Cyber Security the weakest link article originally published by, and permission to publish here provided by, Jason Rosing at http://veridiansol.com .
We all know how important cybersecurity is now that technology powers commerce in such a significant way. But if you perform work as part of a supply chain, you know that the stakes are especially high.
Given that you’re part of a network of providers, vendors, transporters and managers, the impact of the weakest link in the supply chain cybersecurity “chain of custody” can be significant.
Why Supply Chain Cybersecurity Is Essential
It doesn’t matter which type of service you perform or which varieties of product you manufacture or help move. Cybersecurity is everybody’s problem and everybody’s responsibility. As technology cements its place in our industrial and personal lives, the security of our networks, as well as our personal and corporate data, has become central to several sectors:
- Military contractors must abide by guidelines like ITAR (International Traffic in Arms Regulations) and others, which help vouchsafe sensitive military data in third-party hands.
- Healthcare providers are bound by HIPAA, which helps ensure the ever-more-digital world of patient records is kept safe and away from prying eyes.
- Some service- and commodity-based organizations are required to, or can at least benefit from, requiring partners to keep SSAE (Statement on Standards for Attestation Engagements) and SOC (Service Organization Control) reports, which is especially helpful for maintaining compliance, availability, privacy and confidentiality for supply chain partners who store data in the cloud.
Taking cybersecurity risks seriously in supply chain is imperative because what’s really at risk isn’t necessarily something with a fixed, one-time value. Merchandise can be replaced. What’s at stake is quite often the key to your remaining profitable at all. You stand to lose vital organizational and client data, intellectual property and trade secrets. In some cases, you’ll be held responsible for damages if formal laws and guidelines apply.
According to the U.S. Department of Commerce’s “Resilience Project,” the primary mission when it comes to hardening the supply chain in any industry against cyber-threats is a three-pronged attack: “Anticipate, Mitigate, Improve.” Critically, each of these three parts must happen in concert and, ideally, before you actually have to deal with a loss of data.
Here’s a crash course in holding your supply chain partners, and yourself, to higher security standards and fixing the weakest link:
- Familiarize Yourself With Industry-Specific Regulations
We’ve mentioned some of the official guidelines and regulations that have appeared in recent years, but our supply chains have regulations of their own — particularly when you operate in critical areas like foods, beverages, medicines and vaccines, medical devices and other biotechnological and pharmaceutical interests. The integrity of the data associated with these goods is critical, which is why cloud providers find themselves bound by ever-stricter guidelines.
These guidelines give you a good basic benchmark for supply chain cybersecurity in your specific industry and might make you ware of threat vectors you didn’t know about. But it’s up to you to go above and beyond.
- Determine Which Vendors Have Access to Your Network
Simply doing business with multiple parties at once opens you to certain types of risk, but one of the most preventable is unauthorized or unnecessary access to your network and assets. Vendors and other actors within the supply chain naturally share digital properties and call upon much of the same data, but your supply chain can’t be hardened against supply chain cybersecurity risks until you’ve first determined which parties have access, and the level of their credentials and privileges.
Malicious — even unintentionally malicious — actors within your organization might have unsecured or unlimited privileges, too, which is a risk vector which has contributed to substantial financial losses for private enterprise over the years.
Think of this as the industrial equivalent of leaving the password to your home PC’s administrator account on a post-it note on your desk. You’ll likely have to share that credential with another party at some point, but revoking access from parties who no longer need it closes a vulnerable backdoor you might’ve otherwise forgotten to close.
- Create Cross-Functional Roles and Teams to Oversee Risk
Believe it or not, we’re already in the process of moving beyond one-size-fits all Security Officers or Risk Managers. That’s the word from the National Institute of Standards and Technology. Instead, they call for the creation of cross-organizational teams and specialists who know how to answer specific risks as they apply to each of your business partners and processes.
For example, some parties within the supply chain might have a greater likelihood of encountering counterfeit products or might have stricter requirements for the onboarding of new vendors and contractors. As risk becomes more uniformly dispersed across your organization, so too must your capabilities to respond when the worst should happen.
- Be Explicit About Security Requirements in Your Contracts
The importance of proactive measures cannot be overstated — and outlining your expectations as you enter into business with new supply chain partners is an obvious first one to take.
Don’t be afraid to use specific language and even create legally-binding documents with the help of an expert to make sure each of your partners knows exactly what is expected of them when it comes to how they access and handle your data and that there’s legal recourse in place if they fall short.
- Monitor Your Technology Providers and Other Partners
None of the supply chain best practices out there are particularly useful without some old-fashioned checks and balances. To put it another way, you don’t just need expectations and guidelines — you need a way to make sure each of your third-party partners is following-through by continually monitoring their performance.
There are ready-made solutions out there as well as best practices as described by bodies like the Federal Computer Security Program Managers’ Forum. The ultimate goal of each continuous monitoring solution is the same:
- Maintain awareness of emerging threats and vulnerabilities
- Establish communication protocols between partners within the supply chain
- Analyze organizational risk on a sufficient-enough frequency to guard against new risks as they appear and to make changes as needed
- Proactively evaluate the likely effectiveness of your risk responses to new threats
- Evaluate recent changes, and propose new ones, for physical and digital infrastructure
Naturally, continuous monitoring of your operations and those of your supply chain partners will help keep you measure your performance against regulatory action at the state and federal levels as well as new requirements within your specific industry.
Seek Constant Improvement for the Weakest Link
We’ve talked about some of the “top-down” fixes for mitigating supply chain cybersecurity risks, including federal regulation and industry-specific guidelines. But each company is unique and has its own needs, which might make your particular approach unique. For instance, some companies are exploring Blockchain-powered solutions such as “smart contracts,” which aren’t contracts at all but rather bundles of code that automatically execute commandswhen requirements are met by one or both parties.
The point is, the future holds all kinds of exciting solutions for the problems we’ve gone over here. Keep yourself aware, knowledgeable and up-to-date on the wider world of supply chain cybersecurity and then think outside the box to apply your findings to your niche and your place of business, and address the weakest link.