5 keys to protect your supply chain from cyberattacks

Cyberattacks on supply chains continue to increase as criminals and state-sponsored hackers look for vulnerable prey. As the SANS Institute points out in a recent report on successful patterns for supply chain security, a number of high-profile incidents demonstrate the importance of creating or upgrading supply chain security.

• In April, Wipro, an outsourcer for many US companies, had its trusted networks compromised and used by threat actors to launch cyberattacks on the Indian firm’s customers.
• In May, Adobe’s Magento e-commerce platform and other third-party services in more than 7,000 business applications were compromised resulting in the theft of passwords and other sensitive information from a number of companies, including Ticketmaster.
• In May, a third-party contractor exposed sensitive credentials to the internal servers of the Universal Music Group, putting at risk sensitive information stored on those servers.
• In July, the UK’s Information Commissioner imposed a $230 million fine on British Airways — 1.5% of its 2017 net sales — after a malware infection at the airline’s website and on its app diverted sensitive information of about 500,000 customers to a malicious website.

“Supply chain security became more important to CISOs about four years ago when cybercriminals started going after the supply chain as a way to getting to a main target,” explains SANS Director of Emerging Trends John Pescatore, author of the report. He says that supply chain security has gained more notoriety recently because Russian and Chinese attacks on supply chains have stoked media interest in the subject.

“Threat actors increasingly prefer exploiting the defenses of third-party vendors and subcontractors because oftentimes these entities are leaving their door ajar to hackers,” adds Armond Çaglar, a principal at the Liberty Advisory Group, a consultancy based in Chicago.

The SANS report identified five key components to an effective supply chain security program:

1. Find a supply chain security champion

Security must have a champion in the management chain responsible for supply chain decisions to ensure that security is involved at some level above greenfield, the SANS report noted. That white knight might be a board member, CEO, COO, CIO or head of procurement. Cultivating a champion requires a CISO or security manager to develop trust and credibility with management and then collaborate with them, as opposed to trying to issue security dictates.

Çaglar notes that the champion needs to be perceived as being credible by the decision-makers above him or her and should have a seat at the table with other executive stakeholders. “Without such internal political power, and when faced with traditional resource and budget constraints that plague most business units, a proper supply chain program can be relegated as just another cost-center where risk mitigation efforts will become sidelined,” he says.

Not only is it important to have a champion, but to have the right champion, adds David Dufour, vice president of engineering at Webroot, a maker of software to protect computers from viruses, malware and phishing attacks. “The proper champion for supply chain security should have a deep knowledge of security, but whose focus is not security-centric,” he explains. “They must take into account business considerations as well and develop a holistic process.”

SANS’s Pescatore acknowledges that for larger companies with a mature security posture, a champion might not be needed. “Large companies don’t need a champion as much as IT and IT security need to demonstrate they can do supply chain security at the speed of business,” he says. “Otherwise, the business side will say, ‘We’ll take the risk rather than lose market share.’”

2. Discover who all your suppliers are

The report explained that the foundation of any successful security program starts with asset management, vulnerability assessment and configuration control. You can’t secure what you don’t know is there, it noted, and if you know it is there, you must be able to detect when risk status changes.

The equivalent in supply chain security is portfolio management, the report continued. That means discovery of all supply chain partners — from Tier 1 partners to extended networks of suppliers — and regular assessment of vulnerabilities and detection of changes in exposure. That, though, can be a trying task.

“In some organizations, acquiring a new vendor can be as simple as a person using a credit card and signing up a for a service that provides a specific benefit to that person. These are decisions made every single day that do not include a security audit or advice from the security team,” observes Chris Morales, head of security analytics at Vectra Networks, a provider of automated threat management solutions.

Assessing supply chains is one of the more challenging risk management endeavors organizations can take on, adds Rick Holland, vice president of strategy at Digital Shadows, a provider of a digital risk protection solution. “A global company can easily have over a thousand firms in their supply chain,” he explains. “In the age of digital transformation, much of the supply chain consists of SaaS providers who are easier to replace than the traditional on-premises vendor. The result is a transient supply chain that continually evolves.”

