Supply chain security
In 2020, FireEye, one of SolarWinds’ 300,000 customers, disclosed that it had been breached and that its red team tools had been stolen. SolarWinds later confirmed it was the victim of a supply chain attack conducted by nation-state hackers. According to SolarWinds, 18 000 of its 33 000 customers were left vulnerable, and the attack also affected various U.S. government agencies. The SolarWinds supply chain attack highlights how vulnerable supply chains are to cyberattacks.
What is supply chain security?
A supply chain is the ecosystem of processes, people, organisations, and distributors involved in the creation and delivery of a final solution or product. In cybersecurity, the supply chain includes hardware and software, cloud or local storage, and the mechanisms used to distribute them.
Supply chain security is the part of supply chain management that focuses on the risk management of external suppliers, vendors, logistics and transportation. The goal is to identify, analyse and mitigate the risks inherent in working with other organisations as part of a supply chain.
Why is supply chain security important?
Supply chain security should be a high priority for organisations, as a breach of, or vulnerability in, a supplier’s systems can damage or disrupt operations, cause unnecessary costs and delayed deliveries, and lead to loss of intellectual property. It can also cause reputational damage if the organisation is left unable to deliver its services or operate.
Supply chain security threats
To prevent possible supply chain security incidents, it’s important to understand what causes them. Below are some factors contributing to poor supply chain cybersecurity:
- Lack of visibility over third parties – Organisations may be unaware of what their external supply chain entities do with their critical systems and data.
- Poor data management – Companies may fail to securely use, store, and protect their important data. In addition, sensitive information may be negligently shared and distributed across multiple supply chain members without considering the consequences.
- Extensive third-party access rights – Organisations frequently grant third parties access to their systems but rarely ensure proper access limitations. This often leads to privilege misuse, data theft, and other negative outcomes.
Best practices to protect your supply chain
Supply chain security requires a multifaceted, coordinated approach. Organisations can protect their supply chains with a combination of layered defences. Below are a few strategies organisations can use to manage and mitigate supply chain security risk.
1. Conduct a supply chain risk assessment
Identify your suppliers and third parties and assess their level of cybersecurity. It may be useful to group vendors into different risk profiles, prioritising each third party by its level of vulnerability, its impact on your business, and its access to your systems and data.
2. Establish a formal cyber-supply chain risk management (C-SCRM) program
Produce a detailed description of all measures (policies, processes, procedures, tools, etc.) applied to your supply chain cybersecurity. This includes categorising your third parties based on their importance and risk levels.
3. Work with your suppliers on improving security
Consider using service level agreements (SLAs) to communicate and standardise requirements among your third parties and to make them accountable for cybersecurity incidents they might cause.
4. Limit suppliers’ access to critical assets
Consider adopting a zero trust approach, which requires not only limiting access to critical assets but also always verifying the identity of every user and device accessing them.
5. Monitor your suppliers’ activity
Consider enabling continuous activity monitoring for your suppliers, vendors, and other supply chain entities accessing your systems.
6. Monitor your suppliers’ performance
Monitor service performance and perform routine security audits to verify adherence to the cybersecurity requirements in SLAs; this includes the handling of incidents, vulnerabilities, patches, security requirements, and so on.
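As an added example that is not part of the original article, the following Python script applies the advice in steps 4 and 5: each third party is registered with the assets its contract covers and a window in which its access is expected, and access log lines are checked against that register so that out-of-scope, off-hours, or unregistered supplier access is flagged for review. The vendor names, asset names, and log format are hypothetical and constructed for the example.

```python
from datetime import datetime

# Constructed policy register (hypothetical vendors): only the assets each contract covers, plus an expected access window.
VENDOR_POLICY = {
    "vendor-monitoring": {"assets": {"monitoring-api"}, "hours": (8, 18)},
    "vendor-payroll": {"assets": {"hr-db"}, "hours": (6, 20)},
}

# Constructed sample access log: "<ISO timestamp> key=value ...", one event per line.
SAMPLE_LOG = """\
2024-03-01T09:12:00 actor=vendor-monitoring asset=monitoring-api action=read
2024-03-01T03:15:00 actor=vendor-monitoring asset=prod-db action=read
2024-03-01T10:40:00 actor=vendor-payroll asset=hr-db action=write
2024-03-01T22:05:00 actor=vendor-payroll asset=hr-db action=read
2024-03-01T11:00:00 actor=vendor-unknown asset=domain-controller action=read
"""

def parse_event(line):
    """Parse one log line into a dict; return None if it is malformed."""
    stamp, _, rest = line.partition(" ")
    try:
        event = {"time": datetime.fromisoformat(stamp)}
        for token in rest.split():
            key, value = token.split("=", 1)
            event[key] = value
    except ValueError:  # bad timestamp, or a field without '='
        return None
    return event

def check_event(event, policy):
    """Return the policy violations for one third-party access event."""
    rules = policy.get(event.get("actor"))
    if rules is None:
        return ["no-policy"]  # actor is not in the supplier register at all
    findings = []
    if event.get("asset") not in rules["assets"]:
        findings.append("out-of-scope-asset")
    start, end = rules["hours"]
    if not start <= event["time"].hour < end:
        findings.append("outside-agreed-hours")
    return findings

def review_log(log_text, policy=VENDOR_POLICY):
    """Check every well-formed line; return (line_no, actor, asset, findings) per violation."""
    results = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        event = parse_event(line)
        if event is not None and (findings := check_event(event, policy)):
            results.append((line_no, event.get("actor"), event.get("asset"), findings))
    return results
```

Running `review_log(SAMPLE_LOG)` flags lines 2, 4 and 5 of the sample log; in practice the register would be generated from the risk profiles built in step 1 and the hits fed to the same review process used for internal privileged access.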
Supply chain security is a multi-disciplinary problem that requires close collaboration and execution between the organisation, its customers and its suppliers. Supply chain security is everyone’s responsibility.