Digital transformation has been under hot debate for more than a decade and its advantages and disadvantages discussed in different global forums, yet the process has been somehow slow. However, COVID19 has accelerated digitilization at an unprecedented rate. Since the start of the pandemic, organizations worldwide forced to shift most of their operations to become fully digital rapidly. According to Mckinsey, the COVID19 has pushed organizations to speed up digital transformation efforts, especially customer and supply chain relations, by three to four years in just a few months.
Digital transformation will undoubtedly lead to increasing third-parties vendors’ risks. For instance, we can recognize the following two threats when outsourcing products/services in today’s digital economy:
- Lack of control: We cannot control other vendor IT systems to discover possible vulnerabilities or to address any shortfall in security policies that could impose threats to connected partners – such as our own organization.
- Lack of visibility: This is a significant problem that prevents an organization from knowing about possible threats in vendor IT systems. For example, when partnering with a third-party provider, an organization may not have comprehensive visibility into the vendor’s cyber threats, the security of its servers/endpoints devices, and the implemented access privileges.
To remain competitive in this new business and complex IT environment, organizations must be fully aware of the threats affecting their supply chains and should work effectively to mitigate them before they pose risks to their customers and business operations. This article sheds light on the term Cyber Supply Chain Risk Management (C-SCRM), outlines the most common threats, and lists mitigations to lower their impact.
Defining Cyber Supply Chain Risk Management (C-SCRM)
C-SCRM is a sub-type of supply chain management that focusses on discovering and mitigating the cyber risks associated when working with suppliers, vendors, and other external partners, including transportation parties. The scope of C-SCRM surpasses managing third-parties risks and spans to include other third-parties to those third-parties, hence, the fourth, fifth and sixth parties and so on. In today’s connected world, a vendor may utilize services from other external suppliers located in different countries, some of those external vendors can also utilize services or products from other vendors. Your organization must know this extended circle of vendors partnering with each other, so it can measure its risk exposure accurately and discover any vulnerable service/products before incorporating them into its work processes.
The security of the supply chain includes both the security of physical products (protecting IT devices from theft or sabotage) and the cybersecurity of software programs and other related IT services, which include any cyberthreats affecting purchased devices or software such as: IT vulnerabilities, malware, backdoors, and software piracy.
Cyber Supply Chain Risks
According to Supplychainbrain, about 80% of reported breaches occur in supply chain networks. The cyber supply chain risks involve those originating from various areas:
- Third-party vendor’s risks include any external company with access to critical IT systems, programs source code, computer network, and cloud resources.
- Weak security practices implemented by the vendors. For example, suppose a vendor has access to your organization network; if the vendor system gets compromised with ransomware, the infection can spread to your organization network.
- Infected software or IT hardware devices purchased from vendors. For example, malware can hide in a software or hardware product that execute upon installing it in the client IT environment.
- Security vulnerabilities existing in vendor IT systems and programs can lead to infecting connected client systems.
- Purchasing IT hardware infrastructure components infected with embedded malware. For example, a vendor may sell networking equipment such as a router, switch, or Firewall with malware embedded within it to monitor all traffic pass through the infected device.
The cybersecurity of supply chain management here means making sure any software developed by external company is safe from vulnerabilities and malware, and securing organization sensitive data when accessed by external partner.
Cyber Supply Chain Best Practices
The security of the supply chain will significantly differ from one organization to another depending on its industry, the number of third-party vendors, and its staff IT knowledge level. The following best practices help any organization manage its cyber supply chain:
- Be comprehensive: Remember, C-SCRM is not a digital problem related to the IT security team. All departments within your organization must be aware of threats originating from third-party vendors, as some risks are not digital – such as physical theft of IT equipment.
- Identify critical systems: Consider identifying key IT systems that need to be protected; this should allow you to define the necessary steps to secure them from both physical and digital attacks. An organization’s assets that need to be safeguarded contain different categories: software and hardware, personal, and other sensitive data repositories.
- Track shipments: To secure purchased IT equipment from physical threats, use a shipment tracking service to receive automated notifications regarding your current shipments location. It would help if you also considered sealing your equipment packages to prevent unauthorized access during transit.
- Perform background checks about your key vendor employees that you have work with: Open Source Intelligence (OSINT) can be utilized to gather intelligence from publicly available sources about any person or entity.
- Deal with trusted vendors only: Ensure the vendors you are dealing with are accredited worldwide.
- Assess the security of your vendor’s IT systems: For example, conduct penetration testing assessments against the vendors that you share data with them. Vulnerability scans can also be conducted to discover vulnerabilities in vendor IT systems.
- Follow secure Software Lifecycle Development: When developing software programs, establish a secure Software Development Life Cycle (SDLC) that implements security controls at key stages of the process.
- Source code: Try to acquire all source codes of the programs you purchase or have an independent auditor to ensure no backdoor exists in purchased programs.
- Seek help from a third-party auditor: If you cannot perform vulnerability assessment or penetration testing experiments against your vendors, hire a third-party auditor to assess your vendor security defenses.
- Access controls: Enforce network access controls and make sure to keep them up-to-date.
- Install security solutions on different layers: Install relevant security solutions on network gateways and endpoints devices, such as intrusion detection systems, firewalls, antimalware, and data loss prevention.
- Know your threats: Examine your supply chain, discover any threat that may endanger it, and plan your cyber defenses accordingly.
- Prepare an incident response plan: Respond quickly to possible breaches and other security incidents before they get escalated.
The security of supply chains has become a top priority for every organization worldwide. As the world rushes to become fully digital, organizations are increasingly utilizing technology to automate most of their purchase needs.
A vulnerability within any vendor IT systems can lead to a security breach in client organization IT systems, leading to loss of revenue and reputation. It might end with a lawsuit if the violation revealed other partners’ intellectual property information or other sensitive data such as Personally Identifiable Information (PII).
Dr. Varin Khera
Dr. Khera is a veteran cybersecurity executive with more than two decades worth of experience working with information security technology, models and processes. He is currently the Chief Strategy of ITSEC Group and the Co-founder and CEO of ITSEC (Thailand). ITSEC is an international information security firm offering a wide range of high-quality information security services and solutions with operation in Indonesia, Malaysia, Philippines, Singapore, Thailand and Dubai.
Previously the head of cyber security Presales for NOKIA, Dr. Khera has worked with every major telecom provider and government in the APAC region to design and deliver security solutions to a constantly evolving cybersecurity threat landscape.
Dr. Khera holds a Doctor of Information Technology (DIT) from Murdoch University, a Postgraduate Certificate in Network Computing from Monash University and a Certificate of Executive Leadership from Cornell University.
Dr. Khera was one of the first professionals to be awarded the prestigious Asia Pacific Information Security Leadership Awards (ISLA) from ISC2 a world-leading information security certification body under the category of distinguished IT Security Practitioner for APAC.