Whenever organizations think of supply chain risk and how to manage it, they tend to focus on physical supply chain risk management, rather than cyber risk. Yet, as we all learned with the SolarWinds breach, managing cyber risk across all parties in your supply chain is imperative and cannot be ignored.
Prior to the Target breach of 2013, when attackers leveraged a trusted third-party HVAC provider’s credentials, organizations blindly trusted vendor security controls. Now best practice is to include a cybersecurity addendum in every contract with vendors, dictating their legal accountability to maintain a minimum set of security controls.
Supply chain attacks are often referred to as “island hopping,” meaning attackers hop between links in the supply chain and infect new organizations, but given how readily these attacks spread, that label understates them. Less sophisticated attacks can pose just as big a threat if you and your organization are not taking a risk-based approach that incorporates zero-trust tactics.
Supply chain attacks spread swiftly
SolarWinds showed us how quickly one link in the supply chain can impact all parties involved, no matter the geography. The attack had the potential to affect 18,000 companies and government entities around the globe without detection. After seeing cybersecurity’s heavy hitters like Microsoft and Malwarebytes fall prey to a nation-state attack, investing in security may seem like a black hole. However, there are plenty of other attackers out there all trying to earn quick paydays through cybercrime, and they are looking for the path of least resistance into your systems.
All parties in your supply chain expose you to their risk when they touch your environment. That risk could come from a compromised open-source program, GitHub dependency repository hijacking, or from an employee falling prey to a phishing email. All would qualify as supply chain attacks.
Take inventory of your risk
By the time the average SMB reaches 51-100 employees, they are running on average 79 applications to fuel the business. Your organization takes on the risk of all parties involved in those applications, both through the initial download and subsequent updates. SolarWinds showed us that anyone can be breached through their supply chain with ease.
If you aren’t taking control of your supply chain risk management, then less complex attacks may have a similar effect on you, which is why it is vital to adopt a risk-based approach to cybersecurity.
Turn your supply chain into an advantage
With so many vendors in your supply chain touching your software, it’s crucial to take control of your risk. You must categorize your organization’s risks to determine which are the highest priority, and ultimately which risk to address first. How do you take control of your organization’s supply chain cybersecurity risk?
To protect your business you have to know where your organization’s supply chain risk lies. Taking the time to classify it by tiers through a Business Impact Analysis is necessary, as it will influence your risk management plan. Whether an incident is one you must focus on, control, or accept depends on your level of risk tolerance. Managing the highest-tier risk will help your company avoid critical function downtime.
What is your acceptable level of risk, and what incidents could your business not handle? Reviewing your risk categories will help you set your baseline security controls and tolerance thresholds. You want to have your key risks identified and under control to limit the potential for any future breaches.
Putting your security controls into action is a process. You must be mindful of your people, processes, and technology as you put in place new security controls. Any changes need the buy-in of those involved, both internal and external. Your employees must follow internal policies and standards to ensure updates are safe. As you change the risk you are willing to accept, your supply chain should change. You’ll gravitate towards vendors with less risk who agree to cybersecurity addendums in contracts, holding them accountable to a minimum set of security controls.
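The tiering and disposition process described above (BIA impact tier, a tolerance threshold, and a focus/control/accept decision, with a signed addendum and verified controls lowering residual risk) can be run over a vendor register. This is an added illustration, not Headstorm’s method or any standard formula: the weights, the threshold, the vendor names and their ratings are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed tolerance threshold: residual scores at or above it need action.
RISK_TOLERANCE = 9

# Assumed weight per BIA tier: tier 1 supports a critical function.
IMPACT_WEIGHT = {1: 5, 2: 3, 3: 1}


@dataclass(frozen=True)
class Vendor:
    name: str
    impact_tier: int         # from the Business Impact Analysis: 1 (critical) .. 3 (minor)
    likelihood: int          # constructed rating, 1 (rare) .. 5 (likely)
    has_addendum: bool       # vendor signed a cybersecurity addendum with minimum controls
    control_coverage: float  # share (0.0 .. 1.0) of baseline controls verified as effective


def residual_risk(v: Vendor) -> float:
    """Inherent risk (impact x likelihood) reduced by verified controls and a signed addendum."""
    inherent = IMPACT_WEIGHT[v.impact_tier] * v.likelihood
    mitigation = 1.0 - 0.5 * v.control_coverage - (0.2 if v.has_addendum else 0.0)
    # Never mitigate below 10% of inherent risk: a vendor that touches you is never risk-free.
    return round(inherent * max(mitigation, 0.1), 2)


def disposition(v: Vendor, tolerance: int = RISK_TOLERANCE) -> str:
    """Accept below tolerance; above it, critical-function vendors get focus, others get control."""
    if residual_risk(v) < tolerance:
        return "accept"
    return "focus" if v.impact_tier == 1 else "control"


def prioritize(vendors, tolerance: int = RISK_TOLERANCE):
    """Order the register so the first entry is the risk to address first."""
    ranked = sorted(vendors, key=lambda v: (-residual_risk(v), v.impact_tier, v.name))
    return [(v.name, residual_risk(v), disposition(v, tolerance)) for v in ranked]


# Constructed sample register (names and ratings are made up for illustration).
SAMPLE_REGISTER = [
    Vendor("monitoring-suite", 1, 4, True, 0.6),
    Vendor("hvac-remote-support", 2, 5, False, 0.0),
    Vendor("payroll-saas", 1, 2, True, 0.9),
    Vendor("office-whiteboard-app", 3, 3, False, 0.2),
]

if __name__ == "__main__":
    for name, score, action in prioritize(SAMPLE_REGISTER):
        print(f"{name:24s} residual={score:5.2f} -> {action}")
```

Note that the tier-2 HVAC vendor with no addendum and no verified controls ranks above the tier-1 vendor that has both, which is the point of scoring residual rather than inherent risk.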
After your security controls are in place, they must be tested. The effectiveness of your security controls impacts your supply chain risk management plan. Were your security controls effectively implemented, or is risk still seeping through?
You can’t be everywhere at once and you can’t know everything that is happening in your supply chain. How can you be sure your risk management plan is being successfully carried out? You must empower your management team to assess risk, take action, and optimize. This will improve how your organization handles its supply chain cybersecurity risk.
By now you should be noticing the improvement in your security posture. You have a solid grip on your supply chain risk and are ready to start seeing the benefits. Yet, it isn’t quite time to sit back and relax. By continuously improving your security controls, you can keep reducing your supply chain risk.
Establishing risk-based processes can help ensure the integrity of downloads and updates, lowering the chance of a breach as a result of your supply chain. It’s a process worth being strict about, even with trusted suppliers, like SolarWinds.
At Headstorm, we believe that security is something you live every day. Protecting everyone and everything in your organization requires engaging everyone and establishing effective and robust processes to increase your security daily.
Even in normal market conditions, it’s a challenge to keep current on cybersecurity threats and best practices. 2020 was anything but normal as cyber attacks grew in sophistication and quantity.
If you would like to discuss how various threats and risks are affecting the supply chain of businesses like yours, let us know how we can help. In the meantime, if you just need a better way to keep up with emerging threats and best practices, Headstorm’s Cybersecurity CxO Monthly Recap has you covered.