Supply Chain Cybersecurity

Introduction

Cyber risk has been an area of focus for boards and organizational leadership, but the scope is often limited to attacks against a company’s own IT infrastructure, people or data.

Threat actors are increasingly exploiting the path of least resistance in the supply chain to attack their real targets. While more large companies have built a reasonable cybersecurity posture, malicious actors still find easy ingress through abundant open doors in smaller suppliers.

Supply chain attacks have skyrocketed to the point where targeted companies are motivated to manage their own risk by managing the risk hiding in their supply chain.

 

How prevalent is cyber supply chain intrusion?

Data from the US Defense Industrial Base (DIB), shows the move from cyberattacks on prime contractors to their suppliers.  By 2018, all major DIB breaches involved suppliers in the intrusion.

This trend is not limited to the DIB. It is now happening on a large enough scale that suppliers are effectively being weaponized to attack their customers.

Since research from KPMG, Accenture, WSJ Pro Research and others support the data from the Department of Defense, we know that over half of all companies have poor cybersecurity. This gives the threat actors a pattern they can repeat again and again.

 

Are there other factors increasing Supply Chain cyber risk?

Other factors expanding both the attack surface and the consequences of a breach include:

  • Increased use of cloud services, which are often poorly configured and insufficiently monitored
  • Internet of Things (IoT) is driving more devices to connect to the Internet which can open more back doors
  • Mounting cybersecurity requirements in customer contracts and regulations mean successful breaches have much more severe consequences than ever before

What are some common Supply Chain cyberattack vectors?

Common attack vectors include:

  • A company’s Intellectual Property (IP) or other sensitive information is stolen from a supplier’s systems
  • A supplier is compromised allowing an attacker to have access to company networks, systems or data; alternatively, a malicious payload can be delivered through a trusted communication channel (i.e., Target Corporation)
  • A threat actor modifies a component that is sent to a customer, which is then incorporated into the product / service of the target company (i.e., SolarWinds)
  • A critical supplier is taken offline with a ransomware or denial of service attack, causing an interruption in the operations for their customer who may be the real target.

 

Which stakeholders should be involved?

Cybersecurity risk in the Supply Chain spans multiple functional areas including Procurement, Cybersecurity, Information Technology (IT), Legal, and Compliance along with the key groups specifying purchases such as Engineering and Operations.

Honing business process is the focus more than technology so a big success factor is to develop senior leadership buy-in across all the functions involved.

 

What’s the vision?

A mature program integrates cyber risk protocols into the full supplier risk lifecycle, creating a culture of cyber risk awareness throughout the business and the supply chain.

 

This could be overwhelming. How do we manage scope?

The SecuriThink approach is risk-based. We work with you to identify and prioritize your biggest risks and most critical suppliers.

We work in phases so the program can be scaled gradually over time unless there is a customer or regulatory deadline.

 

What are the key areas to address?

Foundational components include:

  • Identifying and prioritizing the highest risks and most critical suppliers first
  • Establishing senior stakeholder buy-in, usually at the level of the C-suite and Board of Directors
  • Education and awareness of the functional stakeholders involved and of the supply chain
  • Policies and procedures for cyber risk-aware decisions and consistent follow through
  • Contractual language that builds cybersecurity into the supplier relationship up front
  • Unless customer or regulatory requirements dictate otherwise, supplier assessments are usually very limited.

Are there technical components?

Supporting technologies may be used but are less critical than the business changes.

Examples of supporting technologies that may be considered include a cybersecurity ratings company to score suppliers or an application that makes it easier to track supplier risk profiles.

 

Why SecuriThink?

  • 5 years of experience justifying, creating, maturing and sustaining a Fortune 500 Supply Chain cybersecurity risk management program covering over 3,400 vendors
  • 50+ years combined experience on Fortune 500 mission critical projects requiring both tech skills and business savvy
  • 30+ years combined experience creating the technology business case for owners, Boards of Directors, and CxOs
  • 35+ years combined experience in cybersecurity and network engineering
  • 12 years Fortune 500 CISO experience
  • Pro-active stakeholder engagement – from front line team to senior leadership and owners – means low organizational noise and rapid implementation once support is aligned
  • Fortune 100 experience included smaller operational units so it scales to medium-size businesses
  • Nationally recognized experts accustomed to working globally

Want more?

Sources:

  1. National Defense Information Sharing and Analysis Center, NDISAC
  2. Image by PublicDomainPictures from Pixabay

What Else We Do

Step Zero™ Rapid Cybersecurity Cost Estimates

Step Zero™ Rapid Cybersecurity Cost Estimates

This unique approach, with a known range of verified accuracy, was first field-tested on 12 Fortune 500 Merger and Acquisition (M&A) deals yet it also supports data-driven investment decisions for cybersecurity compliance.

read more
Managing Up and Out™ Security Strategy and Education

Managing Up and Out™ Security Strategy and Education

Tap the 30+ years combined experience of our team to align stakeholders from Boards of Directors and C-suite to critical asset owners or front-line team members. Whether it’s a business case, strategy roadmap, or key presentation, we can cross-train, ghostwrite, or deliver on your behalf.

read more
CMMC Readiness

CMMC Readiness

Cybersecurity Maturity Model Certification (CMMC) is the evolution of cybersecurity contractual requirements from the Department of Defense (DoD) with which SecuriThink practitioners have been involved for over 10 years.

Our journey satisfying these requirements is the story of “how we know what done looks like” for cybersecurity as we state on our website homepage.

read more
SecuriThink Field-Tested Data Classification Solution

SecuriThink Field-Tested Data Classification Solution

Get higher returns on your project investment with a field-tested data classification solution based on two Fortune 500 projects involving 12,000 and 50,000 team members, respectively.

Our Data Classification Solution integrates technology with business transformation methods to manage factors too often left out of a security project. We leverage what’s already going well in your organization, while shifting to higher potential.

read more
SecuriThink Field-Tested OT / IT Integration

SecuriThink Field-Tested OT / IT Integration

Readily create dollars from Operational Technology (OT) data using our field-tested approach to Information Technology (IT) integration based on success at 42 facilities across 15 different business divisions

read more
Cultural Armour™

Cultural Armour™

Optimizing your company’s information security
Takes more than the latest technology
Or a staff trained to use it.
It takes a shift in thinking.
A shift in acting.

read more
Field-Tested Proactive Insider Threat Program

Field-Tested Proactive Insider Threat Program

Over 90% of most companies’ value now comes from intangible assets. In addition to Intellectual Property (IP), brand reputation, competitive advantage, supplier network, employee retention, and customer loyalty are measurably affected by cyberattacks. Research shows some of the most damaging losses coming from trusted insiders with malicious intent, also called Insider Threat.

The biggest gains come from proactive attention to Insider Threat, that is, don’t chase after the horse that’s gotten away, keep it from leaving the stable.

read more