For HomeFor BusinessFor Partners
SMB Security Ransomware Cybersecurity Awareness
8 min read

Supply Chain Security Threats - What SMBs Need to Know

Bob Violino

December 22, 2021

Supply Chain Security Threats - What SMBs Need to Know

Small and mid-sized businesses (SMBs) might not rely on the complex supply chains that global enterprises operate. But many of them depend on suppliers and other business partners to stay in business, and they need to be aware of the cyber security threats that can impact supply chain security.

Ransomware can be a worrisome threat from a supply chain cyber security standpoint. It used to be that such attacks were aimed solely at a single organization. Now, attackers also go after companies that have large partner ecosystems, potentially doing a lot more damage.

For example, ransomware, such as REvil, can enter one company and quickly spread to many of its corporate customers, each of which have their own supplies and other partners, which in turn have their own partners. It’s easy to see how the impact of a single attack can be devastating.

Top supply chain security vulnerabilities

In the case of ransomware, supply chains typically have multiple vulnerabilities that make them prone to such threats. One is the use of third-party suppliers. These can range from materials suppliers to IT service providers to consultants to HVAC companies—all with varying levels of cyber security maturity and skills.

Another vulnerability is growing use of the cloud to stay connected with partners. The cloud offers potential benefits such as better agility and cost savings. But it can also create challenges in terms of visibility and access that can leave companies more vulnerable.

Also leaving companies potentially vulnerable is the digital or physical access they need to provide to partners at times. For instance, businesses need to let software vendors deliver application updates or patches.

In addition, companies for the most part can’t control the cyber security practices of all their partners. They can mandate certain requirements in contracts with vendors and suppliers, but it often comes down to trusting that partners are doing their best to keep networks, systems, and data safe.

The National Institute of Standards and Technology (NIST) noted that cyber security supply chain risks cover a lot of territory. Among the concerns, NIST said, are risks from:

  • Third-party service providers or vendors—everything from janitorial services to software engineering—with physical or virtual access to information systems, software code, or intellectual property.
  • Poor information security practices by lower-tier suppliers.
  • Compromised software or hardware purchased from suppliers.
  • Software security vulnerabilities in supply chain management or supplier systems.
  • Counterfeit hardware or hardware with embedded malware.
  • Third-party data storage or data aggregators.

Not surprisingly, demand for supply chain security is on the rise. An August 2021 report from Research and Markets projected the global supply chain security market will grow from $903 million in 2021 to $1.22 billion by 2026.

Best practices for supply chain cyber security

Cyber security in the supply chain can’t be viewed as an IT problem only, according to guidelines from NIST. “Cyber supply chain risks touch sourcing, vendor management, supply chain continuity and quality, transportation security, and many other functions across the enterprise, and require a coordinated effort to address,” the institute said.

Companies need to develop their defenses based on the principle that their systems will be breached at some point, NIST said. The question then becomes not just how to prevent a breach, but how to mitigate an attacker’s ability to exploit the information they have accessed and how to recover from the attack.

“Cyber security is never just a technology problem, it’s a people, processes and knowledge problem,” NIST noted. “Breaches tend to be less about a technology failure and more about human error. IT security systems won’t secure critical information and intellectual property unless employees throughout the supply chain use secure cyber security practices.”

Businesses should ask several questions about their primary vendors to help decrease supply chain security risks, NIST said. Here are some examples:

  • Is the vendor’s software/hardware design process documented, repeatable, and measurable?
  • Is the mitigation of known vulnerabilities factored into product design and architecture, run-time protection techniques, and code review?
  • How does the vendor stay current on emerging vulnerabilities, and what are the vendor’s capabilities to address “zero day” vulnerabilities?
  • What controls are in place to manage and monitor production processes?
  • What levels of malware protection and detection are performed, and what steps are taken to “tamper proof” products?
  • What type of employee background checks are conducted and how frequently?
  • How secure is the distribution process?

Companies can adopt other best practices to help them manage cyber supply chain risks, NIST said. These include incorporating cyber security requirements into all requests for proposals and contracts; working directly with partners to address any vulnerabilities and security gaps; obtaining source code for all purchased software; establishing track and trace programs for parts, components, and systems; and imposing tight controls on access by service vendors.

Managed service providers

It’s likely that many SMBs will not have the resources needed to handle all supply chain security on their own. In those cases, an experienced managed security services provider with expertise in supply chain issues can be helpful. Companies can leverage these providers to ensure that they are operating as safe a supply chain as possible and making the best use of tools, processes, and people in the effort to keep the chain secure.

Learn more about how third-party research can help you choose better security solutions.

 

Contact an expert

tags

SMB Security Ransomware Cybersecurity Awareness

Author

Bob Violino

Bob Violino

Bob Violino is a technology and business freelance writer covering the latest trends in the market, including cloud services, mobile technology, social media, big data/analytics and the Internet of Things.

View all posts

Right now Top posts

Are Deepfake Attacks an Immediate Threat or Future Concern for Organizations?
Enterprise Security Endpoint Detection and Response

Are Deepfake Attacks an Immediate Threat or Future Concern for Organizations?

April 23, 2024

Reframing the Narrative: Strategic Defense Against Human Error in Cybersecurity
Enterprise Security

Reframing the Narrative: Strategic Defense Against Human Error in Cybersecurity

April 18, 2024

Understanding XDR Solutions: A People-Focused Guide to Making the Right Choice
Enterprise Security Endpoint Detection and Response

Understanding XDR Solutions: A People-Focused Guide to Making the Right Choice

April 16, 2024

Bitdefender Threat Debrief | April 2024
Enterprise Security Bitdefender Threat Debrief

Bitdefender Threat Debrief | April 2024

April 11, 2024

FOLLOW US ON SOCIAL MEDIA

SUBSCRIBE TO OUR NEWSLETTER

Don’t miss out on exclusive content and exciting announcements!

You might also like

Are Deepfake Attacks an Immediate Threat or Future Concern for Organizations?
Enterprise Security Endpoint Detection and Response

Are Deepfake Attacks an Immediate Threat or Future Concern for Organizations?
Marcos Colón

April 23, 2024

Reframing the Narrative: Strategic Defense Against Human Error in Cybersecurity
Enterprise Security

Reframing the Narrative: Strategic Defense Against Human Error in Cybersecurity
Sumarlin

April 18, 2024

Understanding XDR Solutions: A People-Focused Guide to Making the Right Choice
Enterprise Security Endpoint Detection and Response

Understanding XDR Solutions: A People-Focused Guide to Making the Right Choice
Daniel Daraban

April 16, 2024

Bookmarks

loader