In today’s complex and interdependent world, it’s incredibly difficult to deliver a product or service without a supply chain. But this dependency creates additional risks – from reputational losses to major business disruptions. And with 62% of organizations being impacted by supply chain cyberattacks in 2021, mitigating risks created by third parties is extremely important.
What supply chain security issues might your organization experience? What particular threats are there? How can you protect your supply chain from possible attacks? Read this blog post and you will be armed with answers to these questions. You will also learn seven effective supply chain security best practices to improve the protection of your supply chain and your resilience to potential cybersecurity incidents.
Importance of cybersecurity supply chain risk management
Why should you even bother?
In a supply chain, every business relies on other businesses. Just like a human body is made of different organs and systems, a supply chain comprises different companies, activities, people, resources, and information. And if just one part gets compromised, the entire system is at risk.
What is your supply chain?
Basically, a supply chain is all the processes that enable the flow of goods and services between multiple entities to end customers. According to Gartner, a supply chain includes planning, sourcing and procurement, manufacturing, distribution, transportation, and services within a company and its ecosystem of partners.
In your supply chain, key entities include partners, vendors, suppliers, and service providers that have direct or indirect influence on the production and delivery of your end product or service.
It’s important to distinguish between internal supply chain entities and external supply chain entities, or third parties. The latter are usually where most supply chain cybersecurity risks originate, since organizations typically have limited third-party management capabilities.
Note: For the sake of simplicity, we will use the terms partner, vendor, supplier, and third party interchangeably in this article, despite slight nuances in their meanings.
What industries are most vulnerable?
Industries that rely on extensive and complex supply chains – fast-moving consumer goods, IT, manufacturing, healthcare, agriculture, retail – should be especially aware of supply chain risks.
Even if your company doesn’t adhere to any of these industries, it’s still advisable to take proper precautions to minimize cybersecurity risks in the supply chain.
How do organizations handle supply chain risks?
To maintain their resilience, organizations look for ways to efficiently manage risks associated with their supply chains. The National Institute of Standards and Technology (NIST) advises companies to implement supply chain risk management (SCRM): a process of identifying, assessing, and mitigating the risks of supply chain disruptions. SCRM focuses on managing risks, threats, and vulnerabilities throughout the entire supply chain.
An important part of SCRM is developing an efficient risk response strategy. Gartner finds that reducing the surface area of the risk target is effective in reducing supply chain disruptions. This suggests you should limit the number of touchpoints (products, processes, and networks) that risk events have with the supply chain.
What are major supply chain risks?
Organizations usually face the following supply chain risks:
In this article, we discuss in detail the specifics of cybersecurity risks and options for mitigating them. With all business processes and interactions going digital, cybersecurity is key to safe and stable supply chain operations. Failing to realize this can result in a compromise of critical data, business disruptions, and other undesirable consequences.
Cybersecurity in the supply chain must not be regarded solely as an IT issue – even a single security breach entails other risks, including possible financial losses, damage to the brand’s image, and operational disruptions.
Now, let’s dive into the particular cybersecurity threats coming from the supply chain.
Major supply chain security threats
To prevent possible supply chain security incidents, we first need to understand what causes them. Let’s look at the factors contributing to poor supply chain cybersecurity:
1. Lack of visibility over third parties – Organizations may be unaware of what their external supply chain entities do with their critical systems and data.
2. Poor data management – Companies may fail to securely use, store, and protect their important data. In addition, sensitive information may be negligently shared and distributed across multiple supply chain members without considering the consequences.
3. Extensive third-party access rights – Organizations frequently grant third parties access to their systems but rarely ensure proper access limitations. While this approach may seem handy, it often leads to privilege misuse, data theft, and other negative outcomes.
To make your supply chain secure, you need to understand the particular threats it faces.
As all supply chain components are deeply interconnected, cybercriminals may execute a supply chain attack, targeting weaker links in your supply chain and using them as entry points. A well-known example of such an attack is the Solarwinds hack, when cybercriminals gained access to the networks, systems, and data of thousands of organizations by infecting a Solarwinds software update patch with malicious code. The hackers could then grow their attack surface by gaining access to networks of affected organizations.
