Many large enterprises have implemented robust in-house cybersecurity programs. They have a well-designed security stack, round-the-clock threat detection and response capabilities, and a strong employee cybersecurity awareness program.
However, very few organizations are vertically integrated to the point of being self-sufficient. They all rely upon third parties to provide critical components, store their data, or provide other valuable products and services.
The Threats of Poor Supply Chain Security
Most companies have a number of different third-party suppliers and partners. If these organizations are exploited by a cybercriminal, then the attacker can leverage their trusted relationship in a number of different ways:
● Embedded Malicious Code: Cybercriminals can exploit an organization’s dependence on third-party libraries in their code or third-party applications to infect an organization with malware. The NotPetya wiper – which caused billions of dollars in damages – was originally spread as a malicious software update provided by a trusted tax and accounting software provider.
● Exploiting Vendor Relationships: Many organizations grant third-party providers access to their internal networks. The 2013 Target breach, which exploited the retailer’s HVAC provider’s access to the network, demonstrated the danger of this practice.
● Sabotaging or Denying Critical Supplies: Access to raw materials, critical components, or other resources is essential to manufacturing organizations. What COVID-19 did to the availability of toilet paper and medical supplies, a cybercriminal could do to components critical to an organization’s operations.
● Loss of Data or Intellectual Property: For many companies, their intellectual property and trade secrets constitute their competitive advantage. If this data can be stolen from trusted vendors, it could destroy an organization’s ability to compete in the marketplace.
These represent only some of the potential threats that an attacker poses to an organization’s operations. Companies must secure their supply chains as a critical part of their cybersecurity strategy.
Securely Managing Your Supply Chain
Managing supply chain risk is a complex process, and, in most cases, it is impossible to completely eliminate or manage the cybersecurity risk inherited from an organization’s suppliers, contractors, and other third-party partners. However, an organization can take steps to decrease the risk posed by its supply chain:
● Identify Supplier Criticality: For most organizations, vetting the security of all of their suppliers is infeasible. The companies within an organization’s supply chain should be classified and prioritized based upon their importance to an organization’s operations.
● Consider Regulatory Responsibilities: Certain suppliers may have an impact on an organization’s regulatory compliance, such as those with access to critical data or providing quality-controlled components. These suppliers should be vetted as part of an organization’s compliance strategy.
● Manage Supplier Access: An organization’s supply chain can threaten its security in a number of different ways; however, the most common threats are often caused by excessive access (elevated network privileges, unnecessary access to data, etc.). Manage supply chain risk by limiting access based upon the principle of least privilege and by periodically reviewing and updating permissions as needed.
● Design for Business Continuity and Resiliency: Many business processes are optimized, meaning that a company may be fully dependent on one or a few suppliers for critical components. Business continuity and resiliency require diversifying suppliers or putting strategies in place to limit the impact if a supplier goes out of business or is otherwise unable to meet the organization’s needs.
How MorganFranklin Consulting Can Help
Supply chain security is a complex problem to solve. Most organizations have many different suppliers, and supply chain relationships go through their subcontractors to “fourth parties” and beyond.
MorganFranklin can help with every stage of the supply chain management process from identifying “critical” vendors that need security vetting to putting tools and processes in place to more efficiently manage an organization’s supply chain risk in the future. While a number of third-party risk management tools are available, they are of limited value without the expertise required to configure them correctly, interpret the results, and develop action plans based on the available data.