
Supply chain security: Considerations for risk management

Author: Shane Schick

As organizations become more digitally connected to their vendors, partners and other third parties, they are quickly discovering that they ignore supply chain security at their peril. Supply chains connect manufacturing companies with logistics firms, transportation providers and others to get products and services onto our store shelves, and poor supply chain cyber security can break the chain.

Supply chain security risks at a glance

Data sharing and other forms of connected collaboration are common between players in a supply chain, and these activities bring inherent risk. Everything from malware, ransomware and denial-of-service (DoS) attacks to a simple application being compromised can be used in a supply chain attack.

The interconnected nature of the firms in a supply chain means attackers may only have to exploit one weak link in order to have far-reaching effects across multiple enterprises.

Supply chain cyber security attacks hit high-profile organizations

The importance of cyber supply chain risk management and supply chain security became readily apparent last year following an attack that affected customers of a provider of networking tools called SolarWinds.

As reported by CSO Online, criminal actors managed to compromise a plugin associated with a SolarWinds product, which allowed them to steal and use credentials. With those credentials they subsequently breached the network security of many different entities using the SolarWinds product, including cyber security software vendor FireEye.

In May, meanwhile, news outlets including ZDNet reported that a ransomware attack forced Colonial Pipeline to shut down pipeline operations entirely. This disrupted the flow of fuel such as gasoline, diesel and home heating oil far down the supply chain.

Cyber supply chain risk management considerations

Supply chain security requires thinking holistically about cyber supply chain risk management, what can be done to bolster security through technology, any changes to business processes, and how people are trained and supported.

Mitigation starts with some technology basics, including making sure all those participating in a supply chain are using safeguards such as two-factor authentication, biometric access controls (where permitted or applicable), and security and incident monitoring tools.

Cyber criminals have also been known to target potential weaknesses in open-source software, so applications based on that kind of code should be tested regularly and monitored closely. Each vendor's design process should be well documented, and vendors should be able to provide details on how they address vulnerabilities such as zero-day threats.

Process considerations could include making sure to remove third parties' network access once a contract has been completed. Regular server and network audits should be conducted to ensure admin and access policies are up to date and being enforced.

It may be necessary to revisit or reconsider device use policies, such as bring your own device (BYOD). Personal devices can be a popular attack vector for malware and phishing schemes. Employees may also need to be given direction on how they should connect to the network, such as via a virtual private network (VPN).

How partners can bolster supply chain cyber security

Maintaining supply chain security is a team sport. There should be clear roles and definitions of responsibility among everyone involved. This might include determining who will detect any security issues, who will need to assist with recovering data and who will be managing the overall response plan.

This can become incredibly difficult for organizations to accomplish on their own, given the regular work that goes into running an effective supply chain. Managed service providers can not only help to fill the gaps but also provide value across multiple areas.

Companies might turn to managed service providers to assist with ongoing threat intelligence and cyber supply chain risk management, for example. Such firms also have deep expertise in mitigating cyber security attacks when they happen, which can help to minimize any financial or other damage. Finally, managed service providers can act as an extension of the team to make sure supply chain security remains a top priority.
