Supply Chain Risk Management: Best Practices For Improved Cybersecurity
Melissa Stevens | April 7, 2016
This is a two-part blog post. First, you'll discover supply chain risk management best practices for improved cybersecurity. In the second part, you'll read on to uncover 4 ways to address your cyber risk.
There are two distinct categorizations that you’ll need to consider when it comes to supply chain risk management:
The software, hardware, and technology providers.
Third-party business associates, contractors, and vendors.
In order to address cyber risk in the supply chain, there are some common practices that apply to all your vendors. Below, we’ve outlined seven of those practices between the two categories mentioned above.
(The first step is important for both the technology side and the vendor side of things.)
1. Bring together your internal team.
Before you get started, you’ll want to gather together all of the different folks who have a hand in these topics. This could be team members from vendor risk management, mergers and acquisitions, IT and IT security, legal, and more.
Supply Chain Risk Management For Software, Hardware, & Technology Providers
2. Identify critical suppliers.
The team you’ve assembled should all play a role in establishing and creating your organization’s security expectations of a third-party software provider. You will want to understand what risks are being posed and properly convey your expectations and requirements to your software vendors.
To truly ensure a strong cybersecurity posture, you need to be able to identify which types of applications you consume from third-party providers and how you ensure that those providers are taking reasonable measures to reduce the number of vulnerabilities in their software. This is critical, because as you know, software can be written sloppily—and when there are errors in the code, you open the door for exploitation.
Thus, your goal should always be to purchase the software with the fewest number of known vulnerabilities. One way you can do this is by using a Secure Development Lifecycle (SDL) process, which can be manual or automatic. When a software developer writes code, this process is used regularly to see if vulnerabilities are intentionally or unintentionally being inserted into the program.
3. Scan the code for known vulnerabilities prior to deployment.
Before rolling out a new software application, you’ll want to make sure it’s been scanned. Skipping this step can leave the door wide open for hackers to take advantage of a vulnerability that wasn’t properly addressed before it was deployed on your network.
Supply Chain Risk Management For Third-Party Business Associates, Contractors, & Vendors
4. Determine what kind of access your vendors have.
Organizations with a large number of vendors inherently have more possible entry points into their networks. So you need to be aware of which third parties have either access to your most sensitive data or direct access into your corporate network. These critical vendors should be closely monitored to ensure they’re meeting the security standards you’ve outlined in your contractual agreement (which we’ll discuss below).
5. Assess your vendor’s efforts to protect your organization and data.
If your organization hires a law firm to take care of a sensitive matter, you should care about their cybersecurity, because they’ll have obvious access to sensitive data. You’ll want to know what they’re doing to protect their network from intrusions as well as what they’re doing to protect your data as it’s being handled and reviewed on their network. (Remember, not all of your critical vendors will be as obvious as a law firm handling sensitive information! Thus, it’s imperative not to skip best practice #4.)
6. Build in contractual language for how your data should be handled and secured.
Again, this is a critical step. Discovering that you used simple or non-specific language in a vendor contract after your vendor is breached is the wrong time to worry about this. Be sure to create legal documents that explain exactly what you expect of your vendor, how they should handle your data, what they should do if a breach that affects your information does occur, and more.
A Final (& Critical) Step
7. Continuously monitor your vendors and technology providers.
You can follow every best practice in the book for supply chain risk management—but you need to be able to ensure that third parties are following through with their security obligations or that your software providers are updating their system regularly. Continuous monitoring software solutions provide the most effective way to ensure that your vendors’ systems are in check and easily follow up on potential risks or vulnerabilities on their networks.
Part 2: Supply Chain Risk Management: 4 Ways To Address Your Cyber Risk
Handling cyber risk in your organization’s supply chain isn’t easy. This aspect of Supply Chain Risk Management is a complex problem that even highly sophisticated organizations—like the Department of Defense—struggle to address.
But while finding a silver bullet solution to eliminate your organization’s supply chain vulnerabilities may be out of the question, managing those cyber risks is still possible.
Managing Cyber Risks in Your Supply Chain
Before we get to some solutions, it’s important to understand what cyber risk means to supply chain risk management.
Organizations have been managing risk to their supply chains for decades. Traditionally, this meant finding ways to limit the impact of extreme weather, fires, earthquakes, labor strikes, or other unforeseen hazards associated with running global business operations.
In recent years, the traditional concept of supply chain risk management has expanded to include cybersecurity and cyber risk. The need to incorporate cyber into supply chain risk management is clear: cyber incidents can affect the products or services upon which organizations rely, causing direct business harm.
Managing cyber risk to your supply chain is the process of identifying and mitigating cyber risks affecting the hardware, software, or services that you purchase, acquire, or use from third parties, in order to reduce the cyber risk of your own organization.
For instance, a cyber incident affecting an important manufacturing facility could result in machines being operationally disabled or the theft of sensitive intellectual property. A cyber incident affecting a critical software or hardware vendor could introduce new vulnerability into your organization.
Hardware & Software
Any company that sells a product using hardware or software knows how important it is to test products before they hit the market. But, that’s not always easy or possible. Most organizations outsource the creation of components for hardware and software, so they aren’t able to oversee the production process personally. So how do you gain confidence in your vendors’ development processes and have complete assurance that they’ve created the parts you need with good intentions in a secure facility? You don’t.
