Small and mid-sized businesses (SMBs) might not rely on the complex supply chains that global enterprises operate. But many of them depend on suppliers and other business partners to stay in business, and they need to be aware of the cyber security threats that can impact supply chain security.
Ransomware can be a worrisome threat from a supply chain cyber security standpoint. It used to be that such attacks were aimed solely at a single organization. Now, attackers also go after companies that have large partner ecosystems, potentially doing a lot more damage.
For example, ransomware such as REvil can enter one company and quickly spread to many of its corporate customers, each of which has its own suppliers and other partners, which in turn have their own partners. It’s easy to see how the impact of a single attack can be devastating.
Top supply chain security vulnerabilities
In the case of ransomware, supply chains typically have multiple vulnerabilities that make them prone to such threats. One is the use of third-party suppliers. These can range from materials suppliers to IT service providers to consultants to HVAC companies—all with varying levels of cyber security maturity and skills.
Another vulnerability is growing use of the cloud to stay connected with partners. The cloud offers potential benefits such as better agility and cost savings. But it can also create challenges in terms of visibility and access that can leave companies more vulnerable.
Companies are also left potentially vulnerable by the digital or physical access they must at times grant to partners. For instance, businesses need to let software vendors deliver application updates or patches.
In addition, companies for the most part can’t control the cyber security practices of all their partners. They can mandate certain requirements in contracts with vendors and suppliers, but it often comes down to trusting that partners are doing their best to keep networks, systems, and data safe.
The National Institute of Standards and Technology (NIST) noted that cyber security supply chain risks cover a lot of territory. Among the concerns, NIST said, are risks from:
- Third-party service providers or vendors—everything from janitorial services to software engineering—with physical or virtual access to information systems, software code, or intellectual property.
- Poor information security practices by lower-tier suppliers.
- Compromised software or hardware purchased from suppliers.
- Software security vulnerabilities in supply chain management or supplier systems.
- Counterfeit hardware or hardware with embedded malware.
- Third-party data storage or data aggregators.
Not surprisingly, demand for supply chain security is on the rise. An August 2021 report from Research and Markets projected the global supply chain security market will grow from $903 million in 2021 to $1.22 billion by 2026.
Best practices for supply chain cyber security
Cyber security in the supply chain can’t be viewed as an IT problem only, according to guidelines from NIST. “Cyber supply chain risks touch sourcing, vendor management, supply chain continuity and quality, transportation security, and many other functions across the enterprise, and require a coordinated effort to address,” the institute said.
Companies need to develop their defenses based on the principle that their systems will be breached at some point, NIST said. The question then becomes not just how to prevent a breach, but how to mitigate an attacker’s ability to exploit the information they have accessed and how to recover from the attack.
“Cyber security is never just a technology problem, it’s a people, processes and knowledge problem,” NIST noted. “Breaches tend to be less about a technology failure and more about human error. IT security systems won’t secure critical information and intellectual property unless employees throughout the supply chain use secure cyber security practices.”
Businesses should ask several questions about their primary vendors to help decrease supply chain security risks, NIST said. Here are some examples:
- Is the vendor’s software/hardware design process documented, repeatable, and measurable?
- Is the mitigation of known vulnerabilities factored into product design and architecture, run-time protection techniques, and code review?
- How does the vendor stay current on emerging vulnerabilities, and what are the vendor’s capabilities to address “zero day” vulnerabilities?
- What controls are in place to manage and monitor production processes?
- What levels of malware protection and detection are performed, and what steps are taken to “tamper proof” products?
- What type of employee background checks are conducted and how frequently?
- How secure is the distribution process?
Companies can adopt other best practices to help them manage cyber supply chain risks, NIST said. These include incorporating cyber security requirements into all requests for proposals and contracts; working directly with partners to address any vulnerabilities and security gaps; obtaining source code for all purchased software; establishing track and trace programs for parts, components, and systems; and imposing tight controls on access by service vendors.
Managed service providers
It’s likely that many SMBs will not have the resources needed to handle all supply chain security on their own. In those cases, an experienced managed security services provider with expertise in supply chain issues can be helpful. Companies can leverage these providers to ensure that they are operating as safe a supply chain as possible and making the best use of tools, processes, and people in the effort to keep the chain secure.