Following several high-profile supply chain breaches, such as those experienced by Toyota, Atlassian, and DoorDash, organisations are becoming increasingly aware of the risks associated with third-party involvement. They are not alone in this concern – according to a recent survey conducted by BlueVoyant, 98% of executives reported that their organisation had suffered negative consequences due to supply chain breaches.
A supply chain attack can have serious implications for any organisation. Digital supply chains consist of vendors, suppliers, and other third parties with network access. Enterprises are only as secure as their weakest third-party link. Unfortunately, when cybercriminals exploit this weakness, it can trigger a chain reaction of security risks that have long-term negative impacts on a company’s finances, reputation, employee welfare, and customers’ personal data.
Outsourcing has become one of the fastest-growing security risks to an organisation’s sensitive data. However, few organisations have the in-house resources and expertise to effectively identify and monitor the cyber risks associated with third parties.
Below are five ways organisations can reduce their supply chain risk:
- Understand your vendors and the information they hold
Gain an understanding of which vendors have network access, which systems and data each of them can reach, and which vendors are critical for business continuity. To visualise the risk, draw a tree diagram of every interaction between your organisation and the elements of its supply chain, including the subcontractors your vendors themselves rely on. This gives you the full picture of supply chain risk and lets you track connections that are otherwise easy to miss.
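As an added illustration of that mapping (example code written for this article, not code from the original piece or from any vendor), the Python below builds the tree from a constructed vendor inventory and, going one step beyond the text, follows each vendor's own subcontractors (fourth parties) so that inherited reach into critical systems shows up too. It then reports which parties can reach a critical system and which grants are not operationally necessary. The vendor, system and function names, and the sample grants, are assumptions made up for the example.

```python
"""Vendor access map for the 'understand your vendors' step.

Added example, not from the original article. The inventory below is
constructed sample data; replace it with an export from the IAM, VPN and
procurement systems that hold the real grants."""
from collections import defaultdict

# Systems whose compromise would halt the business or expose personal data.
CRITICAL_SYSTEMS = {"erp", "payroll", "customer-db"}

# Each grant: a third party, the system it can reach, and whether the
# access is operationally necessary for the service it provides.
ACCESS_GRANTS = [
    {"vendor": "payroll-saas", "system": "payroll", "needed": True},
    {"vendor": "payroll-saas", "system": "customer-db", "needed": False},
    {"vendor": "hvac-contractor", "system": "building-mgmt", "needed": True},
    {"vendor": "hvac-contractor", "system": "corp-vpn", "needed": False},
    {"vendor": "analytics-vendor", "system": "customer-db", "needed": True},
]

# Fourth parties: who each vendor in turn outsources to. A subcontractor
# works inside its customer's environment, so it inherits that reach.
SUBCONTRACTORS = {
    "payroll-saas": ["cloud-host-a"],
    "analytics-vendor": ["data-labeling-co", "cloud-host-a"],
    "data-labeling-co": ["offshore-staffing"],
}


def parents_of(subcontractors):
    """Invert vendor -> [subcontractor] into subcontractor -> [vendors]."""
    parents = defaultdict(list)
    for vendor, subs in subcontractors.items():
        for sub in subs:
            parents[sub].append(vendor)
    return parents


def reachable_systems(party, grants=ACCESS_GRANTS, subcontractors=SUBCONTRACTORS):
    """Systems `party` can reach directly or through any vendor that
    outsources to it, walking up the chain (cycle-safe)."""
    parents = parents_of(subcontractors)
    direct = defaultdict(set)
    for g in grants:
        direct[g["vendor"]].add(g["system"])
    seen, stack, systems = set(), [party], set()
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        systems |= direct[p]
        stack.extend(parents[p])
    return systems


def all_parties(grants=ACCESS_GRANTS, subcontractors=SUBCONTRACTORS):
    """Every name that appears anywhere in the inventory."""
    parties = {g["vendor"] for g in grants} | set(subcontractors)
    for subs in subcontractors.values():
        parties |= set(subs)
    return parties


def critical_exposure(grants=ACCESS_GRANTS, subcontractors=SUBCONTRACTORS):
    """Every party (direct vendor or fourth party) that can reach a critical
    system, mapped to the sorted list of those systems."""
    report = {}
    for party in sorted(all_parties(grants, subcontractors)):
        hit = reachable_systems(party, grants, subcontractors) & CRITICAL_SYSTEMS
        if hit:
            report[party] = sorted(hit)
    return report


def unneeded_grants(grants=ACCESS_GRANTS):
    """Grants flagged as not operationally necessary: candidates to revoke."""
    return [(g["vendor"], g["system"]) for g in grants if not g["needed"]]


def revoke_unneeded(grants=ACCESS_GRANTS):
    """The inventory after revoking every grant that is not needed."""
    return [g for g in grants if g["needed"]]


if __name__ == "__main__":
    direct_vendors = {g["vendor"] for g in ACCESS_GRANTS}
    print("Critical exposure before revocation:")
    for party, systems in critical_exposure().items():
        tag = "vendor" if party in direct_vendors else "fourth party"
        print(f"  {party:18} ({tag:12}) -> {', '.join(systems)}")
    print("Grants to revoke:", unneeded_grants())
    print("Critical exposure after revocation:")
    for party, systems in critical_exposure(revoke_unneeded()).items():
        print(f"  {party:18} -> {', '.join(systems)}")
```

Run as a script it prints the exposure report twice, before and after the unneeded grants are removed. The point the sample data makes is that `offshore-staffing` never appears in any grant, yet reaches the customer database through two layers of outsourcing, and that revoking the payroll vendor's unneeded database access does not remove `cloud-host-a`'s reach to it, because that host also serves the analytics vendor.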
You may be able to reduce the data and access given to third parties where it is not operationally necessary for the service they provide.

- Continuously monitor third-party vendors
Ongoing, multifaceted monitoring and assessment of your vendors is vital, because supply chain cybersecurity threats change over time and a point-in-time questionnaire quickly goes stale.
When weaknesses and security vulnerabilities are identified, remediation must be quick and effective, with actionable instructions. The best way to achieve this is to work with your third parties directly, or to have an outside vendor work with them on your behalf. It is not sufficient to trust vendors to handle their vulnerabilities on their own: a nudge from a client, or from an outside vendor acting for the client, pushes organisations to remediate sooner, improving both the time to remediate and the share of vendors that actually fix a vulnerability or misconfiguration.

- Create a multifaceted supply chain security strategy
Supply chain attacks can have various objectives, including ransom, sabotage, and intellectual property theft. These attacks can take many forms, such as malicious code injections into legitimate software, hijacking software updates, and attacks on IT and operational technologies.
Supply chain attacks can exploit vulnerabilities in:
- The physical flow of assets — including processing, packaging, and distribution processes.
- The virtual flow of data or software — all virtual flows across connected systems and devices.
As cyberattacks increase, supply chain leaders need to coordinate with security and risk management leaders to understand these threats. All leaders should work together to jointly manage supply chain security risks.
- Manage remote work endpoint risk
As more people work from home, the number of exploitable endpoints grows. Work done from a supplier's remote telework environment adds further risk, because the supplier's staff are left to manage the physical and logical security of endpoints in locations outside the reach of established enterprise monitoring services.
As a result, organisations are exposed to risks caused by the unauthorised or careless behaviour of their supplier's employees. Common risks include lost or stolen devices, sensitive data downloaded to a device without offline protection, shadow IT applications, and malware such as keyloggers or other persistent threats introduced through untrusted files.
Traditional security tools, like virtual private networks (VPNs) and virtual desktop infrastructure (VDI), cannot on their own mitigate these threats, because they rely on the end user to follow security policy before and after connecting to the secured network; a compromised or non-compliant endpoint still connects. Organisations and supply chain leaders must therefore monitor how remote employees actually use their devices to protect the supply chain.

- Rotate passwords and credentials of all employees
If your organisation is compromised, take steps to prevent it from happening again. Ensure that the passwords and credentials of all employees are changed as quickly as possible, and do not stop at user passwords: the service accounts, API keys, tokens and shared secrets that were issued to, or held by, the compromised vendor must be revoked and reissued as well, since those are the credentials a supply chain attacker most often reuses. Make sure that employees undergo rigorous anti-phishing training to mitigate the extended risk. These awareness campaigns should cover multiple types of communication so that employees are protected against both corporate and personal phishing attacks.
Instituting a basic cyber hygiene routine as a standard within your organisation will also help mitigate and prevent many risks.