By definition, a supply chain is the network of all the individuals, organizations, resources, activities and technology involved in the creation and sale of a product. In only a few rare cases does one organization have full control over every step in the entire process. The links in such a supply chain often work closely together, sometimes so much so that they have access to parts of each other’s systems.
Although it is important to guard every aspect of your supply chain to avoid disruptions, for the scope of this article we will focus on the cybersecurity element of it.
From a security perspective, it's imperative to choose your partners wisely. An organization's security posture is its readiness and ability to identify, respond to and recover from security threats and risks. If you are the one paying, you can often make demands about the security posture of the partner, but the other way around is usually much harder.
We probably all know the compliance audits that are the result of these demands. And it makes sense we do not wish to fall victim to the mistakes made in another organization that we have no control over. It’s usually more than enough to worry about the processes we need to control inside our own organization.
Compliance with security protocols and legal regulations like FedRAMP and SOC2 (System and Organization Controls) may not just be mandatory for your own organization. More often than not it also needs to be enforced outside your organization with all the vendors in your software supply chain. In these cases, demonstrating vendor compliance will keep your internal organization from facing fines and penalties.
But it’s not just the partners that you work with to create the end product. There are also vendors that we use to get the work done, like software, infrastructure, and services. The more organizations are using a particular software package, the more appealing an attack vector that software becomes. As a few reminders, remember Log4Shell, the MOVEit vulnerability that was exploited by ransomware operator Cl0p, or the SolarWinds attack.
Similar attacks will continue to surface time and again and if there is a lesson to be learned it’s not to rely on the security provided by the supplier, but always keep security in mind when we decide whether and how to use something provided by a third-party.
Having a complete understanding of your vendors’ security practices is an important component of cybersecurity and supply chain risk management. So, in a supply chain your security posture is definitely a selling point and can be used as such. A partner that has their security in order has every right to emphasize that.
Regardless of the varying needs based on your organization and your place in the supply chain, here are some tips that are worth considering to avoid being the weakest link:
- Make an inventory of the data you need to keep safe, along with who has access to what, in order to give you a complete understanding of your needs.
- Then make an inventory of your software and hardware products and their weaknesses. Based on that inventory, you can decide whether to use network segmentation in order to keep the sensitive data separated from the parts that need internet access.
- Use the cloud carefully. Organizations of all kinds are increasingly reliant on cloud computing. This is for good reasons, but it does complicate security, given the recent malicious targeting of cloud computing environments. So, it might be a good idea to use the cloud only for variably sized elements and have the fixed parts under your own control.
- Connect your internal team with your organization’s third-party partners and vendors. Work together to identify major risks and potential damage to your organization, as well as plans for mitigation. Make sure there is an actionable incident response plan with a clear division of roles.
- Trust is good, regular checks or constant monitoring are better. Strictly limit access to those that really need it, and deploy the rules of least privilege. Monitoring will also turn out to be helpful in case of an attack to help you backtrace the origin.
- Secure valuable assets with advanced encryption, both in storage as well as during transfer.
- Consider penetration testing and/or a bug bounty program to check your security measures. A bug bounty allows organizations to continuously test the security of their systems, whereas a penetration test is an assessment of the security level of an asset at a given point in time.
- Look at best practices. In 2021, NIST (National Institute of Standards and Technology) shared a report on best practices that can help keep you and your business safe by using its framework for cyber supply chain risk management or C-SCRM.
Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.