You Had Me at Supply Chain Cyber Security
As Valentine’s Day rapidly approaches, one of the best gifts your organization can give your partners is to increase your focus on supply chain cyber security. Why? Supply chain security planning is a gap in many cyber security programs and is cited as one of 2023’s top cybersecurity threats by Gartner. With criminals leveraging supply chain cyber security vulnerabilities to worm their way into every integrated partner and connected environment—one breach can create a domino effect and result in hundreds or thousands of breached environments.
2023 supply chain data breaches have already begun. We’re not even 45 days into the new year, and Google Fi’s customer cell data was compromised through a supply chain vendor breach (which many believe was T-Mobile) that has enabled SIM swapping attacks. In addition, the US No-Fly List was also reportedly compromised through a third-party airline’s misconfigured server. But let’s not forget what caused the most extensive supply chain breaches of all time: the Log4j vulnerability. It left organizations such as SAP, Apple, Tesla, VMware, Cisco and many others scrambling to patch their own software and roll out fixes for their products. The Log4j vulnerability is especially concerning because Log4j is a commonly used Java-based logging library that is incorporated into many software programs; you may not even know whether the products or software you use are affected unless your supplier or partner tells you.
Log4j Pushed FTC to Crack Down on Security
The consequences of supplier exploits increased after the historic Log4j supply chain impacts. The FTC warned that organizations MUST take reasonable steps to secure customer data from the Log4j vulnerability and other known vulnerabilities or face potential legal action. In today’s digital world, where every organization uses myriad software programs, web apps, and cloud platforms, and may even integrate directly with partners’ systems, partners and vendors are a crucial part of every organization’s cyber security. Supply chain cyber security is like a paper chain of hearts: each connected piece depends on the others.
Reduce Your Supply Chain Cyber Security Risks
Due to the interconnected nature of the supply chain, we all have to work together to reduce supply chain risks. So how can you limit your organization’s exposure and the risk to your partners?
- Start with an inventory of which partners have access to your environment and of the software and/or systems your organization uses. You can’t secure your environment until you understand your exposure.
- Limit access. You can cut down on your work and your supply chain cyber security risks by limiting suppliers’ access to your IT resources and sensitive data. Often, suppliers have more access than they really need and consequently pose more risk to your organization than necessary. Conduct a review of supplier access at least annually, and limit access to the minimum necessary for them to get the job done.
- Establish clear, documented standards for your own organization and your suppliers. Common frameworks such as ISO 27001 or the NIST Cybersecurity Framework are excellent starting points for establishing baseline standards. You can also download this supply chain security checklist to help provide a framework for your program.
- Set out cyber security requirements for vendors in your contracts to ensure mutual understanding and commitment. Also, when necessary, document requests for improvements and set a deadline. Make it a contractual requirement that ALL your vendors and partners provide you with timely notice if they are impacted by a breach or a major exploit.
- Vet your vendors routinely, both during the new vendor selection process and at regular intervals. Ask your suppliers/prospective suppliers about their security and ensure that they meet your standards.
- Ensure that your suppliers are actively vetting their own supply chain (fourth- and even fifth-party risks are real and have led to many data breaches and cyber security incidents). The NIST Cybersecurity Framework includes a subcategory for supply chain risk management (ID.SC); suppliers that use this as their controls framework will have a good foundation for implementing their own vetting programs.
- Involve key suppliers in your response planning. Establish a strong understanding of the cyber security processes for each of your key suppliers and create joint action plans in case of an exploit or incident. This process can identify and close potential gaps, as well as provide a framework that speeds response in case there is an incident (you could even involve them in your tabletop incident response exercises).
- Get vendor buy-in on standard software vulnerability management processes, such as the timely application of critical software patches. As criminals target supply chain cyber security weaknesses, limit your exposure with a strong patch and update management program. Quickly applying security updates can decrease your risk of supply chain software breaches.
Successful Vendor Vetting, One Step at a Time
Vetting your vendors can seem like a daunting challenge, but by taking an efficient, methodical approach you can make it manageable. Whether you conduct vendor vetting in-house, outsource it, or automate it with the support of software programs, this is a crucial part of reducing your risks. Remember: aim for progress, not perfection. Focus on documenting your processes, creating templates, and establishing more consistent vendor security review routines. Here are a few key tips for breaking the problem down into manageable pieces:
- Assign responsibility for vendor vetting to one individual or team. Ensure that there is a point person or team responsible for documenting, overseeing internal and external communications, reviewing responses, and determining next steps for your program.
- Prioritize vetting your suppliers based on their access to your sensitive data and/or network resources. Identify suppliers that store or process sensitive data on your behalf or have a high degree of access to your IT resources. Focus on vetting these organizations first.
- Establish a standard cyber security questionnaire. This will streamline your process and ensure you get the information you need to make informed risk decisions.
- Set a clear timetable for vendor reviews and responses. Remember, it’s not enough to review a supplier once—you need to regularly check your supplier’s risk profile, especially since the cyber security threat landscape is constantly changing.
- Give your suppliers a deadline for notification and response so that you can coordinate your own response and public relations efforts. Ensure that your responsible person/team tracks and follows up with all notifications.
- Request third-party security assessments. If you’re pressed for time or resources, note that some suppliers already undergo their own third-party security assessments. This is particularly true of suppliers that support customers in highly regulated industries, such as healthcare or financial services. Proactively ask to see summaries or evidence of annual cyber security reports, such as penetration testing results, risk assessments, SOC 2 assessments, etc. If the supplier cannot or will not provide a report, or at least a summary or letter of attestation, consider that a red flag.
- When a major exploit is announced (like Log4j), proactively check with your high-priority vendors to ensure they are applying the appropriate updates. Read this article on patch management for more details and advice.
This February, show your customers and supply chain partners some love by strengthening your supply chain cyber security. We hope you found these tips helpful to start or grow your supply chain security program. With supply chain attacks offering the opportunity to breach numerous environments, criminals will continue to seek and exploit this method of attack.
Contact us if you need help creating strong supply chain cyber security policies or vendor vetting programs. Our expert team can help ease your workload and ensure your policies incorporate the latest best practices for a wide range of cyber security services.