IFSEC Insider is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
James Moore is the Managing Editor of IFSEC Insider, the leading online publication for security and fire news in the industry. James writes, commissions, edits and produces content for IFSEC Insider, including articles, breaking news stories and exclusive industry reports. He liaises and speaks with leading industry figures, vendors and associations to ensure security and fire professionals remain abreast of all the latest developments in the sector.
Steph Charbonneau, Senior Director of Product Strategy, HelpSystems, explains why the expansion of business supply chains can result in cyber security vulnerabilities to those involved – and provides advice on how to guard against the threat.
Business ecosystems have expanded over the years owing to the many benefits of diverse, interconnected supply chains, prompting organisations to pursue close, collaborative relationships with their suppliers. However, exposing networks to the supply chain has also increased cyber risk: it takes only one supplier with weak security to bring a business to its knees. For this reason, governments around the world have highlighted supply chains as an area for urgent attention in tackling cyber risk in the coming years.
Looking beyond your own perimeter
Over the last few years, many organisations have worked hard to improve their cyber defences and have become harder targets. For these well-defended organisations, the greatest weakness is now their suppliers, who are typically less well defended yet highly interconnected with them.
At the same time, the cyber threat landscape has intensified. The events of the past year mean that security professionals are not only managing security in a remote-working set-up and keeping systems accessible to employees, they are also handling a multitude of issues from a distance while defending a much broader attack surface. As a result, points of vulnerability have become even more numerous, providing an attractive space for bad actors to disrupt and extort enterprises. Threats have escalated, including phishing and new variants of known threats such as ransomware and distributed denial of service (DDoS) attacks, as well as an increase in supply chain attacks.
But where supply chains are concerned, it is nearly impossible to effectively manage this risk unless you know the state of your suppliers’ defences and continually ensure that they are comparable to your own. Organisations must deeply understand the cyber risks associated with the relationship and try to mitigate those risks to the degree possible.
However, that is easier said than done. Since the sending and receiving of information is essential for the supply chain to function, the only option is to identify and manage the risks this presents. That requires organisations to overhaul existing risk monitoring programmes and technology investments, and to prioritise cyber and data security governance.
Ensuring the basics are in place
At the very least, organisations should ensure that both they and their suppliers have baseline controls in place, aligned to a recognised framework such as Cyber Essentials, the NIST Cybersecurity Framework or ISO 27001, coupled with good data management controls. They should thoroughly vet and continuously monitor supply chain partners. They need to understand what data partners will need access to and why, and ultimately what level of risk this poses. Likewise, they need to understand what controls suppliers have in place to safeguard data and to protect against incoming and outgoing cyber threats. Activity between the organisation and the supplier should be monitored, logged and regularly reviewed, and a baseline of normal activity should be established so that deviations from it can be spotted.
As well as effective processes, people play a key role in helping to minimise risk. Cyber security training should be given so that employees are aware of the dangers and know how to spot suspicious activity. They should be aware of data regulation requirements and understand what data can be shared with whom. And they should also know exactly what to do in the event of a breach, so a detailed incident response plan should be shared and regularly reviewed.
IT best practices should be applied to minimise these risks. IT used effectively can automatically protect sensitive data so that when employees inevitably make mistakes, technology is there to safeguard the organisation.
Securely transferring information between suppliers
So how do organisations transfer information between suppliers securely, and how do they ensure that only authorised suppliers receive sensitive data? Here data classification tools are critical: they ensure that sensitive data is treated, stored and disposed of throughout its lifetime in accordance with its importance to the organisation. Classification applied as visual labels and as metadata on emails and documents lets downstream controls recognise sensitive data, protecting the organisation from the risk of that data being exposed to unauthorised organisations further down the supply chain.
Likewise, data that isn’t properly encrypted in transit can be at risk of compromise, so using a secure and compliant mechanism for transferring data within the supply chain will significantly reduce risks. Managed File Transfer (MFT) software facilitates the automated sharing of data with suppliers. This secure channel provides a central platform for information exchanges and offers audit trails, user access controls, and other file transfer protections.
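The baseline-and-review approach described under "Ensuring the basics are in place", applied to the audit trail an MFT platform produces, as an added example that is not code from the article or from any MFT product. The audit record layout (timestamp, supplier account, operation, remote host, bytes), the five-record learning window and the "three times the usual volume" threshold are assumptions for illustration; the sample records are constructed.

```python
"""Baseline the normal file-transfer activity of each supplier account and
flag transfers that depart from it.

Added example, not code from the article or from any MFT product. The audit
record layout (timestamp, account, operation, remote host, bytes), the
learning window and the thresholds are all assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample audit records (not real data). The first five establish
# the baseline for the account "acme-parts"; the rest are evaluated against it.
SAMPLE_LOG = """\
2021-03-01T09:12:04Z acme-parts PUT sftp.acme-parts.example 512000
2021-03-01T09:40:11Z acme-parts PUT sftp.acme-parts.example 498000
2021-03-02T10:02:55Z acme-parts PUT sftp.acme-parts.example 530000
2021-03-03T09:55:30Z acme-parts PUT sftp.acme-parts.example 505000
2021-03-04T10:10:00Z acme-parts PUT sftp.acme-parts.example 520000
2021-03-05T03:14:07Z acme-parts GET 198.51.100.23 9800000
2021-03-05T09:30:00Z acme-parts PUT sftp.acme-parts.example 515000
2021-03-05T11:00:00Z unknown-vendor PUT sftp.other.example 40000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<account>\S+) (?P<op>PUT|GET) (?P<host>\S+) (?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "account": d["account"],
            "op": d["op"],
            "host": d["host"],
            "bytes": int(d["bytes"]),
        })
    return records


def build_baseline(records):
    """Per account: the remote hosts, hours of day and mean size seen so far."""
    by_account = defaultdict(list)
    for r in records:
        by_account[r["account"]].append(r)
    return {
        account: {
            "hosts": {r["host"] for r in recs},
            "hours": {r["ts"].hour for r in recs},
            "mean_bytes": mean(r["bytes"] for r in recs),
        }
        for account, recs in by_account.items()
    }


def deviations(record, baseline, volume_factor=3.0):
    """Reasons (possibly none) why a record departs from its account's baseline."""
    b = baseline.get(record["account"])
    if b is None:
        return ["account has no baseline (never seen before)"]
    reasons = []
    if record["host"] not in b["hosts"]:
        reasons.append(f"new remote host {record['host']}")
    hour = record["ts"].hour
    if not (min(b["hours"]) - 1 <= hour <= max(b["hours"]) + 1):
        reasons.append(f"transfer at {hour:02d}:xx is outside the usual hours")
    if record["bytes"] > volume_factor * b["mean_bytes"]:
        reasons.append(
            f"{record['bytes']} bytes exceeds {volume_factor:g}x the usual volume"
        )
    return reasons


def review(log_text, learning_records=5):
    """Build the baseline from the first records, then report later deviations."""
    records = parse_log(log_text)
    baseline = build_baseline(records[:learning_records])
    findings = []
    for r in records[learning_records:]:
        reasons = deviations(r, baseline)
        if reasons:
            findings.append((r["ts"].isoformat(), r["account"], reasons))
    return findings


if __name__ == "__main__":
    for ts, account, reasons in review(SAMPLE_LOG):
        print(ts, account, "; ".join(reasons))
```

Run stand-alone, the script reports the 03:14 pull to an unfamiliar address (new host, unusual hour and roughly nineteen times the usual volume all at once) and the never-seen account, while the routine 09:30 upload passes silently. In practice the learning window would be days or weeks of records rather than five lines, and the baseline would be recomputed as the relationship evolves.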
Layering security defences
Organisations should also layer security defences to neutralise any threat arriving from a supplier. Due to its ubiquity, email is a particularly vulnerable channel and one that is often exploited by cyber criminals posing as a trusted partner. It is therefore essential that organisations are adequately protected from incoming malware, malicious content embedded in documents and attachments (including the kind used by advanced persistent threat groups), or any other threat that could pose a risk to the business.
And finally, organisations need to ensure that documents uploaded to and downloaded from the web are thoroughly analysed, even when they come from a trusted source. To do this effectively, they need a solution that removes risks from email, web and endpoints while still allowing the transfer of information to take place. Adaptive DLP allows the flow of information to continue while removing threats, protecting critical data and ensuring compliance, without becoming a barrier to business or imposing a heavy management burden. This matters because traditional "stop and block" DLP approaches have often caused too many delays to legitimate business communications, along with the high management overhead of dealing with false positives.
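The two controls described above, classification labels on outbound mail (under "Securely transferring information between suppliers") and adaptive DLP that sanitises rather than blocks, combined in one policy check, as an added example that is not code from the article or from any DLP product. The header name X-Classification, the supplier clearance register, the default label for unlabelled mail, the organisation's own domain and the card-number redaction are illustrative assumptions; the sample messages are constructed.

```python
"""Enforce classification labels on outbound mail to suppliers, sanitising
rather than blocking where the content can be made safe.

Added example, not code from the article or from any DLP product. The header
name X-Classification, the supplier clearance register, the default label for
unlabelled mail and the card-number redaction are all illustrative assumptions.
"""
import re

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Assumed supplier register: the highest classification each domain may receive.
SUPPLIER_CLEARANCE = {
    "acme-parts.example": "confidential",
    "cheap-logistics.example": "internal",
}
ORG_DOMAIN = "example.com"   # assumed own domain; internal recipients are not vetted here
DEFAULT_LABEL = "internal"   # assumed treatment of mail that carries no label

# 13-16 digits with optional single space/hyphen separators, ending on a digit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits):
    """Luhn checksum, used so that ordinary long numbers are not redacted as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_pans(text):
    """Replace Luhn-valid card numbers; return (new_text, count)."""
    count = 0

    def _sub(m):
        nonlocal count
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            count += 1
            return "[REDACTED-PAN]"
        return m.group(0)

    return CARD_RE.sub(_sub, text), count


def evaluate_outbound(message):
    """Decide allow / allow-with-redaction / block for one outbound message."""
    label = message["headers"].get("X-Classification", DEFAULT_LABEL).lower()
    if label not in LEVELS:
        return {"action": "block", "reasons": [f"unknown label {label!r}"], "body": message["body"]}
    level = LEVELS[label]
    reasons = []
    for rcpt in message["recipients"]:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain == ORG_DOMAIN:
            continue
        clearance = SUPPLIER_CLEARANCE.get(domain)
        if clearance is None:
            if level > LEVELS["public"]:
                reasons.append(f"{domain} is not a registered supplier")
        elif level > LEVELS[clearance]:
            reasons.append(f"{domain} is cleared for {clearance}, not {label}")
    if reasons:
        # A label/recipient mismatch cannot be fixed by editing content: block.
        return {"action": "block", "reasons": reasons, "body": message["body"]}
    body, n = redact_pans(message["body"])
    if n:
        # Adaptive step: strip the sensitive tokens and let the message through.
        return {"action": "allow-with-redaction", "reasons": [f"{n} card number(s) redacted"], "body": body}
    return {"action": "allow", "reasons": [], "body": body}


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = {
    "cleared": {"headers": {"X-Classification": "Confidential"},
                "recipients": ["buyer@acme-parts.example"],
                "body": "Q2 pricing schedule attached."},
    "over_clearance": {"headers": {"X-Classification": "Confidential"},
                       "recipients": ["ops@cheap-logistics.example"],
                       "body": "Q2 pricing schedule attached."},
    "needs_redaction": {"headers": {},
                        "recipients": ["buyer@acme-parts.example", "me@example.com"],
                        "body": "Please charge card 4111 1111 1111 1111 for PO 4471."},
    "unregistered": {"headers": {"X-Classification": "Internal"},
                     "recipients": ["someone@unknown.example"],
                     "body": "Hi"},
}

if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        print(name, evaluate_outbound(msg))
```

The design point is the split between the two kinds of finding: a confidential label going to a domain cleared only for internal data is blocked outright, because no edit to the body changes who is receiving it, whereas a card number in an otherwise permitted message is redacted and the message delivered, which is the "remove the risk, keep the flow" behaviour the article attributes to adaptive DLP. The Luhn check is what keeps purchase-order and reference numbers from triggering the redaction.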
Cyber criminal attacks set to rise
Many of the recent well-publicised attacks have been orchestrated by nation states. Going forward, criminal syndicates are likely to adopt the same approach: they already have the ransomware capabilities, and all they need to do is combine them with targeting of the supply chain. Making sure you have the right technologies, policies and training programmes in place should therefore be a top priority for organisations in 2021.
Supply chains: Today's fastest growing cyber threat?
Why the expansion of business supply chains can result in cyber security vulnerabilities – and how to guard against the threat.