“To add even more complexity,” Holland continued, “the more mergers and acquisitions activity a firm undertakes, the more complicated its supply chain becomes. All these factors make supply chain risk management a daunting task.”

3. Scale multiple supply chain risk assessment approaches

The report warned that a one-size-fits-all risk assessment approach will not work for most businesses. It explained that a mix of techniques — from rapid “first looks” to detailed, in-depth assessments — might be necessary to support business responsiveness demands and to enable more continuous monitoring of risk levels.

A common reason that the security group is bypassed, the report continued, both overall and in supply chain management, is that “security moves too slowly.” It explained that often the demands of business require business managers to accept some increased level of risk because of the greater risk of being late to market. Supply chain security programs need to provide tiered levels of assessment to support business needs, it noted.

“The security team needs to understand the business and the elements that grow the business,” says Deepak Patel, the security evangelist at PerimeterX, a web security service provider. “They need to prioritize threats based on business inputs.”

“Many security teams do move too slow,” adds Webroot’s Dufour. “They build the Starship Enterprise to get to the next solar system, when they really only need a bicycle to go to the store for cookies.”

Eric Haller, vice president for security operations at Palo Alto Networks, a multinational cybersecurity company, maintains that “moving too slow” can be a telltale sign of bad planning. “This is a symptom of security teams engaging too late in the process and not integrating their requirements,” he says. “Partnership with the business, early involvement and alignment on outcomes is the best way to avoid slowing down the business.”

Automation can be another way to avoid slow-downs. At Gett, a global ride hailing service based in the United Kingdom, supply chain security was addressed by deploying an automated solution by Panorays, which also sponsored the SANS report.

“The company needed to recognize that a new system was in place, and it was mandatory to go through a security vetting process in order to work with a vendor,” explains CISO Eyal Sasson. “However,” he continues, “after a month of using the solution we implemented, the employees did not feel that there was a hiccup in their process, considering the speed that an automated solution provided. The platform just became an integral frictionless step of the whole vendor onboarding process.”

4. Extend dashboards and reporting to business units and IT managers

The report recommended that supply chain security processes and tools be used to provide visibility into current risk views to non-security personnel and enable them to incorporate risk information in their decision-making. It noted that security systems should be integrated into any existing processes for rating the financial or viability risk of suppliers and partners. If no systems exist, it continued, then the supply chain security reporting visual style or data should be as similar as possible to what procurement, logistics and business operation managers are familiar with.

“We hear this often, but it is certainly true: Security is not an IT problem. It’s a general business challenge requiring the acceptance and involvement from stakeholders across the enterprise,” LAG’s Çaglar says. “Business units tend to be responsible for the management of the vendors providing outsourced services on their behalf,” he continues. “Dashboard accessibility to individual business units can yield valuable data on riskier vendors where potential areas of highest inherited risk are presented for action.”

“This can allow business units to insist upon the adoption of certain technical or administrative controls as a condition of continued business with the vendor, or even as leverage in the potential renegotiation of service-level agreement terms,” Caglar adds.

5. Close the loop with vendors

Manufacturers learned long ago that weeding out low-quality suppliers alone wasn’t a prescription for a successful quality control program, the report explained. They realized they had to “close the loop” — provide feedback to encourage all suppliers to adopt higher quality processes.

That’s also true for supply chain security programs, the report continued. An effective supply chain security program must include feedback to vendors and visibility into the results of assessments and ratings to remediate open issues and drive improvement overall.

The report reminded business leaders that when attacks against supply chain partners succeed, customers blame the business, not the supply chain. Most direct attacks against the supply chain can be foiled through basic security hygiene, it noted, with one critical additional factor. Supply chain security programs need to incorporate flexibility so they can operate at the scale and speed at which procurement decisions are made.

The good news, it added, is that supply chain security is high on the list of priorities for many boards of directors and many customers. By demonstrating a strategic approach to improving or creating your supply chain security program, it added, security managers can gain support for the changes necessary to make meaningful and efficient increases in supply chain security.