Usually, when people hear about cybersecurity and data breaches, they think of high-profile attacks that have made global headlines in recent years. However, supply chain cybersecurity issues often don’t get much attention, yet the stakes are high due to all of the interconnected players: from transportation and distribution, to procurement and manufacturing.
With supply chain, all of these players have different networks that need to communicate with each other, but they might have different security policies or be using legacy equipment, for example. Also, with an increased focus on the Industrial Internet of Things (IIoT) for supply chain management, supply chains and manufacturing assets have become a target for malicious hackers who could, for example, access your network through an office printer.
You Must ‘Assume Breach’
Thinking of supply chain from end-to-end in terms of security standards, integration, policies, and best practices often seems to be stuck in the status quo of years ago – so things like compliance, for example, are no longer an effective cybersecurity strategy. Even firewalls are no longer as effective as they used to be thanks to cloud adoption, IoT products and mobile devices.
The reality is that cybersecurity has almost quietly become the great equalizer and we’ve all been in – or will be in – the crosshairs of a breach. It’s the simple truth and is actually what is called an assume breach mentality, where it’s a case of ‘when’ and not ‘if’ get breached. That’s a major, critical shift in overall strategy and approach from years past.
Flat Networks Are Good… and Bad
Networks have become what the industry calls ‘flat’ – think of your network as east-west, where applications and data are on a level playing field and are all talking to each other, sharing information, and making everything more efficient because of it.
However, there’s a catch – the strength of a flat network is also its weakness. They are hyper-connected, so it’s become easier for cyber-criminals to sneak into your network through something as seemingly inconsequential as a printer, and move around laterally – sometimes going unnoticed for months and months – until the attackers reach the high-value assets they’re after.
Five Steps to Assessing Your Cyber-Supply Chain
The flattening of the IT world has led to the creation of the cyber-supply chain – one with several moving parts that need to be secure. Here are five initial steps to ensure your cyber-supply chain is in good order:
- The first step is an absolute must: prioritize! Gather together all key stakeholders and identify your organization’s high-value assets – you’d be surprised by how many companies don’t know what they are or how to prioritize them
- Evaluate how your cyber-supply chain is connected or related to these high-value, ‘crown jewel’ applications – what current security measures are in place and where?
- Identify partners/vendors who have direct – or almost direct – access to your network or data center (i.e. what specific applications) and to what extent
- Assess the cybersecurity policies and strategies of third party teams that handle sensitive data to understand if/how they store, manage or manipulate it and within which environments
- Identify potential solutions that are available and consider segmentation technology, which falls in line with an assume breach mentality by compartmentalizing and isolating threats once they’re inside the network
Once you have gone through this checklist, determine what is the best way to audit your suppliers and vendors. There are several standards out there with ISO 9000 being the most widely known to define, establish and maintain an effective quality assurance system.