With cybercriminals targeting vulnerable third parties and partners, companies must look to close the backdoor, writes Rob Batters
A supply chain has become, over the past ten years, an increasingly complex web of interconnectivity between partners. This information sharing reduces cost and inventory levels and boosts profitability with the IT function playing an ever-greater role.
However, this has come at a cost. Cybercriminals are increasingly targeting this interconnectivity to gain access to companies through the backdoor. The nature of information sharing means that cybercriminals do not have to try and gain access to their primary target directly. Instead, they can identify vulnerabilities within a supply chain to get to the target infrastructure and data.
This approach has seen high profile successes for cybercriminals including SolarWinds hack, which saw a huge number of high-profile organisations compromised, British Airways, Microsoft Exchange Server and many more examples.
The role of trust in supply chain management
Much is written about the role of trust in supply chain management and some of this is based on perception rather than hard fact. There are a couple of examples:
- It is often assumed that every member of a supply chain is competent to deliver the tasks it says it can. Some reassurance can be secured from referees, but ultimately, partners are asking for a company’s trust
- A successful chain has to be based to some extent on the fact that the integrity of every member is taken as a given and that they will fulfil their promises. This is based on experience, and whilst this is good past performance is no guarantee
There are not many elements of business where such intangible measurements can be accepted. As we have seen these measurements are no longer enough to ensure that your supply chain partner is looking after your data in the manner you have the right to expect.
It also goes deeper than this. The interconnectivity of supply chains means that it is not just your immediate partners you have to worry about, but also those down the chain who, if their security is not up-to-speed, can inadvertently leave the backdoor open to your own infrastructure.
In the current climate and with cybercriminals becoming increasingly sophisticated in their approach and methods, there have to be better and more comprehensive approaches to securing supply chains.
Auditing supply chains
The trust in the supply chain is often based on questionnaires and surveys sent out at the beginning of relationships. Asking a potential partner about their IT security practices makes sense from a practical perspective however, companies have to be aware of their regulatory requirements too. If your partner is working with your data in any way then according to GDPR, they are your Data Processor.
This means that a simple self-certification in a spreadsheet questionnaire is no longer acceptable. Not everyone has the time to sit down and examine everyone else’s security systems in fine detail so while questionnaires still have their place in supplier governance, they do not offer a true reflection of the state of a partner’s IT practices and cyber-defence capability. Having the right to audit their IT service as part of a contract is really something that companies need to have implemented. It might be that it is never chosen to be used, but simply having the right to perform an audit that requires the production of some form of evidence will concentrate the mind of potential and existing partners.
Gaining a 360-degree view of supply chain vulnerabilities
So, alongside a more rigid examination of potential partners’ IT systems and security protocols what else can companies do to ensure that there is a consistent comprehensive, ongoing view of vulnerabilities within supply chains?
Education continues to play an important role in any anti-cybercrime strategy. Whatever the route into a company’s infrastructure and data it very often begins with the mistake of a staff member. As well as outlining what the latest tactics being implemented by cyber criminals look like, some anti-phishing solutions not just filter emails, but also send out in-mail alerts to educate the end-user about the likely veracity of their emails.
As well as stopping the threat at source, gaining a 360-degree view of the potential vulnerabilities within your supply chain before they are exploited is going to be an increasingly important approach. There are AI-powered software solutions that give companies exactly that. They can provide a company a view of not just their own security but also their entire supply chain, end-to-end, giving them insight into possible vulnerabilities which otherwise might be missed.
This allows companies to have an informed discussion with partners to help close gaps in security. With this information, companies can also be confident that with the vulnerability closed they are adhering to regulation too.
Trust remains an important factor in any business relationship. However, with the consequences of a cyberattack now so huge, companies can no longer rely on trust as an assurance of good cyber-defensive strategies throughout a supply chain.
Without an ongoing, intelligent view of all the possible vulnerabilities throughout a supply chain it is almost impossible for companies to be fully secure. With partners, inadvertently offering cybercriminals an entry through the ‘back-door’, companies have to do more to close supply chain weaknesses. With a 360-degree view there can be a confidence that you are as secure as possible and adhering to an increasingly complex regulatory landscape.