Your supply chain can also fall victim to inadvertent threats (such as human mistakes) and malicious insider activity.
Let’s take a closer look at each supply chain security threat:
Supply chain attacks
A supply chain attack is often called island hopping. Instead of attacking a company directly, cybercriminals can infiltrate or disrupt a vulnerable supply chain component. A compromised entity can be exploited to escalate the attack further down the supply network.
Supply chain attacks can be performed in a number of ways:
Infected software and hardware. Attackers may infect a piece of software or implement a malicious component in a company’s hardware. Once software or hardware is installed, malware is spread across multiple entities throughout the entire supply chain.
There was a 742% average yearly increase in software supply chain attacks from 2019 through 2022 according to the 8th Annual State of the Supply Chain Report.
Trusted account compromise. This involves hacking an account known by other supply chain partners. Business email compromise is an example of such an attack. If a hacked email is trusted, cybercriminals can use social engineering and phishing techniques to compromise more emails or trick recipients into revealing critical data.
Watering hole attacks. Cybercriminals can target a website visited by a large number of organizations. A compromised website can distribute malware across multiple endpoints within a supply chain or even an entire industry.
Attacks on data storage services. Some organizations hire third-party companies and cloud services to aggregate, store, and process their data. Attackers may undermine the security of these data storage providers in order to gain access to valuable information and commit large-scale fraud. This can be accomplished by cloud jacking, for example.
In some cases, your employees and supply chain members can unintentionally cause data leaks and breaches, supply chain disruptions, and other negative consequences.
Your supply chain may be inadvertently harmed by trusted entities as a result of:
Human mistakes. Your employees, suppliers, and other supply chain entities may make accidental errors that put your cybersecurity and the supply chain at risk. For example, a partner may send your sensitive data to an unintended recipient by mistake. Alternatively, one of your suppliers with access to your systems may accidentally delete a piece of important data.
Poor third-party cybersecurity. Suppliers and vendors may fail to adequately secure their systems or utilize necessary cybersecurity measures on their endpoints. For example, your supply chain members might struggle to implement proper IT security standards or fall victim to an insider attack. As we mentioned earlier, even if one third party is compromised, a domino effect can happen, undermining more and more supply chain links.
Employee negligence. Even the most secure system is not 100% safe if people using it are negligent and security-unaware. A single employee neglecting password recommendations can cause an account compromise. Malicious actors can also easily take advantage of untrained staff and escalate their way through the supply chain.
Malicious insider activity
The entire supply chain, including your organization, may suffer from malicious insiders – employees purposefully seeking to compromise your critical data and systems.
The risk of insider threats is constantly growing. In fact, insider incidents have increased by 44% from 2020 to 2022 according to the 2022 Ponemon Cost of Insider Threats Global Report.
Your internal malicious insiders are not the only danger:
In a supply chain, your third parties might also be a source of insider threats, as they have access to your network and data.
According to Gartner, malicious insiders may cause damage in the following ways:
Data theft. Malicious insiders might steal valuable data like intellectual property or information on your finances, clients, and marketing strategies. Your competitors, for example, can use your employees or supply chain members to perform industrial espionage.
System sabotage. Insiders can damage your organization’s systems by altering important network configurations, installing malware and shadow IT, or deleting critical data. As a result, your business can be disrupted directly or through your supply chain.
Fraud. Malicious actors may use an organization’s IT infrastructure to perform fraudulent activities. To satisfy their personal gain, an insider can exploit corporate data and assets to organize an identity crime. For example, an authorized third party might abuse your client data to issue illegal payments or create inaccurate invoices for personal benefit.
What makes malicious insiders dangerous is that their malicious actions are almost indistinguishable from regular workplace routines. Acting from the position of trust, malicious insiders can carry out harmful activity for a long time without getting caught.
On average, it takes 85 days to detect and contain an insider security incident according to the 2022 Ponemon Cost of Insider Threats Global Report. And 18% of organizations can’t detect an insider threat at all.
Fortunately, there’s a solution.
To efficiently address supply chain security problems, organizations can rely on cybersecurity supply chain risk management, a dedicated type of SCRM.
