Supply chain attacks aren't anything new, but threat actors continue to find new ways to breach networks. The 2013 Target breach and more recent NotPetya, Trisis, and Wipro compromises serve as not-so-gentle reminders that supply chain attacks are damaging and costly and present many risks to both businesses and their suppliers.
In the past 20 years, we've also seen a significant movement to disperse supply chains outside national borders. With this globalization comes many supply chain risks—risks that go beyond just cyber attacks and demonstrate a need for stronger operational resilience.
The fact is, the more secure an organization is, the more attractive its supply chain becomes to attackers. Attackers want to find the easiest pathway to get into the network, so often it's the supplier who has an exploitable vulnerability that can get them full access into the original target's network.
If a company is not protecting its own network against basic threat actors, doing its due diligence to properly patch, and holding its suppliers accountable for securing their own networks, it has no hope of protecting against nation-states or more capable threat actors. This is where third-party testing comes in handy to trust and verify your suppliers.
Organizations must know what's in their firmware and ensure there are no counterfeit hardware components. They need to verify what they cannot trust, including components from a third party. Even if you trust a vendor, there's always the possibility of a compromise farther up the supply chain. To combat this, take a holistic view of the entire supply chain and try to identify the weakest links, rather than only focusing on one risk to manage.
Here are eight steps you can take to build a supply chain security program:
1. Know your suppliers and look upstream as well as downstream. Start with your tier one suppliers and then identify tier twos and others. Take full inventory of who you do business with so you can identify any weak links.
2. Conduct a risk assessment. Once you've identified all your partners, properly assess each one's cybersecurity posture so you know the risks they may pose to your organization. You must consider where each device or component was built and who exactly built it. Is there a possible backdoor or counterfeit part? Or is it just the more-likely software quality issues that can result in a breach?
3. Utilize third-party testing. Hire a third-party firm to test your systems, and those of your suppliers, to provide actionable results on what you need to fix first.
4. Scan and patch all vulnerable systems. Do this regularly.
5. Teach employees about the importance of using strong passwords. Also teach them not to recycle passwords across accounts.
6. Ensure your staff has set up multi-factor authentication everywhere possible.
7. Conduct regular security awareness trainings. Teach employees how to identify phishing scams, update software, and become more security-conscious.
8. Harden the security of the devices connected to your networks.
Consider all potential disruptions and ways to build and design your supply chain to keep it operational in the face of foreseeable and unforeseeable challenges. If the suppliers you deal with directly are required to have a supply chain security program and they expect the same of their suppliers, this will create a far more resilient supply chain of higher integrity.