Why is your supply chain a cyber risk? This can be answered in two words, human error, also known as insider threats to cyber security professionals.Insider are the risk to your supply chain that you haven't thought of. Click To Tweet
Insider threats include anyone who has privileged access in some way to sensitive data and has the capacity to cause a data breach. Typically when insider threats are discussed they include everyone in an organization, that means the executive suite, managers, and employees at all levels.
Often who is left outside of the discussion are the several suppliers whom a company rely to fulfill their daily mission. In other words our increasingly complex and interconnected supply chain. The reliance on digital services and products means more humans who have access to sensitive data and who have the capacity to cause a data breach. While the free flow of data has allowed businesses to increase efficiency over the last few decades it has also increased the threat surface.
Last year when the global ransomware NotPetya/Petya struck it did so by turning a digital service provider, MeDoc, into a vector to spread itself. Victims were impacted when their MeDoc accounting software was updating and an infected file was transferred from the updater into their networks. The rest is recent history as the second wave of a global cyber attack.
Core Supply Chain Risks
In a best practices briefing published by the National Institute of Standards and Technology (NIST) there are a few key risk areas that organizations need to be aware of in order to cover themselves effectively. Let’s explore some of these together.
All Third Parties & Vendors
Every vendor and third-party organization your company interacts with is a security risk.
As mentioned above they all have other people who are outside of your direct scope of policy control. The examples used by NIST are janitorial services and software engineering. You likely interact with many more. Take any department and examine what external services they rely on to get their job done.
Marketing for example may require an automated marketing service, email manager, client relationship manager, among many more services. Each one of these add a new risk to your organization, especially if they have privileged access to your network.
Poor Information Security Practices Among Suppliers
Aside from the human error risk inherent in every organization there is also the issue of some suppliers having terrible information security practices. These are issues found with inadequate security technology, lack of process improvement, lack of security focused policies. Any supplier who has poor security practice adds a significant threat to your organization.
This is how Target suffered a data breach when their AC supplier was breached which allowed cyber criminals to use the supplier’s privileged account to compromise Target’s network.
Compromised Software/Hardware Purchased from Vendors
While this is self explanatory, the MeDoc incident which let to the global ransomware outbreak was an example of this. MeDoc offered a software which had been compromised, any clients who used the software quickly became the victim of NotPetya/Petya. It impacted even companies such as Fedex.
Software Vulnerabilities in Supplier Systems
While this may seem similar to the point above the difference lies between the product sold and the organizations system itself. A company may have a compromised network but their product may be fine, and the reverse is true. Additionally NIST has mentioned the supplier management software used by vendors or yourself may have it’s own vulnerabilities.
Malware Embedded Hardware
NIST has made it a point to address the issue of counterfeit hardware on the market and organizations who may come into contact with them. The hardware has the intention of putting dupes into the market and it is often malicious.
It may get an individual but the jackpot for a cyber criminal is to have an organization acquire and use the malicious hardware. Right now for example an video card prices are inflated due to the bitcoin rush, so organizations may seek out shortcuts. In 2015, it was discovered that malware was able to hide completely on video cards. Right now would a great time for cyber criminals to take advantage of organizations looking for discounted parts.
Third Party Data Aggregators & Storage Solutions
This risk area includes services such as Google Drive and Dropbox, but even more so it includes the rise of recent security services. Since the rise of ransomware there have been third parties offering ransomware protection which are essentially storage services. Any organization that aggregates or stores sensitive data is an additional risk which can compromise your organization.
Best Practices for a Secure Supply Chain
Ensuring there is a security across your supply chain helps to develop brand integrity and accountability to stakeholders. While developing a secure supply chain can seem like a daunting task it does not have to be.
Below you will find a few best practices that have been recommended straight from NIST and employed to a more stringent degree by defense agencies.
Supplier Security Requirements
Often when companies enter into agreements with suppliers there are a number of quality requirements they need to meet such as ISO standards and any compliance minimum standards.
However it is in the process of vetting suppliers that companies can determine who will be able to meet their security needs. The quickest way to do this is the establish a set of cybersecurity and/or physical security requirements. NIST recommends evaluating the following security processes while vetting your suppliers:
- Security Governance
- Manufacturing/Operational Security
- Software Engineering and Architecture
- Asset Management
- Incident Management
- Transportation Security
- Physical and Environmental Security
- Personnel Security
- Information Protection
- Sub-tier partner security (lower tiers, service providers, cloud)
It also helps if you take the time to do an occasional audit to ensure your suppliers are on top of their security. Security requirements should be set and included into every RFP and contract you agree to.
Include the Procurement Officer
If there are cyber security meetings in a company often it may be between the core managers: CIO, CMO, COO, HR, CFO, and of course the CEO. Missing from the conversation is often the Procurement Officer/Contracting whose team is often the liaison between your company and all of your suppliers. Without procurement there to understand the risks to the company security may not translate well when it comes to implementation. Even if you do not have any dedicated to information assurance or insider threats, bringing the the procurement officer can mitigate insider threats from suppliers.
Develop Very Tight Access Controls
Make sure suppliers are restricted to the absolute minimum access necessary to perform necessary tasks on your networks. If they are hardware vendors ensure they have no access to control systems. The number of vendors who require access should be limited, only outsource if you cannot do it yourself. This is of course part of a vendor management program that should be developed in your organization if you do not already have one.
Develop a Security-Based Vendor Management Program
Vendor management programs are a series of security processes that are built for accountability and monitoring between your organization and the vendors you work with. While many organizations have some form of managing their suppliers often the case is that they are not based on maintaining the security and integrity of data. Vendor management programs consist of four distinct phases: definition, specification, controls, and integration.
- Definition Phase:
The first phase involves identifying the mission-critical vendors that work with your organization. You will know which vendors these are vendors because one data breach or relationship issue could have significant impact on your companies continued operations and bottom line.
The second phase is primarily concerned with appointing a security liaison. The liaison could be someone from procurement but they must have knowledge of cybersecurity. The security liaison will act as a go between for your organization and the vendors they’re assigned to. Their responsibilities are to maintain compliance, perform audits, facilitate security communications, provide security training, track all vendor documentation, and general vendor oversight.
- Controls Policy:
Controls are what vendors must follow to engage in any sort of business with you. Your controls should at minimum include: the right to audit security controls, requirement for vendor compliance with monitoring, security performance reporting, and timely notification of any data breach. Some of these controls may be required for regulations such as HIPAA, so make sure your control policy is in line with regulatory compliance that you must meet.
It is important to ensure you already have some form of an insider threat security program at your organization. Supply chain security will need to integrate with existing security policies and auditing procedures. You should not base your security program on the vendor management program alone. This is a job that will require the coordination of the Procurement Officer, COO, and CIO.
Modern data enhanced supply chains are a bigger supply risk than ever before in the past. This is mainly due to the all the various people now involved who have the responsibility of protecting sensitive data. Even if an organization has the best technology available in their organization, it will always be a person who causes the data breach to happen. Make sure you are including your supply chain in your risk assessments.