Top 7 supply chain security best practices
C-SCRM is the process of identifying, assessing, and mitigating the cybersecurity risks that information and operational technologies pose to a supply chain. Integrating information security with supply chain management, C-SCRM can help you enhance business continuity, supply chain visibility, and cybersecurity compliance.
We have compiled a list of best practices in cyber supply chain risk management that you can adopt as part of your C-SCRM to protect your supply chain. To develop your own C-SCRM, you can refer to NIST Special Publication SP 800-161r1 and NIST Key Practices in Cyber SCRM.
1. Conduct a supply chain risk assessment
What risks does your supply chain pose?
Prior to taking any action aimed at enhancing the security of your supply chain, it’s important to assess possible risks. To do so, you need to understand your supply chain and know its key components. Find out who your suppliers are and assess their level of cybersecurity. It may be useful to group vendors into different risk profiles, prioritizing each third party by level of vulnerability, impact on your business, and access to your systems and data. Questionnaires and on-site visits can aid in assessing supply chain security.
Identify the weakest spots in your supply chain. Think about whether you can provide these suppliers with additional cybersecurity support or have them improve their security on their own.
Apart from people and organizations in your supply chain, pay attention to the safety of software and hardware products supplied to you. Identify what processes in the supply chain pose a threat to sensitive data and systems. Think about what needs to be protected and why.
To better visualize risks, you can draw a tree of all interactions between your organization and supply chain elements. This will help you track connections and see the full picture of supply chain risks.
We recommend to assess your supply chain risks on a regular basis. Assess the cybersecurity of your suppliers in accordance with their importance. Based on your risk assessment results, the next step is establishing your C-SCRM program.
2. Establish a formal C-SCRM program
When everyone is responsible, no one is responsible.
A formal C-SCRM program ensures accountability, as it clearly describes roles and responsibilities regarding business and cybersecurity aspects of relationships between your organization and suppliers.
A formal C-SCRM program is a document containing a detailed description of all measures applied in regard to your supply chain cybersecurity. Policies, processes, procedures, and tools specified in a single source will coordinate a coherent movement towards managing your supply chain risks. A C-SCRM program is also a good place to categorize your third parties based on their importance and risk levels. This will help your organization avoid partnerships with unreliable suppliers and vendors.
Define the structure of your C-SCRM based on your organization’s size. The larger an organization, the more extensive its C-SCRM program should be to cover all processes and aspects.
3. Work with your suppliers on improving security
A bundle is stronger than a single stick.
There’s no chance of maintaining a secure supply chain without close collaboration with your suppliers. According to NIST, some businesses organize entire supply chain ecosystems between companies “to increase coordination and simplify the management of complex shared supply chains.”
Maintaining regular communication with your third parties is crucial for mitigating supply chain vulnerabilities. You can organize visits and gatherings dedicated to improving supply chain resilience and security as well as conduct training to raise awareness among third parties.
It’s important to propagate your security needs and standards to your suppliers and find ways to make them uniform throughout your entire supply chain.
To define responsibilities in your collaboration with suppliers, consider using service-level agreements (SLAs). An SLA will help you communicate to and standardize requirements among your third parties and make them accountable for cybersecurity incidents they might cause. An SLA should include all details considering the cybersecurity aspect of your cooperation. Specify the duties of each party, security requirements, metrics for measuring compliance with requirements, fines for violations, etc.
4. Strengthen your data management
Secure your data.
The way valuable business data is collected, processed, and stored is critical when it comes to supply chain security. That’s why you need to have efficient network security in place and protect your business data on multiple layers: from separate applications used by your organization to the overall infrastructure.
Try to enhance your cybersecurity with the use of data protection technologies such as encryption and tokenization. To be able to recover lost data, you might want to perform regular data backups and make use of data loss prevention solutions. To securely exchange data between different supply chain entities, consider using managed file transfer platforms.
Make every effort to secure data management not only within your organization but across all of your suppliers’ infrastructures.
5. Limit suppliers’ access to critical assets
Do not blindly trust your supply chain.
To protect your important data and systems from malicious activity, limit your suppliers’ privileged access to it. You can apply the principle of least privilege, which means limiting employees’ access to your organization’s critical assets to only what is needed to perform regular duties.
