Among the various challenges inherent in today’s complex supply chains, cybersecurity is one of the most pressing. All the work your IT team does to secure company network and systems means little if a third party has been lax in defending against cybercrime.
A supply chain is a multi-party ecosystem, involving many vendors and suppliers who may have access to your business’s IT infrastructure. These interconnections can help immensely in bringing about increased efficiency and expediting processes. Yet these connections also increase the attack surface, giving cybercriminals more possible entry points into your systems.
In July 2018, for instance, an engineering service provider that had not restricted access to one of its servers risked exposing sensitive data belonging to more than 100 of its partners, among them auto manufacturers and parts companies. Those companies could have had the fiercest firewalls and cybersecurity protections in place internally, but the vendor still put the information at risk.
As the Information Security Institute (InfoSec) puts it, “Cybersecurity of any one organization within the chain is potentially only as strong as that of the weakest member of the supply chain.”
Best Practices for Cybersecurity in the Supply Chain
A supply chain attack is also known as a value-chain or third-party attack. These attacks are growing more common as an increasing number of suppliers and service providers share data and information, as well as system or network access. Be proactive in protecting against cybercriminals with these six best practices:
1. Inventory Data Access
You can’t protect your data, applications, systems, or network unless you have a clear idea of who has access to these entities. Audit your third-party relationships to determine just how interconnected you are. What data and systems do you share? According to a 2018 Ponemon Institute survey, “Only 35% of companies had a list of all the third parties they were sharing sensitive information with.”
Target, for instance, was blindsided in 2014 when lax security at its HVAC vendor led to a massive breach. Attackers used credentials stolen from the vendor to break into the retailer's network and steal the personal data of 70 million customers along with 40 million credit and debit card records.
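The inventory step above is easier to keep honest when it is a record you can query rather than a spreadsheet nobody reopens. The following Python script is an added example, not code from the article or from any vendor it names: it audits a constructed list of third-party access grants and flags the gaps the section warns about (sensitive data shared with no accountable internal owner, access that has never been reviewed, and access whose last review is older than a policy window). The `AccessGrant` fields, the 180-day `REVIEW_WINDOW_DAYS` value and all vendor names are assumptions chosen for the illustration.

```python
"""Third-party access inventory audit (added example, not from the article).

Constructed inventory: each record says which vendor holds what kind of access
to which internal system, how sensitive the shared data is, who internally is
accountable for the relationship, and when the access was last reviewed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

REVIEW_WINDOW_DAYS = 180  # hypothetical policy value: re-review every 6 months

SENSITIVE = {"confidential", "regulated"}


@dataclass
class AccessGrant:
    vendor: str
    system: str
    data_class: str            # "public", "internal", "confidential", "regulated"
    owner: Optional[str]       # internal team accountable for this vendor
    last_review: Optional[date]
    access_type: str           # "api", "vpn", "sftp", "saas-integration"


# Constructed sample data; vendor and system names are placeholders.
INVENTORY = [
    AccessGrant("Acme HVAC", "building-mgmt-vpn", "internal", "facilities", date(2018, 1, 10), "vpn"),
    AccessGrant("PartsCo", "erp-api", "confidential", None, date(2018, 6, 1), "api"),
    AccessGrant("PayProc", "payments-sftp", "regulated", "finance", None, "sftp"),
    AccessGrant("DesignLtd", "cad-share", "confidential", "engineering", date(2018, 7, 20), "sftp"),
]


def audit(inventory: List[AccessGrant], today: date) -> List[Tuple[str, str, str]]:
    """Return (vendor, system, finding) tuples for every grant that fails policy."""
    findings = []
    cutoff = today - timedelta(days=REVIEW_WINDOW_DAYS)
    for g in inventory:
        # Sensitive data shared with nobody internally on the hook for it.
        if g.data_class in SENSITIVE and g.owner is None:
            findings.append((g.vendor, g.system, "sensitive access with no accountable owner"))
        # Access that was granted but never looked at again.
        if g.last_review is None:
            findings.append((g.vendor, g.system, "access never reviewed"))
        elif g.last_review < cutoff:
            findings.append((g.vendor, g.system, f"last review older than {REVIEW_WINDOW_DAYS} days"))
    return findings


def vendors_with_sensitive_access(inventory: List[AccessGrant]) -> List[str]:
    """The list the Ponemon statistic says most companies cannot produce."""
    return sorted({g.vendor for g in inventory if g.data_class in SENSITIVE})


if __name__ == "__main__":
    for vendor, system, problem in audit(INVENTORY, date(2018, 8, 1)):
        print(f"{vendor:10} {system:20} {problem}")
    print("vendors holding sensitive data:", vendors_with_sensitive_access(INVENTORY))
```

Run against the constructed inventory on 2018-08-01, the audit reports three findings (Acme HVAC's review is stale, PartsCo holds confidential data with no owner, and PayProc's regulated access has never been reviewed) and lists the three vendors that hold sensitive data. In practice the inventory would be exported from an identity provider or vendor-management system rather than typed in by hand.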
2. Ask Cybersecurity Questions
Don’t assume that other organizations are going to handle cybersecurity to your standards. Develop a clear policy internally about what information or access will be shared, how it will be monitored, and what security promises will be demanded. Talk to your partners to find out what they are doing to protect against vulnerabilities. If they can’t answer cybersecurity questions to your satisfaction, you might want to take your business elsewhere.
Considering the cost of downtime and the negative impact a data breach can have on your brand reputation, it may be worth it to shop around for a supplier with high standards for cybersecurity. Gartner research suggests that the average cost of network downtime is $5,600 per minute, or about $300,000 per hour.
3. Monitor Continuously
Cybersecurity isn’t a one-and-done deal. Threats and vulnerabilities evolve. Technology needs to be updated and patched. So, it’s important to establish a process for continuously monitoring data management and network security. This is necessary internally, of course, but it’s also smart to encourage your vendors to conduct and report on regular checks of their own systems too.
According to Ponemon, “56% of organizations have had a breach that was caused by one of their vendors.” The good news, though, according to this study, is that “If a company evaluates the security and privacy policies of all its suppliers, the likelihood of a breach falls from 66% to 46%.”
4. Vet Third-Party Products
Your organization also needs to verify the security controls in place for any products used in the supply chain. To illustrate, consider this example: in 2015, Lenovo laptops shipped with preinstalled software that contained a man-in-the-middle (MITM) vulnerability. Any security controls installed afterward could do little about it, because the vulnerability was already present in the software when the machines left the factory.
In another instance of cybercrime, Dragonfly malware targeted the pharmaceutical sector in 2014, replacing legitimate files on a pharmaceutical supplier's website with malicious software that would take over any system on which it was installed.
These examples support InfoSec’s argument that organizations must “Be clear about the environment in which their supply chain works, what are all the products in use, and what is the connectivity with the outside world.”
5. Change Default Passwords
Always change default passwords for any technology or tool connected to your network and systems. A wireless modem, for instance, that still uses the manufacturer's default password is vulnerable to attack, as the default is the first thing a cybercriminal will try.
“Hackers are smart. They go for the path of least resistance,” Fred Kneip, CEO at CyberGRX, told CSO Online. Any cloud-connected device in the new Internet of Things is an open channel for hackers if you don't take precautions.
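A policy of changing default passwords is only as good as your ability to find the devices that never got the change. The Python below is an added example, not from the article or from any vendor it mentions: it is a defender-side audit over a constructed device inventory in which each device stores a salted PBKDF2 hash of its admin password. For every device it rehashes the known default passwords for that model with the device's own salt and reports the devices whose stored hash still matches a default. The device models, salts, the `KNOWN_DEFAULTS` placeholder strings and the iteration count are all assumptions; no real vendor default appears.

```python
"""Default-credential audit over a device inventory (added example, not from
the article).  Only hashes are compared; the inventory never stores plaintext.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List

ITERATIONS = 100_000  # hypothetical policy value for PBKDF2


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the same derivation the inventory uses to store hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass(frozen=True)
class Device:
    name: str
    model: str
    salt: bytes
    admin_hash: bytes


# Constructed mapping of device model to the password(s) that model ships with.
# These are placeholder strings chosen for the example, not real vendor defaults.
KNOWN_DEFAULTS: Dict[str, List[str]] = {
    "wifi-modem-x1": ["default-x1-placeholder"],
    "plc-gateway-9": ["default-plc-placeholder", "setup-plc-placeholder"],
}


def build_inventory() -> List[Device]:
    """Constructed sample inventory: two devices still on defaults, one rotated."""
    s1, s2, s3 = b"salt-modem-01", b"salt-gw-07", b"salt-modem-02"
    return [
        Device("modem-01", "wifi-modem-x1", s1, hash_password("default-x1-placeholder", s1)),
        Device("gw-07", "plc-gateway-9", s2, hash_password("setup-plc-placeholder", s2)),
        Device("modem-02", "wifi-modem-x1", s3, hash_password("Rotated!Unique#pw-42", s3)),
    ]


def audit_defaults(inventory: List[Device], defaults: Dict[str, List[str]] = KNOWN_DEFAULTS) -> List[str]:
    """Return the names of devices whose admin password still equals a shipped default."""
    flagged = []
    for dev in inventory:
        for default in defaults.get(dev.model, []):
            candidate = hash_password(default, dev.salt)
            # Constant-time comparison, as for any password-hash check.
            if hmac.compare_digest(candidate, dev.admin_hash):
                flagged.append(dev.name)
                break  # one match is enough to flag the device
    return flagged


if __name__ == "__main__":
    for name in audit_defaults(build_inventory()):
        print(f"{name}: admin password still matches a vendor default, rotate it")
```

Against the constructed inventory the audit flags `modem-01` and `gw-07` and leaves `modem-02` alone. The same structure works for any credential store that keeps salted hashes; the only model-specific input is the list of shipped defaults, which should come from the vendor's documentation for the models you actually own.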
6. Train Your Team
Educating your users about password management and other risky behaviors can help your organization avoid cybersecurity issues. An IBM Cyber Security Intelligence Index report found that “95% of all security incidents involve human error, from following links to phishing scams to visiting bad websites, enabling viruses and falling victim to other advanced persistent threats.”
Discuss potential attack and phishing scenarios, and outline best practices that your employees can implement to protect the company, your customer information, and their own sensitive data.
Protecting Your Supply Chain From Cybercrime
The supply chain represents many possible entry points for cybercriminals. Staying vigilant and implementing best practices can make all the difference as you navigate today’s ever-shifting, increasingly interconnected industrial landscape.
Image Credit: vs148 / Shutterstock.com