Business ecosystems have expanded over the years, owing to the many benefits of diverse, interconnected supply chains. This has prompted organizations to pursue close, collaborative relationships with their suppliers. However, opening networks to the supply chain has also widened organizations' exposure to cyber threats: it only takes one supplier with cybersecurity vulnerabilities to bring a business to its knees. Reflecting this, governments around the world have singled out supply chains as an area for urgent attention in tackling cyber risk over the coming years.
Looking beyond your own perimeter
Over the last few years, many organizations have worked hard to improve their cyber defenses and have become increasingly "hard targets". For these well-defended organizations, the greatest weaknesses now lie with their suppliers, who are typically less well defended yet highly interconnected with them.
At the same time, the cyber threat landscape has intensified. The events of the past year have forced security professionals to secure a remote workforce, keep systems accessible to employees, and handle a multitude of issues from a distance while defending a much broader attack surface. As a result, points of vulnerability have multiplied, giving bad actors an attractive space in which to disrupt and extort enterprises. Threats have escalated, including phishing, new variants of known threats such as ransomware and distributed denial-of-service (DDoS) attacks, and a rise in supply chain attacks.
Where supply chains are concerned, it is nearly impossible to manage this risk effectively unless you know the state of your suppliers' defenses and continually confirm that they are comparable to your own. Organizations must thoroughly understand the cyber risks each supplier relationship introduces and mitigate them as far as possible.
That is easier said than done. Sending and receiving information is essential for the supply chain to function, so cutting suppliers off is not an option; the only option is to identify and manage the risks more effectively. This requires organizations to overhaul their existing risk-monitoring programs and technology investments, and to prioritize cyber and data security governance.
Ensuring the basics are in place
At the very least, organizations should ensure that they and their suppliers have basic controls in place, for example by aligning with Cyber Essentials, NIST guidance or ISO 27001, coupled with good data-management controls. They should thoroughly vet and continuously monitor supply chain partners: understand what data each partner needs access to and why, and what level of risk that access poses. Likewise, they need to understand what controls suppliers have in place to safeguard data and to protect against incoming and outgoing cyber threats. Monitoring and logging of supplier connections, regular reviews, and a baseline of normal activity between the organization and each supplier should also be established, so that deviations from that baseline can be spotted.
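As an added illustration of the "baseline of normal activity" point (example code written for this page, not a Titus product feature): the script below learns, from a constructed supplier file-transfer audit log, what each supplier normally sends and receives, then flags new transfers that deviate from that profile. The log format, supplier names and thresholds are assumptions made for the example.

```python
"""Baseline-and-deviation check over supplier file-transfer audit records.

Added example, not vendor code. The audit log is a constructed, hypothetical
format: one transfer per line, 'timestamp supplier direction bytes filename'.
"""
import os
from collections import defaultdict
from statistics import median

# Constructed baseline window (sample data, not a real log).
BASELINE_LOG = """\
2021-03-01T09:02:11Z acme-parts outbound 204800 po_0301.pdf
2021-03-01T14:10:03Z acme-parts outbound 198000 po_0302.pdf
2021-03-02T09:05:44Z acme-parts outbound 211000 po_0303.pdf
2021-03-02T16:22:18Z acme-parts inbound 51200 invoice_0302.csv
2021-03-03T09:01:09Z acme-parts inbound 49800 invoice_0303.csv
2021-03-03T10:30:00Z globex-logistics outbound 1048576 manifest_0303.xml
2021-03-04T10:31:12Z globex-logistics outbound 990000 manifest_0304.xml
"""

# Constructed transfers to review against that baseline.
NEW_LOG = """\
2021-03-05T09:03:00Z acme-parts outbound 202000 po_0305.pdf
2021-03-05T09:04:30Z acme-parts inbound 52000 invoice_0305.xlsm
2021-03-05T23:58:41Z acme-parts outbound 52428800 export.zip
2021-03-05T11:00:00Z initech-supply inbound 3000 readme.txt
"""


def parse_log(text):
    """Split the hypothetical audit format into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, supplier, direction, size, name = line.split(maxsplit=4)
        records.append({"ts": ts, "supplier": supplier, "direction": direction,
                        "bytes": int(size), "name": name})
    return records


def build_baseline(records):
    """Per (supplier, direction): typical size and the set of file types seen."""
    sizes = defaultdict(list)
    exts = defaultdict(set)
    for r in records:
        key = (r["supplier"], r["direction"])
        sizes[key].append(r["bytes"])
        exts[key].add(os.path.splitext(r["name"])[1].lower())
    return {key: {"median_bytes": median(v), "max_bytes": max(v), "extensions": exts[key]}
            for key, v in sizes.items()}


def check_transfer(baseline, record, size_factor=5):
    """Return the list of deviations for one transfer; an empty list means 'looks normal'."""
    key = (record["supplier"], record["direction"])
    profile = baseline.get(key)
    if profile is None:
        # A supplier or direction never seen before is itself worth a look.
        return [f"no baseline for {record['supplier']} ({record['direction']})"]
    findings = []
    ext = os.path.splitext(record["name"])[1].lower()
    if ext not in profile["extensions"]:
        findings.append(f"new file type {ext!r} for {record['supplier']}")
    if record["bytes"] > size_factor * profile["max_bytes"]:
        ratio = record["bytes"] / profile["median_bytes"]
        findings.append(f"size {record['bytes']} is {ratio:.0f}x the baseline median")
    return findings


def review(baseline_text, new_text):
    """Map each new transfer's filename to its findings."""
    baseline = build_baseline(parse_log(baseline_text))
    return {r["name"]: check_transfer(baseline, r) for r in parse_log(new_text)}


if __name__ == "__main__":
    for name, findings in review(BASELINE_LOG, NEW_LOG).items():
        print(name, "->", findings or "ok")
```

In the sample run the routine purchase order passes, the macro-enabled spreadsheet is flagged as a new file type, the 50 MB archive trips both the file-type and size checks, and the transfer from an unknown supplier is flagged because no baseline exists for it. In practice the baseline would be rebuilt periodically from the MFT platform's own audit trail and fed into whatever alerting the organization already uses.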
As well as effective processes, people play a key role in minimizing risk. Cybersecurity training should ensure that employees are aware of the dangers and know how to spot suspicious activity. Employees should also be aware of data-regulation requirements and understand what data can be shared with whom. Finally, they should know exactly what to do in the event of a breach: a detailed incident response plan should be shared and regularly reviewed.
IT best practices should be applied to minimize these risks. Used effectively, technical controls protect sensitive data automatically, so that when employees inevitably make mistakes, technology is there to safeguard the organization.
Securely transferring information between suppliers
How do organizations transfer information between suppliers securely and ensure that only authorized suppliers receive sensitive data? This is where data classification tools are critical: they ensure that sensitive data is appropriately treated, stored and disposed of throughout its lifetime, in accordance with its importance to the organization. Apply classification consistently, including visual labels and metadata on emails and documents, so that downstream controls can act on it. This protects the organization from the risk of sensitive data being exposed to unauthorized organizations further down the supply chain.
Likewise, data that is not properly encrypted in transit is at risk of compromise. Using a secure and compliant mechanism for transferring data within the supply chain significantly reduces that risk. Managed File Transfer (MFT) software automates the sharing of data with suppliers over an encrypted channel and provides a central platform for information exchanges, with audit trails, user access controls and other file transfer protections.
Layering security defenses
Organizations should also layer security defenses to neutralize threats arriving from a supplier. The ubiquity of email makes it a particularly exposed channel, and cybercriminals often exploit it by posing as a trusted partner. Organizations must adequately protect themselves from incoming malware, malicious content embedded in otherwise legitimate documents (a favoured delivery method of advanced persistent threat groups), and any other threat that could pose a risk to the business.
Finally, organizations must ensure that documents uploaded to and downloaded from the web are thoroughly analyzed, even when they come from a trusted source. To do this effectively, organizations need a solution that removes risks from email, web and endpoint traffic while still allowing the information itself to flow.
Adaptive DLP allows the flow of information to continue while removing threats, protecting critical data and ensuring compliance, without becoming a barrier to business or imposing a heavy management burden. Traditional "stop and block" DLP approaches have often delayed legitimate business communications and carried high management overheads from false positives.
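To make the classification and Adaptive DLP points concrete, here is an added example (not Titus or Clearswift code) of a classification-aware outbound check. It reads the message's classification label, checks it against an assumed per-supplier policy, and, when an attachment carries macros, strips them and lets the cleaned file through rather than blocking the whole message; a flag reproduces the "stop and block" behaviour for comparison. The label names, supplier domains, message shape and the minimal in-memory OOXML sample are all constructed for the example. The same strip routine applies equally to documents arriving from a trusted supplier, as recommended in the previous section.

```python
"""Classification-aware outbound check: allow, sanitize, or block.

Added example, not vendor code. The policy table, label names, message
shape and sample document are assumptions made for illustration.
"""
import io
import zipfile

# Assumed policy: which classification labels each approved supplier domain may receive.
APPROVED_SUPPLIERS = {
    "acme-parts.example": {"PUBLIC", "INTERNAL", "CONFIDENTIAL"},
    "globex-logistics.example": {"PUBLIC", "INTERNAL"},
}

# OOXML parts that carry VBA macros; these are what 'sanitize' removes.
ACTIVE_CONTENT = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}


def make_sample_docx(with_macro):
    """Build a minimal OOXML-style zip in memory (constructed sample, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document>Q3 purchase forecast</w:document>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00constructed macro bytes\x00")
    return buf.getvalue()


def contains_active_content(data):
    """True if the archive carries any macro part."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(name in ACTIVE_CONTENT for name in z.namelist())


def strip_active_content(data):
    """Rebuild the archive without macro parts; returns (clean_bytes, removed_part_names)."""
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            if item.filename in ACTIVE_CONTENT:
                removed.append(item.filename)
                continue
            dst.writestr(item, src.read(item.filename))
    return out.getvalue(), removed


def evaluate(message, adaptive=True):
    """Decide the fate of one outbound message.

    message: {"to": address, "classification": label, "attachment": bytes or None}
    Returns {"action": "allow" | "sanitize" | "block", "detail": str, "attachment": bytes or None}.
    With adaptive=False the function behaves like a 'stop and block' DLP and blocks
    any attachment carrying active content instead of cleaning it.
    """
    domain = message["to"].rsplit("@", 1)[-1].lower()
    label = message["classification"].upper()
    attachment = message.get("attachment")
    allowed_labels = APPROVED_SUPPLIERS.get(domain)
    if allowed_labels is None:
        return {"action": "block", "detail": f"{domain} is not an approved supplier", "attachment": None}
    if label not in allowed_labels:
        return {"action": "block", "detail": f"{label} data may not be shared with {domain}", "attachment": None}
    if attachment and zipfile.is_zipfile(io.BytesIO(attachment)) and contains_active_content(attachment):
        if not adaptive:
            return {"action": "block", "detail": "attachment contains macros", "attachment": None}
        clean, removed = strip_active_content(attachment)
        return {"action": "sanitize", "detail": "removed " + ", ".join(removed), "attachment": clean}
    return {"action": "allow", "detail": "policy satisfied", "attachment": attachment}


if __name__ == "__main__":
    macro_doc = make_sample_docx(with_macro=True)
    for msg in (
        {"to": "buyer@acme-parts.example", "classification": "Internal", "attachment": macro_doc},
        {"to": "ops@globex-logistics.example", "classification": "Confidential", "attachment": None},
        {"to": "someone@unknown.example", "classification": "Public", "attachment": None},
    ):
        verdict = evaluate(msg)
        print(msg["to"], msg["classification"], "->", verdict["action"], "|", verdict["detail"])
```

The decision depends on the classification metadata travelling with the message, which is why consistent labelling matters: without a label there is nothing for the policy to act on. Only the macro container is removed, so the supplier still receives the document body, which is the "allow the flow, remove the threat" behaviour the text describes; in block-only mode the same message would be held, and a human would have to release it.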
Cybercriminal attacks set to rise
Many of the recent well-publicized supply chain attacks have been orchestrated by nation states. Going forward, expect criminal syndicates to follow: they already have the ransomware capabilities, and all they need to do is combine them with targeting of the supply chain. Make sure you have the right technologies, policies and training programs in place; it is a top priority for organizations in 2021. If you are interested in finding out more about protecting your supply chain, download our eGuide: “Managing Cybersecurity Risk in the Supply Chain.”
Titus solutions are trusted by millions of users in over 120 countries around the world, including top military, government and Fortune 100 organizations. With the addition of data identification and advanced machine learning technologies, Titus has evolved into a global leader in enterprise-grade data protection solutions.