You can also consider adopting a zero trust approach, which requires not only limiting access to critical assets but also always verifying the identity of every user and device accessing them. To do this, you may want to employ a universal insider risk management platform like Ekran System.
With Ekran System’s privileged access management (PAM) functionality, you will be able to:
- Granularly manage access to your critical assets. You can see all accounts of your suppliers and employees, manage their access rights, and limit the time these access rights are granted for.
- Securely authenticate and validate users. Ekran System enables you to validate user identities with the help of two-factor authentication and perform secondary authentication to distinguish users of shared accounts.
- Effectively manage passwords. You can automatically generate, encrypt, and manage the credentials of third parties and your employees. You can also provide your suppliers with one-time access by giving them one-time passwords. All passwords and secrets are located in a secure vault.
To further limit the risk of malicious actors accessing your organization, you can implement the network segmentation technique. This entails segregating your network into self-contained subnetworks aimed at protecting your sensitive data or assets even if one subnetwork is compromised.
By the way, Ekran System’s multi-tenant mode allows your segmented networks to operate in a single Ekran System environment, keeping each subnetwork’s Ekran System data separate from that of other subnetworks.
6. Monitor your suppliers’ activity
Watch their actions.
To reduce the risk of a malicious insider attack in your organization, consider enabling continuous activity monitoring for your suppliers, vendors, and other supply chain entities accessing your system.
Monitoring every external user accessing your network will increase the accountability of your third parties and allow for effective investigation in case of an incident. Additionally, third-party activity monitoring is a common IT compliance requirement.
Ekran System’s third-party managing and monitoring functionality allows you to:
- Record user sessions in a comprehensive video format. You can watch every action of your employees and suppliers via a user-friendly YouTube-like player, both in recordings and in real time.
- Search and filter user sessions by multiple parameters. Ekran System’s video records are enhanced with text metadata, enabling you to search by visited websites, launched applications, active window titles, and more. You can also filter user sessions by username and IP address.
- Generate comprehensive reports. You can export monitoring results using a collection of highly customizable reports. You can also export part of or a full user session in a standalone protected format for forensic investigation.
7. Develop an incident response plan
How will you react to a security incident?
Due to the unforeseen nature of supply chain risks, it’s important to build defenses expecting that your systems will be compromised. So even if a third party–related incident happens, you will be fully prepared.
Based on your risk assessment results, create a detailed incident response plan for your security teams. The plan should include procedures, roles, and conditions of responses to a security incident.
Ekran System can help you automate your incident response and save precious time. With Ekran System, you will be able to:
- Detect a threat in a timely manner. With an actionable alert and notification system, your security team will receive an email notification immediately when a suspicious event is detected. Alerts may be triggered by various parameters, such as visited websites, typed keystrokes, or launched applications.
- Detect unusual user behavior. Ekran System’s AI-powered user and entity behavior analytics module analyzes user activity and tracks actions that diverge from baseline behavior.
- Automatically respond to detected threats. You can respond manually or set the system to automatically block a suspicious third party, show them a warning message, or kill an application when a particular alert is triggered.
If a security event happens outside your perimeter, providing assistance to a third party in mitigating the consequences is vital, as supply chain security is your security as well. Likewise, notify your suppliers in a timely manner if your security is breached or third-party data is compromised.
The benefits of supply chains come at the price of risks posed to each supply chain entity, in particular cybersecurity risks. Tight interconnection raises the possibility of a supply chain attack, a malicious third-party attack, or inadvertent destructive activity inside your organization.
To strengthen your supply chain security and be less vulnerable to potential threats, follow our best practices for supply chain cybersecurity. Assess your supply chain risks and create a formal C-SCRM program that will serve as a guide for mitigating third-party risks in IT security. Pay special attention to the ways you can secure your data, and establish proper third-party monitoring and incident response routines. Work with your suppliers on improving your mutual security, and don’t forget to re-assess it on a regular basis.
Consider implementing a third-party vendor security monitoring solution. With Ekran System, you can take your supply chain risk management to a new level thanks to access management, third-party monitoring, reporting, and incident response capabilities.
Request a free 30-day trial of Ekran System
and test its capabilities in your IT infrastructure!