Secure your supply chain
A company's defenses are only as strong as those connected to it
By John DeSimone, vice president, cybersecurity and special missions at Raytheon's Intelligence, Information and Services business.
No modern global organization could function without the complex network of firms on which it depends for vital products and services. But as the supply chain becomes more complex in scope, it is increasingly at risk from disruptions, including malicious cyber incidents. Working with suppliers and vendors means sharing valuable and sensitive information about your company, and when that information is shared, security becomes everything.
A number of high-profile cyber breaches originate with suppliers. The 2014 Target breach, at the time the largest known cyberattack on a retailer, was caused by a security flaw introduced by an HVAC vendor. After Equifax revealed in 2017 that a massive cyber breach had exposed the personal data of 130 million people, the company blamed a supplier for failing to apply a security patch. Then there is Petya/NotPetya, the global ransomware attack on a Ukrainian accounting software supplier that spread to its customer base. The attack crippled multinational companies such as the global shipping company Maersk, which stated that the outage cost it over $300 million. To date, it is considered one of the world's most catastrophic cyber incidents.
As with most things in the cyber domain, there is no one-size-fits-all solution to securing the supply chain. New threats appear every minute, and the most dangerous can be where we are not even looking, like the office printer supplier who forgets to change the default password.
One reason these third-party attacks succeed is that many companies fail to do their due diligence on contractors, suppliers and vendors. It's important to make sure your company's supply chain is playing by your security rules, not theirs.
The Department of Defense is an example of a major purchasing organization setting rules for its supply chain. In 2015, the National Institute of Standards and Technology responded to the already dramatic growth in cybercrime by creating guidelines for how government contractors should handle sensitive information. From these guidelines came strict compliance mandates for all organizations doing business with the DoD, known as the Defense Federal Acquisition Regulation Supplement Cybersecurity Clause.
While this compliance standard is DoD-specific, it provides a good baseline for any organization that is looking to secure its supply chain. In today's interconnected world, a company's cyber defenses are only as strong as the defenses of everyone connected to it. This notion requires businesses to reflect on and adapt their models for developing products, assessing suppliers, detecting threats and recovering from any damage.
Working with your supply chain on cybersecurity can seem daunting, but here are things your organization can do to get started:
- Security Assessments: This should be your starting point. This will help you identify and prioritize areas of concern within your organization and those of your suppliers. From this assessment you can develop actionable recommendations for enhancing security across your supplier base.
- Education and Training: Your employees are the people who will be interacting directly with your supply chain. If your workforce is not aware of the cybersecurity threat, it's less likely they'll be practicing good cybersecurity. Implementing employee training and establishing a cultural emphasis on strong "cyber hygiene" are the first steps you and your supplier base should take.
- Incident Response and Reporting: Once you have assessed your supplier base and worked with them to adjust their security controls, the next step is to establish an incident response and reporting plan. In this security climate, businesses can't expect to be breach-free. So should an incident occur with one of your suppliers, they need to have a full understanding of how to handle and report it.
- Investing: Some suppliers will not have the staff or the financial means to meet the security standards your organization is being held to. Investing in these suppliers and helping them achieve the level of security needed to meet compliance standards is an investment in your own company’s security.
As major businesses tighten their cybersecurity defenses, hackers are patiently moving down the supply chain, looking for less-protected entry points. That means your organization is only as secure as your entire supplier base. All a hacker needs is one weakness in one supplier to potentially gain access to your organization's most sensitive data.
If we are going to secure the global supply chain, collaboration is key. Organizations of all sizes must closely evaluate their own people, processes and technology within their own four walls as well as the suppliers who serve them.
This piece originally appeared in Fifth Domain.