You are only as strong as your weakest link.
Supply chain cybersecurity is heavily dependent on the complex interchange of a vastly interconnected and geographically diverse ecosystem that is both deep in its industrial reach and highly nuanced based on any number of risk factors impacting each partner.
Attempting to accurately navigate the supply chain ecosystem may often involve managing “vendors, system integrators, services suppliers and other third-parties, plus the entire services and technology stack that contributes to the design, manufacturing, distribution, deployment, and consumption of information and communications technologies and services.”
By better understanding what is at risk, contextualizing industry best practices, and defining the core pillars to building a dynamic cybersecurity culture across the supply chain, invested players can be empowered to make the change and mitigate cyber threats coming from all directions.
Defining the terms
Richard George, the former National Security Agency technical director of information assurance and current senior advisor for cybersecurity at Johns Hopkins University Applied Physics Laboratory, astutely observed that “Cybersecurity really is a supply chain problem that encompasses the telecom carriers that are used by businesses, the hardware and software that supports organizational workflow, and the cloud assets that so many organizations are leveraging today.”
With so many seemingly disconnected parts of the supply chain, the process of defining what the most pressing problem is and how to provide tangible solutions can be daunting. Understanding risk indicators and best practices may just be the solution…
According to the risk methods 2020 Risk Report, risk indicators refer to “various factors that contribute to a certain type of business risk, or events that could cause supply chain disruption. For example, financial stability of a supplier is a type of risk that faces many organizations, while the risk indicators include specific incidents like bankruptcy, force majeure or product release delays.”
The risks to the supply chain have been growing, due in no small part to the increase in remote work and the lack of effective cyber protection linked to the Covid-19 pandemic.
From January to May 2020 alone:
- The total number of early warnings of supply chain disruption increased by 34%, compared to the same period in 2019.
- Disasters at partner sites increased by 151%
- Disasters at location increased by 100%
- Instability in key employee positions increased by 46%
Weapons to Mitigate Cyber: Best Practices
According to the National Institute of Standards and Technology, the ability to implement industry best practices directly correlates with a business’s success in mitigating cyber risk across the diverse players in the supply chain. Of the many suggestions NIST offered, the following quintessentially reflect the core intention of what is needed to decrease cyber risk in the supply chain.
- Include clear security requirements in every contract or RFT with potential partners.
Outlining the definitive cybersecurity obligations of each link in the supply chain from square one ensures all partners accept responsibility for their security posture.
- Implement as much automation as possible to decrease the risk of human error.
According to Cybint, 95% of cybersecurity breaches are caused by human error. As a result of this striking stat, it is mission-critical to implement as much automation as possible throughout the supply chain to better compartmentalize risk and determine if a technical solution is required.
- Actively track all the component parts and vendors of projects.
By keeping close tabs on all the vendors and subcontractors connected with vital projects, IT teams and systems admins can quickly respond to potential breaches, segmenting risk and ensuring rigorous controls on access to vendors are maintained.
- Establish a ‘one strike and you’re out’ policy with respect to failing to fulfill contractual security obligations.
Supporting repeat offenders and leaving your assets at risk is not a viable solution when we are speaking about the scale and potential costs for enterprise customers. By clearly defining what is at stake for non-compliance, all players in the supply chain are held to the highest standards and network security improves exponentially.
Key steps moving forward.
The ability to enhance supply chain cybersecurity comes down to a combination of accurately understanding the risks being faced by the various players in the supply chain and establishing the protocols, whether technical, contractual, or education-based, to mitigate cyber threats. In practice, the only way to slow the pace of data breaches and harden secure systems against the risks of state-sponsored hackers and ad hoc cybercriminals is to establish and consistently adapt a comprehensive cybersecurity policy from the top down.
By having a clear vision of expectations, establishing long-term protocols to support cyber awareness, and implementing technical solutions to mitigate risk, the supply chain has the chance to decrease its attack surface and provide a unified front against cyber-attacks.