For example, let’s say I’m the president of a cell phone company. It’s less expensive for me to get my hardware—chips, wires, circuits, and other components—from a company overseas. As such, I do not oversee the production process of the hardware for my phones.
They are all sent to my production facility, where they are assembled. Again, I don’t oversee that process. The phones I create are smart phones, so once they’re on the market, I let third parties create applications and sell them to other phone users.
Since I don’t have a hand in creating these applications, how do I (and those who have purchased my phones) know that the developer hasn’t rigged the application to steal personal data and information from the phone’s owner?
All of these issues are called supply chain vulnerabilities, which are managed through supply chain risk management.
Aside from hardware and software, supply chain vulnerabilities also need to be managed for “overall services.” These services typically refer to companies that are working under contract for your organization,and have access to (or are interacting with) sensitive data. These companies are considered critical because they have a deep level of access into your organization’s networks, so they may pose a security threat.
For example, if I owned a large financial institution, I might have 15,000 vendors, but only 5,000 who were considered critical. I would take more caution with these critical vendors. Specifically, I would send out questionnaires, perform penetration tests, and use continuous monitoring tools to monitor real-time security incidents. I’d want to do everything I could to ensure my data was secured appropriately so my network wasn’t breached.
4 WAYS TO ENHANCE THE CYBERSECURITY OF YOUR SUPPLY CHAIN
1. Assess the cyber risk posed by vendors in your supply chain.
Not every component of your supply chain poses the same level of risk. Vendors who have access to sensitive data or the corporate network should be treated differently from others. Determining which vendors are critical to your business is an important step in managing cyber risk.
While eliminating cyber risks from critical vendors’ vulnerabilities is impossible, you can implement methods to manage risk. Developing a vendor risk management (VRM) program is a step in the right direction. VRM programs typically utilize:
Surveys: Surveys can help you get a better look into your vendors’ manufacturing systems. You can ask them questions that may lead you to better understand whether your product has been built securely, and find out more about their process of identifying and mitigating common vulnerabilities.
Penetration tests and on-site visits: These measures offer better insight into the security of your vendor, but only for that moment in time.
2. Review your contracts to ensure your vendors have security obligations to you.
If you are in the beginning phases of finding and contracting out to vendors, make sure your contracts are written to include the cybersecurity obligations that are necessary for you and your organization.
If you’re beginning your supply chain risk management program after you’ve onboarded the majority of your vendors, this step is particularly crucial. Gather the contracts of each vendor client, sit down with your legal team, and be sure that each vendor has a legal obligation to report any security breaches that are outside of industry compliance laws. For example, if your vendor is breached and millions of card numbers are stolen from you through your vendor, they have a federally charged legal obligation to report it. But, if your vendor is breached and one of your trade secrets is stolen, they technically aren’t obligated to share that information with you. That’s why including language about security obligations in your vendor contracts is crucial.
3. Monitor the security of your strategic vendors.
Identifying which vendors have access to your organization’s network or sensitive data is absolutely critical. The best cautionary tale that deals with this issue—particularly as it pertains to vendors who perform general services—comes from the 2013 Target breach.
Target wanted to hire a company to check the cooling of their refrigerators nationwide. With more than 1,500 stores, Target wasn’t interested in having someone come out and physically inspect the machines; rather, they wanted it done digitally. They hired Fazio Mechanical Services, an HVAC company headquartered in Pennsylvania, and gave them broad access to their network so they could monitor the refrigeration units. Though they were simply monitoring refrigeration units, Fazio’s significant level of access made them a “strategic” vendor to Target, which made Fazio a “target” themselves. Attackers breached Fazio’s network, and then used it to break into the Target network. More than 100 million Target card and credit card numbers were stolen because of this breach.
This is a perfect example of the catastrophic impact that can result from an insecure supplier. By limiting network and data access and monitoring the security of critical vendors, an organization can reduce the likelihood that a Target-like incident will occur in their supply chain.
4. Review your software and hardware vendors.
Every organization is dependent on software and hardware vendors, and it is not easy to assess the risk posed by these vendors. Solutions for managing cyber risks from the supply chain range, depending on the size and scale of your organization.
If you want to better understand whether your hardware or software vendors pose a security threat, these innovative tools may be helpful:
Veracode is a cloud-based technology that helps test the security of applications developed by third parties.
Safecode is a nonprofit organization that offers best practices for enhancing the security of software development processes. You can check to see whether the software developer you are purchasing from is a member of the Safecode alliance.
OTTF (Open Group Trusted Technology Forum) is in the process of creating an international standard for secure software development and supply chain risk management, with the goal of having auditable standards in the years ahead.
You should also be sure that you repeat these steps any time you onboard a new vendor, which many organizations do regularly. In order to ensure that your third-party vendor risk management program is secure, you’ll need to constantly be repeating steps 1-4.
If you want to reduce the amount of time you spend repeating this process, we suggest putting a continuous monitoring and security performance management solution—like BitSight—in place. This way, you’re able to make data-driven decisions about your cyber security supply chain vulnerabilities. We’re confident that if you follow this process, your supply chain risk management program will benefit exponentially.