Security threats within the supply chain have been a concern of purchasing, information security and risk and compliance teams for many years. What's new is the rapid increase in targeted attacks on a less well-defended area for most corporations -- the confidential data now commonly shared with supply chain vendors and partners.
In research released in 2013, the Information Security Forum (ISF) found that, “of all the supply chain risks, information risk is the least well managed,” and that, “forty percent of the data-security breaches experienced by organizations arise from attacks on their suppliers.” The Target breach began with a simple login to its corporate network—a login seen as normal by its security systems because the user name and password were valid. The problem, of course, was that these login credentials were stolen—yet they were also authorized for access, so they went unchallenged by Target's authentication system.
Consider the fact that the recent Dragonfly/Energetic Bear hack of U.S. and European energy companies began with a spear-phishing campaign against senior employees in energy sector companies. Those senior employees took the bait and enabled the hackers to compromise legitimate software used by industrial control system (ICS) manufacturers, inserting malware into software updates sent from the ICS manufacturers to their clients.
Everyone involved with vendor management — from legal and risk/compliance teams to information security and purchasing specialists — should now develop a common, collaborative security strategy (or program) that includes layering new protections onto processes and policies to defend against information risk in the supply chain. Adding the following practices to your existing security controls can help you collaborate productively for a targeted approach to supply chain cybersecurity.
Map locations of sensitive data: Collaborate across all relevant teams to determine which data—intellectual property, employee records, financial information, credit card data — is considered sensitive by your organization. Security teams should audit for all locations of that sensitive data on your network, as well as for the locations of copies of that data that may be accessible to members of your supply chain.
Evaluate risk by vendor: Assess and rank vendors and partners with access to your network—or any who retain copies of your data—according to their risk to information security. Two helpful templates for this are the annotated ICT Supply Chain Risk Management Plan Template in NIST guideline Appendix H and the ISF Supply Chain Information Risk Assurance Process template.
Employ an information security survey: Incorporate a simple survey of standard information security measures early in the process of on-boarding a supply-chain partner, and request information on its incident response and business continuity plans. If the partner will not reveal such details—or doesn't have such plans in place—it's up to you and your legal team to determine what other forms of reassurance would be sufficient. This survey should be reintroduced during any subsequent contract-renewal process.
The results can assist you in ranking your vendors and suppliers based on the degree of risk each represents. Once your ranking is complete, it can serve as the basis for a tiered approach to partnership agreements, as well as to the level of network and/or data access you grant each one and the security controls they are expected to put in place.
Build security assurances into vendor/partner agreements: Advise your legal team to add a corporate data security and incident response policy into vendor agreements and to stipulate compliance with them.
Add depth and breadth to basic security practices: Recommended protections include network segmentation, multi-factor authentication, and strong passwords, but the ability to receive alerts on anomalous endpoint activity is now critical, too. This capability should be established at least on those network endpoints that store confidential information.
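The Target intrusion described above succeeded because a stolen vendor credential was valid, so authentication alone raised no alarm. The following added example (not from the article or any vendor product) shows the kind of baseline check an alerting rule can apply to vendor-account logins: the log format, account names, networks and segments are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass
class VendorBaseline:
    """What 'normal' looks like for one vendor account (values below are constructed)."""
    source_nets: list   # networks the vendor usually connects from
    hours: tuple        # (start_hour, end_hour): usual working window, end exclusive
    segments: set       # network segments this vendor's tier is allowed to reach

BASELINES = {
    "hvac-vendor": VendorBaseline([ip_network("203.0.113.0/24")], (7, 19), {"facilities"}),
    "payroll-svc": VendorBaseline([ip_network("198.51.100.0/24")], (6, 22), {"hr"}),
}

def parse_line(line):
    """Constructed log format: '<iso-timestamp> <account> <src-ip> <segment> <result>'."""
    ts, user, src, segment, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": ip_address(src), "segment": segment, "result": result}

def check_event(ev):
    """Reasons a successful login is anomalous; an empty list means it fits the baseline."""
    if ev["result"] != "SUCCESS":
        return []  # failed attempts are covered by lockout rules, not by this check
    base = BASELINES.get(ev["user"])
    if base is None:
        return ["no baseline: account is not a registered vendor account"]
    reasons = []
    if not any(ev["src"] in net for net in base.source_nets):
        reasons.append(f"source {ev['src']} is outside the vendor's usual networks")
    start, end = base.hours
    if not start <= ev["ts"].hour < end:
        reasons.append(f"login at {ev['ts'].hour:02d}:00 is outside the usual hours")
    if ev["segment"] not in base.segments:
        reasons.append(f"segment '{ev['segment']}' is not allowed for this vendor tier")
    return reasons

def alerts_for(log_lines):
    """Map each anomalous log line to its reasons; valid credentials alone do not clear it."""
    return {line: r for line in log_lines if (r := check_event(parse_line(line)))}

SAMPLE_LOG = [  # constructed sample lines
    "2024-03-04T09:15:00 hvac-vendor 203.0.113.7 facilities SUCCESS",  # fits the baseline
    "2024-03-04T02:40:00 hvac-vendor 192.0.2.44 finance SUCCESS",      # valid password, wrong everything else
    "2024-03-04T10:05:00 payroll-svc 198.51.100.9 hr FAILURE",         # failure: out of scope here
]
```

Running `alerts_for(SAMPLE_LOG)` flags only the second line, with three separate reasons, which is the signal a valid-but-stolen credential leaves behind once segmentation and a per-vendor baseline are in place.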
Consider cyber “war games” training for vendors and partners: This does not have to be elaborate or time-consuming to be effective. Your team can create tests and exercises that require every stakeholder from security, legal, human resources and vendor teams to practice the critical steps in incident response after a breach has been detected. One highly informative exercise involves sending a fake “phishing” email that appears to be from someone known to the recipient to test your organization's and your vendor organizations' security habits and awareness. Do they click the link in the email that says, “Your CEO Robert asked us to confirm this with you. Just click the link…”?

Working together, every department and manager involved with the supply chain and partner organizations can build a safer environment for supply chain operations. Doing so before a cyber attack or accidental data breach occurs can close a critical gap in your organization's security posture.