5 considerations for a secure supply chain

Your supply chain is the new weak link in your organisation’s security.

As primary targets have improved their cybersecurity operations, threat actors have been driven to look elsewhere for the low-risk, high-reward opportunities they want. We’ve seen a growing focus by cybercriminals on supply chains, where security cultures may not be as dynamic, mature, or well-funded. For the first time ever, the business and professional services sector has made our top 5 most attacked sectors, ranking third overall.

This means that a company’s security perimeter no longer ends at its own firewall; it must also take account of the security of its partners and suppliers. Today’s interconnected world has created many new opportunities for companies, but also more entry points through which criminals can try to gain access.

Supply chains offer more opportunities, particularly in the business and professional services sector: for example, breaching a lawyer’s systems can enable a cybercriminal to gain access to details about many different customers, not to mention other sensitive data that would otherwise sit behind a company’s more formidable defences.

NTT Security’s Global Threat Intelligence Report supports this, with business and professional services ranked third globally (10% of attacks) and third in the Americas (9% of attacks), and accounting for a staggering 20% of attacks in EMEA. Moreover, the new framework for infrastructure security from the US-based National Institute of Standards and Technology (NIST) places significant emphasis on supply chain security as a recognised and growing target for adversaries.

Supply chains are becoming attractive targets, for several reasons:

● Companies often don’t regard supply chain security as their problem.
● Policies implemented at companies often don’t take the broader supply chain into account.
● Smaller companies may lack the means and incentive to invest in security.
● Supply chains expand the potential number of user targets, who are often undereducated about security.
● Services companies in particular have access to the information of multiple businesses.

Here are five considerations towards securing your supply chain

Agile businesses do need an agile supply chain. However, a non-secure supply chain stunts the growth of a progressive company. These issues are compounded by a lack of visibility and control. As much as a company’s ecosystem extends to its service partners, it’s not as simple to extend policies and other controls to that level.

So just how do companies ensure their supply chains are secure? Here are five considerations:

  1. Ensure suppliers follow the appropriate security standards. But this shouldn’t be treated as a compliance checkmark. It’s essential to improving their business and should be part of the company’s strategy. For extra assurance, have the results vetted by an independent body to validate the findings.
  2. Liaise with suppliers to increase visibility and create active threat intelligence. Supply chain companies should form part of your security culture, as an extension of your intelligence-sharing capabilities. By establishing a healthy rapport regarding security, companies can often pre-empt adversaries and vastly reduce the impact of an attack.
  3. Expect suppliers to implement a comprehensive security strategy. Don’t forget that their core business is not necessarily your core business and their requirements will be different. That said, if you have a supplier that’s complacent about security, they represent a threat to your business.
  4. Routinely vet suppliers’ security and cull companies that refuse to modernise. A supplier that takes security seriously and approaches it cooperatively has a distinct competitive advantage. A single successful breach could destroy years of cooperation and goodwill in the blink of an eye.
  5. Assign leaders who can articulate the risks to both business and IT. Perhaps the strategy calls for a risk-based technological journey and it may sit with the CIO or CISO. Chief Risk Officers are also popular candidates for security-related issues. Whoever leads the change will have to stand alongside partners as they implement change on their side and communicate effectively with business and technology owners.

No business operates in isolation or remains tucked behind a fortress’s walls anymore. From a security view, companies must regard their supply chains as an inextricable part of their environments. Threat actors know this and they’re moving against soft targets. A uniform security strategy, where all parts (people, processes and technology) move in harmony, is paramount. Act first to secure your supply chain and its wealth of relationships and experience.

What next?

Read our Executive Guide to the NTT Security 2018 Global Threat Intelligence Report to learn more about the other cybersecurity trends it highlights.

Dimension Data employs the best and brightest cybersecurity experts in the world, but we’re always looking for new talent to join our team. Take a look at some of the current cybersecurity opportunities at Dimension Data.
