vulnerability reporting, backups, and patching recommendations.
Engaging the MVSP helps vendors run a tighter ship, reducing the chances of breaches. It also decreases security overheads.
2. Establish compliance standards
Establish compliance standards for suppliers, distributors, and other third-party vendors with network access.
Industry-level standards already exist in the finance and healthcare sector. The best example is the Payment Card Industry Data Security Standard (PCI-DSS). Other general frameworks include Capability Maturity Model (CMM), ISO 9001, and SOC 2.
- Clearly understand the regulations and standards the company and vendors must meet.
- Make trade-offs between standards and business realities. Several frameworks, especially Common Criteria, and FiPS-140 accreditation are costly. Adopting such standards could turn counterproductive and drive critical, cost-effective suppliers away.
- Review service level agreements (SLAs) for each third party to ensure compliance mandates.
3. Innovate a risk management framework
The minimum baselines and compliance standards offer the foundation for supply chain security. But each enterprise still needs a robust strategy for its supply chain and other partners. A one-size-fits-all approach doesn’t work, as each enterprise has unique supply chain challenges. The onus is on the enterprise to indulge in security innovation.
- Create or revise vendor risk management policy. Draft detailed descriptions of the procedures and processes for each step in the supply chain. Brainstorm to identify the potential risks.
- Create a risk management plan that covers solutions to specific and broader network-level risks. Prioritize the type and nature of risks based on the propensity to affect the business.
- Document data ownership and data stewardship standards. Make explicit who owns specific data and what they can do with it.
- Focus on trust over legal requirements for reporting. When trust develops between supply chain partners, they disclose breaches more than what they are bound to. Ways to improve trust include timely payments, seamless communications, and transparency.
- Work with supply chain vendors to develop a unified disaster recovery plan.
Consider the example of Levi Strauss. The company demands its software vendors show auditable proof of a security framework. The company does not dictate any specific framework. Instead, they seek commitment to documenting the security controls and practices.
4. Monitor and control the network
Cyber attackers attack at will. Enterprises need robust, real-time network monitoring tools to ensure foolproof security.
- Deploy network monitoring tools. Advanced network monitoring tools identify anomalies and issue real-time alerts. Connected incident response tools take quick remedial measures.
- Set up advanced cybersecurity measures such as DNS filtering and network access controls.
- Run proactive checks of all systems for loopholes.
- Enforce multi factor authentication. Passports have become ineffective in securing customer data for a few years now. The 2020 Verizon Data Breach Investigations Report attributes stolen and weak credentials to 37% of all credential theft breaches.
- Restrict access on the principle of least privilege. This approach prevents software from communicating with malicious command and control servers.
- Review privileges. Revoke privileges immediately when the relationship with the company ends.
5. Conduct periodic risk assessments
Conduct periodic supply chain risk analysis to determine the nature and extent of risks along the supply chain. Classify contractors by risk and access level.
- Establish metrics to measure risk. Such metrics may be qualitative or quantitative, depending on business needs.
- Assign each risk a risk level and categorize supply chain risks by type. Generally, deal with the highest-level threats first, and work down the list according to risk priority. For each risk, decide whether to accept, reject, transfer or mitigate the risk. For supply chain risk, sometimes the best plan might be to find another, less risky vendor.
- Query third-party contractors and vendors with risk management questionnaires.
- Review documentation of third-party vendors as an alternative to questionnaires.
- Audit third parties with high levels of risk. Make such audits mandatory through service-level agreements.
6. Consider the human element.
The integrity of the supply chain depends on the people handling it. A good supply chain cyber security plan is complete with due consideration of the human element.
- Assemble a committed cross-functional team. Empower the team to identify, analyze, prioritize, and mitigate supply chain risks. These teams may include members from IT, operations, and other functional departments.
- Provide comprehensive security awareness training for all employees. Extend the facility to connected vendors and other ecosystem partners. Network integrity depends on the workforce, including independent contractors and vendors, remaining alert.
Enterprises that manage their supply chain well keep cybercriminals at bay. But supply chain security is not an IT problem only. Effective solutions depend on a proactive, coordinated effort involving all stakeholders. Smart companies devise a holistic strategy by understanding what their customers expect.
Here are the top seven cyber security predictions for 2023.