Supply Chain Risk Management is a complex problem that even highly sophisticated organisations—like the Department of Defense—struggle to address.
But while finding a silver bullet solution to eliminate your organisation’s supply chain vulnerabilities may be out of the question, managing those cyber risks is still possible.
Managing cyber risks to your supply chain
Before we get to some solutions, it’s important to understand what cyber risk means to supply chain risk management.
Organisations have been managing risk to their supply chains for decades. Traditionally, this meant finding ways to limit the impact of extreme weather, fires, earthquakes, labour strikes, or other unforeseen hazards associated with running global business operations.
In recent years, the traditional concept of supply chain risk management has expanded to include cybersecurity and cyber risk. The need to incorporate cyber into supply chain risk management is clear: cyber incidents can affect the products or services upon which organisations rely, causing direct business harm.
Managing cyber risk to your supply chain is the process of identifying and mitigating cyber risks affecting the hardware, software, or services that you purchase, acquire, or use from third parties, in order to reduce the cyber risk of your own organisation.
For instance, a cyber incident affecting an important manufacturing facility could result in machines being operationally disabled or the theft of sensitive intellectual property. A cyber incident affecting a critical software or hardware vendor could introduce new vulnerability into your organisation.
Hardware & Software
Any company that sells a product using hardware or software knows how important it is to test products before they hit the market. But, that’s not always easy or possible. Most organisations outsource the creation of components for hardware and software, so they aren’t able to oversee the production process personally. So how do you gain confidence in your vendors’ development processes and have complete assurance that they’ve created the parts you need with good intentions in a secure facility? You don’t.
For example, let’s say I’m the president of a cell phone company. It’s less expensive for me to get my hardware—chips, wires, circuits, and other components—from a company overseas. As such, I do not oversee the production process of the hardware for my phones.
They are all sent to my production facility, where they are assembled. Again, I don’t oversee that process. The phones I create are smartphones, so once they’re on the market, I let third parties create applications and sell them to other phone users.
Since I don’t have a hand in creating these applications, how do I (and those who have purchased my phones) know that the developer hasn’t rigged the application to steal personal data and information from the phone’s owner?
All of these issues are called supply chain vulnerabilities, which are managed through supply chain risk management.
Aside from hardware and software, supply chain vulnerabilities also need to be managed for “overall services.” These services typically refer to companies that are working under contract for your organisation, and have access to (or are interacting with) sensitive data. These companies are considered critical because they have a deep level of access into your organisation’s networks, so they may pose a security threat.
For example, if I owned a large financial institution, I might have 15,000 vendors, but only 5,000 who were considered critical. I would take more caution with these critical vendors. Specifically, I would send out questionnaires, perform penetration tests, and use continuous monitoring tools to monitor real-time security incidents. I’d want to do everything I could to ensure my data was secured appropriately so my network wasn’t breached.
4 ways to enhance the cybersecurity of your supply chain
1. Assess the cyber risk posed by vendors in your supply chain.
Not every component of your supply chain poses the same level of risk. Vendors who have access to sensitive data or the corporate network should be treated differently from others. Determining which vendors are critical to your business is an important step in managing cyber risk.
While eliminating cyber risks from critical vendors’ vulnerabilities is impossible, you can implement methods to manage risk. Developing a vendor risk management (VRM) program is a step in the right direction. VRM programs typically utilise:
• Surveys: Surveys can help you get a better look into your vendors’ manufacturing systems. You can ask them questions that may lead you to better understand whether your product has been built securely, and find out more about their process of identifying and mitigating common vulnerabilities.
• Penetration tests and on-site visits: These measures offer better insight into the security of your vendor, but only for that moment in time.
2. Review your contracts to ensure your vendors have security obligations to you.
If you are in the beginning phases of finding and contracting out to vendors, make sure your contracts are written to include the cybersecurity obligations that are necessary for you and your organisation.
If you’re beginning your supply chain risk management program after you’ve onboarded the majority of your vendors, this step is particularly crucial. Gather the contracts of each vendor client, sit down with your legal team, and be sure that each vendor has a legal obligation to report any security breaches that are outside of industry compliance laws. For example, if your vendor is breached and millions of card numbers are stolen from you through your vendor, they have a federally charged legal obligation to report it. But, if your vendor is breached and one of your trade secrets is stolen, they technically aren’t obligated to share that information with you. That’s why including language about security obligations in your vendor contracts is crucial.
3. Monitor the security of your strategic vendors.
Identifying which vendors have access to your organisation’s network or sensitive data is absolutely critical. The best cautionary tale that deals with this issue—particularly as it pertains to vendors who perform general services—comes from the 2013 Target breach.
Target wanted to hire a company to check the cooling of their refrigerators nationwide. With more than 1,500 stores, Target wasn’t interested in having someone come out and physically inspect the machines; rather, they wanted it done digitally. They hired Fazio Mechanical Services, an HVAC company headquartered in Pennsylvania, and gave them broad access to their network so they could monitor the refrigeration units. Though they were simply monitoring refrigeration units, Fazio’s significant level of access made them a “strategic” vendor to Target, which made Fazio a “target” themselves. Attackers breached Fazio’s network, and then used it to break into the Target network. More than 100 million Target card and credit card numbers were stolen because of this breach.
This is a perfect example of the catastrophic impact that can result from an insecure supplier. By limiting network and data access and monitoring the security of critical vendors, an organisation can reduce the likelihood that a Target-like incident will occur in their supply chain.
4. Review your software and hardware vendors.
Every organisation is dependent on software and hardware vendors, and it is not easy to assess the risk posed by these vendors. Solutions for managing cyber risks from the supply chain range, depending on the size and scale of your organisation.
If you want to better understand whether your hardware or software vendors pose a security threat, these innovative tools may be helpful:
• Veracode is a cloud-based technology that helps test the security of applications developed by third parties.
• Safecode is a nonprofit organisation that offers best practices for enhancing the security of software development processes. You can check to see whether the software developer you are purchasing from is a member of the Safecode alliance.
• OTTF (Open Group Trusted Technology Forum) is in the process of creating an international standard for secure software development and supply chain risk management, with the goal of having auditable standards in the years ahead.
You should also be sure that you repeat these steps any time you onboard a new vendor, which many organisations do regularly. In order to ensure that your vendor risk management program is secure, you’ll need to constantly be repeating steps 1-4.
If you want to reduce the amount of time you spend repeating this process, we suggest putting a continuous security performance monitoring solution in place. This way, you’re able to make data-driven decisions about your cyber security supply chain vulnerabilities. We’re confident that if you follow this process, your supply chain risk management program will benefit exponentially.
About the author: Tom was most recently VP of Marketing and Channels for IBM Security Systems. He is an experienced leader in the security industry, and has previously lead market strategy, product management, channel execution and business development at Q1 Labs, Cisco/OKENA and Pentasafe/BrainTree Security Software.