As every industry imaginable gets digitally transformed, they can also become highly vulnerable to cybersecurity threats. Whether its healthcare, logistics, or retail, the industry’s supply chain or what’s also known as value-chain (or third-party) the threat level isn’t really any different.
Next month will mark the first anniversary of the infamous WannaCry ransomware attack, but we’re all still (more or less) vulnerable. According to Symantec's annual Internet Security Threat Report, there was a 200% increase in “publicly reported” supply chain attacks in 2017 (and this suggests that the actual number might be higher).
What is a supply chain attack?
A supply chain attack can occur when a bad actor infiltrates the system through a third-party provider or partner to access your systems and data (kind of like what Cambridge Analytica did with your Facebook data).
This is a departure from the traditional cybersecurity threats that enterprise IT departments had to contend with for over two decades. With the rise of the Internet of Things (IoT) and the very real possibility of smart cities, a breach can have dire consequences.
For highly regulated industries like healthcare, in particular, the risks are higher than ever. Furthermore, as Crime as a Service grows in popularity, the threat level is rising at an exponential rate (even as you read this post).
To put all this into perspective, think about how it used to be. For years, we only worried about the hardware supply chain, now we also have to worry about firmware and software updates that are automatically initiated through an app store.
So what should enterprises do to enhance cybersecurity across the supply chain? Let’s take a look at the top ways to secure the supply chain.
1. Extreme Vetting of Third-Party Vendors
Patching software and firmware with the latest releases is vital to keeping things secure. In fact, it’s really something that can’t be avoided.
But what about your partners? Are they taking security as seriously as your organization?
Last year’s Petya/NotPetya attack showed how easy it was for bad actors to hijack software updates to compromise otherwise well-protected targets. So it’s now critical for companies to engage in the extreme vetting of their third-party providers and partners (both software and firmware) to ensure security.
A study conducted by the Ponemon Institute found that 56% of companies experienced a breach that was caused by a third-party vendor. At the same time, only 35% of the businesses surveyed had a list of who they were sharing sensitive information with and only 18% knew if the third-parties were, in turn, sharing that data with other suppliers.
At this juncture, it’s also important to note that the source code can also be compromised during the manufacturing process. So you have to figure out if the code was modified and if a backdoor was installed long before the device enters your property.
At a minimum, C-TPAT security criteria is a good guideline to follow to ensure that all your partners are on the same page (as you are).
2. Real-Time Behavior Monitoring
Just vetting your third-party vendors alone won’t be enough to secure the supply chain. You will also have to monitor your systems in real-time to see if there’s any suspicious activity after an update.
Whether it’s a minor update to IoT firmware or a major systems upgrade, monitoring your IT ecosystem in real-time will be key to maintaining security.
3. Mandatory Authentication of Personal Devices
Bring-your-own-device (BYOD) programs are quite common these days and employers are embracing it because of added benefits like enhanced productivity.
However, if you’re going to embrace this phenomenon, it’ll be critical to include mandatory authentication using network access control before allowing anyone to access the network. Personal devices may not have the same security protocols, so it should be managed accordingly.
4. Address Complicated Issues Associated with Data in Vendor and Employee Termination Protocols
IT and HR departments can sometimes forget to address the complicated processes associated with data access when terminating contracts with both employees and third-party vendors. In fact, it can also be very easy for IT departments to forget to terminate employee access to enterprise systems once their contract has ended.
If you want to secure your supply chain, you can’t just ignore what can potentially occur once a contract has been terminated. For example, last year, Domino’s Australia had a problem with a former supplier leaking personal customer details to spam email lists.
Although the company’s internal systems weren’t compromised, a former vendor was blamed for leaking personal customer details like names, email addresses, and store suburbs. Although no financial information was leaked, the damage to their brand reputation was unavoidable.
As ensuring cybersecurity across the supply chain will be an ongoing process, organizations should also regularly engage in the following:
- Cybersecurity training and software management
- Data encryption
- Develop and establish standards for data sharing with third-parties
- Documentation control
- Personnel security protocols
- Risk coverage and equipment acquisition standards
The threat from bad actors from the four corners of the earth isn’t going to go away, so taking steps like engaging in extreme vetting and vendor audits will quickly become the norm.
To stay one step ahead, it’ll also be a good idea to regularly reevaluate all components of your cybersecurity plan. This approach can not only alleviate risk but also optimize supply chain performance.
While cybersecurity attacks may have once targeted major players like Basecamp and GitHub, it has now evolved to include just about anyone. So we must all take steps to actively keep the supply chain secure.