Supply chain cyberthreats have increased. Three questions to ask your CISO.
Supply chain risk management (SCRM) and security have made headline news over the past two years. As global business models have become even more dependent on vendors, and digital channels ramp up across every industry, supply chain security is rising as a corporate and business continuity priority. What are the two sides of SCRM? Why are these threats more insidious? And what three novel questions should you ask your CISO?
Two Types of Supply Chain Security
No matter your industry, you rely on a supply chain and/or you’re part of a supply chain. If you create physical products, you’re concerned about the security of the materials you receive as well as what you ship to customers. On the flip side is the cybersecurity of your supply chain. If you create digital products and services, you’re concerned about the security of the software you create or the code you use as part of your software or platform. Lastly, your organization relies on a number of vendors who use and house your data as part of supply chain activities, and your systems may connect with your vendors’ as part of delivery or service to your customers.
One C-suite survey found that 93 percent of executives claim they are prepared to deal with an issue such as ransomware or a cyberattack on their supply chain. Yet 45 percent of them admit that their software supply chain security efforts are halfway complete or less. And 64 percent couldn’t identify who they would call first if their supply chain was attacked.
Cyberthreats to Supply Chain Security are Bigger Today
That same survey revealed that supply chain security is a higher priority since the nation-state attack on the SolarWinds network management system affected 18K organizations’ supply chains, including the Pentagon and the Department of Homeland Security (DHS). In Q1 2021 alone, supply chain attacks rose 42 percent in the U.S. Couple that with a 10 percent increase in the average cost of a data breach, according to NIST, bringing the average total cost to $4.24M.
60% of supply chain workers are not watching third-party vendors for ongoing risks.
The European Union Agency for Cybersecurity (ENISA) published a report finding that:
- 66% of attacks targeted suppliers
- 58% wanted access to data
- 62% exploited the trust of customers
- 62% of attacks used malware
But cyberthreats come not only from malware but also from other IT and system vulnerabilities such as piracy, unauthorized ERP access, and backdoor access through purchased, open source, or proprietary software. While some organizations are reducing their number of foreign suppliers, or how much they rely on them, moving the supply chain closer to home won’t solve the bigger security issue.
One-to-Many: Scaling the Cybersecurity Breach ROI
Cybercriminal organizations of all types have tapped into a bigger payoff when attacking supply chains. Rather than breach their target directly, they focus attention on lesser-protected organizations downstream. Research from the Identity Theft Resource Center (ITRC) found that 137 organizations had supply chain cyberattacks stemming from just 27 third-party vendors. What’s most telling is that while data compromises were up 12 percent, the number of consumers impacted grew by 564 percent.
The ENISA report also highlighted the complexity, cost, and targeted nature of these months-long campaigns. While a company may believe that their own security is solid and well-monitored, their suppliers offer many more potential vulnerabilities and access points.
66% of organizations attacked through their supply chains weren’t aware or failed to disclose how they were compromised. Fewer than nine percent knew how they were breached.
The Go-to Five Areas to Improve Supply Chain Cybersecurity
These are the standard five areas cybersecurity experts will say organizations should focus on to improve their supply chain security. Think of this as a checklist to ensure your organization is covering the basics. Then, move on to the next section to ask three questions that may change how you view, and prioritize, supply chain security.
- Data protection: Data is at the heart of business transactions and must be secured and controlled at rest and in motion to prevent breach and tampering. Secure data exchange also involves trusting the other source, be it a third party or an e-commerce website. Having assurances that the party you are interacting with is who they say they are is vital.
- Data locality: Critical data exists at all tiers of the supply chain, and must be located, classified and protected no matter where it is. In highly regulated industries such as financial services and healthcare, data must be acquired, stored, managed, used and exchanged in compliance with industry standards and government mandates that vary based on the regions in which they operate.
- Data visibility and governance: Connected systems across the supply chain can enhance efficiency, collaboration, and data analysis for decision-making, but they also require very thoughtful and controlled processes for role- or function-based access and permissions.
- Fraud prevention: Supply chains include a series of sales that can span the globe and many vendors. Each point in the chain presents a vulnerability where data exchanges and financial information can be stolen.
- Third-party risk: We cover this topic more deeply here, but third-party risk is the heart of SCRM. The more dependencies and interconnected data and systems there are, the greater the number of threat vectors. One product or service may rely on four or more levels of suppliers to deliver finished orders. Transparency, trust, and due diligence are required at every level.
Then there are the classic best practices that are the same whether you are looking at supply chain risk or any other type of cybersecurity risk:
Parting Questions to Ask Your CISO
Beyond the basics, these three questions might elicit new and concerning answers that require a fresh approach to your cybersecurity and to how you think about your supply chain.
Where are you in the chain? Consumer, producer or both?
In most cases, organizations are both supply chain consumer and producer: receiving materials, products, or services from vendors, and creating products and services for their own customers, whether that’s another vendor in the chain or the final consumer. Knowing your position in the chain, and how the organizations before and after you use your data, software, and systems, is critical to finding security gaps and carrying out a risk-based cybersecurity approach. Certainly, you want your contract and procurement language to delineate security scenarios and the responsibilities of both parties.
Who is in the path of a ripple caused by your organization? The ripple effect of supply chain breaches.
The one-to-many section, above, highlights the exponential effect that criminals desire. Have you thought about the ripple effect you would cause to your downstream customers and upstream vendors if you were the original source of a supply chain breach? Who would you call? What would be your approach to mitigate damage to yourself as well as those dependent on your data, systems, and deliverables?
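The multi-tier supplier dependency described under Third-party risk above, and the ripple-effect question just asked, are both exercises in walking a dependency graph. The following is an added example, not code from the article or from the firm that wrote it: it builds a constructed, hypothetical supply chain (organization names are made up) and computes who a breach at a given node could reach downstream, how many tiers of suppliers sit above a given organization, and which node has the largest blast radius, which is the one-to-many payoff the article describes.

```python
from collections import deque

# Constructed example graph (hypothetical organization names).
# An edge A -> B means B consumes data, software or services from A,
# so a compromise at A can ripple to B.
SUPPLY_CHAIN = {
    "chip-foundry": ["board-maker"],
    "board-maker":  ["device-oem"],
    "oss-library":  ["saas-vendor", "device-oem"],
    "saas-vendor":  ["hospital-a", "hospital-b", "retailer"],
    "device-oem":   ["hospital-a", "clinic"],
    "hospital-a":   [],
    "hospital-b":   [],
    "clinic":       [],
    "retailer":     [],
}


def downstream_ripple(graph, origin):
    """Return {org: hops} for every organization reachable downstream of
    `origin`, i.e. everyone a breach at `origin` could propagate to.
    Breadth-first search so `hops` is the shortest path length."""
    hops = {}
    seen = {origin}
    queue = deque([(origin, 0)])
    while queue:
        node, depth = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                hops[nxt] = depth + 1
                queue.append((nxt, depth + 1))
    return hops


def reverse_graph(graph):
    """Flip every edge so that consumers point back at their suppliers."""
    rev = {node: [] for node in graph}
    for src, dsts in graph.items():
        for dst in dsts:
            rev.setdefault(dst, []).append(src)
    return rev


def upstream_tiers(graph, org):
    """Return {supplier: tier} for everyone whose output feeds into `org`,
    directly (tier 1) or through intermediate suppliers (tier 2, 3, ...)."""
    return downstream_ripple(reverse_graph(graph), org)


def blast_radius_ranking(graph):
    """Rank every node by the number of organizations it can affect
    downstream. The top entries are the 'one-to-many' targets."""
    return sorted(
        ((len(downstream_ripple(graph, node)), node) for node in graph),
        reverse=True,
    )


def most_consequential_supplier(graph):
    """Name of the node whose compromise reaches the most organizations."""
    return blast_radius_ranking(graph)[0][1]


if __name__ == "__main__":
    print("Ripple from oss-library:", downstream_ripple(SUPPLY_CHAIN, "oss-library"))
    print("Supplier tiers above hospital-a:", upstream_tiers(SUPPLY_CHAIN, "hospital-a"))
    print("Blast radius ranking:", blast_radius_ranking(SUPPLY_CHAIN))
```

In this constructed graph the widely reused library, not any single large enterprise, has the largest blast radius, and the hospital sits three supplier tiers away from the chip foundry it has never contracted with. Running the same walk over a real vendor inventory is how a CISO turns the ripple question into a concrete list of who to notify and which upstream tiers need due diligence.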
Industry experts are seeing a shift in who the cybercriminal’s target is. Although large enterprises have been the typical target of supply chain attacks, medium- and small-sized businesses have been targeted just as frequently.
Who are your competitors? Think differently about cybercriminal organizations.
How much time does your organization spend on market trends and competitive forces? Probably quite a bit of time and resources. However, thinking of cybercriminal organizations as your competition might be a more effective way to deal with the potential impact of a breach on your business. Supply chain security breaches compete for your employees’ time and attention, for your dollars paid in ransoms, and for control of your brand in the news.
SCRM Requires a Holistic, Risk-based Approach
Supply chain security – whether for physical or digital products and services – involves a fresh tack in internal and external relationships, vetting, and oversight of companies upstream and downstream. While increasing your cybersecurity maturity helps your customers, you also need a hand in ensuring that those you rely upon are keeping your interests secure as well. Our experts bring a new perspective and a critical eye to uncover vulnerabilities, recommend a risk-based prioritization, and follow through to mitigate them quickly.
See how we did this for a healthcare client. Read the case study.