Business continuity is an integral component of any risk management professional's responsibility. With that concern should come a serious inspection of your enterprise's supply chain. Effective risk assessment can only be completed by analyzing the organization's third-party vendors and frankly evaluating supply chain risks. Only with knowledge of the realistic security risks you face can you implement supply chain security best practices with any measure of success.
Where many corporations need to catch up is in the area of software supply chain security. Many risk management employees are not cybersecurity or information security experts, and they approach their duties from a traditional enterprise risk management perspective. Conversely, your IT security and cybersecurity staff may take a different approach than a risk management expert would, which can cause them to overlook upstream risks if the end product appears secure and effective. These factors combine to leave glaring gaps in your security posture that can lead to sensitive data loss and supply chain disruptions.
It isn't just within the software space that a security breach presents a threat to sensitive data. Across your supply chain, the risk to sensitive data presents itself in many forms. In this article, we will look at some of the major threats facing supply chain security efforts and give you some supply chain security best practices to help with data loss prevention and incident response.
Data Locality, Visibility, and Governance
Critical data is present in so many tiers of your supply chain, and you must effectively locate, identify, and protect it everywhere. In sectors like finance or healthcare, there are also enhanced regulatory requirements that you have to abide by. Compounding that difficulty is that many of the vendors in your supply chain require access to that data. That is the visibility aspect: you have to tightly control access to the data by restricting it to those with a true need to further business operations.
When it comes to governance, we're referring to who has control over this sensitive data and the ability to decide to whom, and under what circumstances, it is disseminated. The party responsible for governance is also responsible for determining how best to secure the data and for setting restrictions and requirements on the security protocols that govern access to it.
Complications Born of Technology
At this point, anyone in risk management should be familiar with the SolarWinds breach. It was one of the most devastating cyber attacks in history. It capitalized on compromised upstream software to breach the systems of international corporations and even U.S. and European governments. Third-party software security risks are real, and failing to account for them can cause major supply chain disruptions, not to mention the associated costs of decontaminating and reconfiguring affected systems.
Supply chain attacks such as this one are so effective because the initial compromise likely will not even occur within your network, which makes it far harder to detect. SolarWinds, in particular, took over nine months to be discovered, compounding the cost substantially. While technology complicates mitigating supply chain risk, there are ways to leverage emerging tech to better secure your supply chain. The trick is to find the balance.
Supply Chain Security Strategy Best Practices
With those concerns in mind, what supply chain security best practices can be employed to better protect your enterprise?
Implement Access Inventory Strategies
Most organizations are proficient at monitoring their inventory of assets; it would be hard to remain profitable otherwise. Access to data and assets, however, is an important but often overlooked aspect of inventory. What we mean by that is tracking who has access to your data and other assets, at what level, and for how long. You must accurately track these data security metrics to increase visibility and security. The best practice is to develop tightly controlled, temporary parameters for access and to reevaluate those parameters for each third-party vendor at set intervals.
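One minimal way to operationalize this practice, as an added example that is not drawn from the article or from any Venture Lynk tooling: an inventory of third-party access grants, each recording the vendor, the asset, the access level, an expiry date and a last-review date, audited against a fixed review interval. Vendor names, assets, dates and the 90-day interval are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class AccessGrant:
    """One third-party access grant in the access inventory."""
    vendor: str
    asset: str
    level: str                 # e.g. "read", "write", "admin"
    granted: date
    expires: Optional[date]    # None means standing, open-ended access
    last_reviewed: date


Finding = Tuple[str, str, str]  # (vendor, asset, finding)


def audit_access(grants: List[AccessGrant], today: date,
                 review_interval_days: int = 90) -> List[Finding]:
    """Flag grants that violate a temporary, regularly re-evaluated access policy:
    no expiry set, expired but still active, or not reviewed within the interval."""
    findings: List[Finding] = []
    for g in grants:
        if g.expires is None:
            findings.append((g.vendor, g.asset, "standing access: no expiry set"))
        elif g.expires < today:
            findings.append((g.vendor, g.asset, "expired but still active"))
        if (today - g.last_reviewed).days > review_interval_days:
            findings.append((g.vendor, g.asset, "review overdue"))
    return findings


# Constructed sample inventory (hypothetical vendors and assets).
TODAY = date(2024, 6, 1)
SAMPLE_GRANTS = [
    AccessGrant("Acme Logistics", "shipment-db", "read",
                date(2024, 3, 1), date(2024, 9, 1), date(2024, 5, 15)),
    AccessGrant("Beta Payroll", "hr-files", "write",
                date(2023, 1, 10), None, date(2023, 12, 1)),
    AccessGrant("Gamma Analytics", "customer-data", "read",
                date(2024, 1, 1), date(2024, 4, 1), date(2024, 3, 20)),
]

if __name__ == "__main__":
    for vendor, asset, finding in audit_access(SAMPLE_GRANTS, TODAY):
        print(f"{vendor:<16} {asset:<14} {finding}")
```

Only Acme's grant passes: Beta Payroll has standing access and an overdue review, and Gamma Analytics' grant expired two months before the audit date yet is still in the inventory.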
Make Third-Party Risk Management Procedures Contractual
We've seen increasing financial and personnel investment in cybersecurity, but that alone will not shift your security posture. Incorporating supply chain security requirements and cybersecurity strategies as a cornerstone of your contracting procedures will make a substantial difference. This is your opportunity to ensure that your vendors and other third parties comply with the security protocols you expect.
Requiring regular assessments, establishing notification procedures, mandating penetration testing for anyone holding sensitive data even temporarily, requiring adherence to regulatory compliance frameworks, and even setting forth incident response plan standards can all be included in contracting. This makes your position more secure and sets the tone for your partners by showing that you value your sensitive information and supply chain security highly enough to create contractual terms around them.
If you want to make this process even more effective, this is the perfect time to make your data loss prevention efforts a collaborative mission. Supply chain disruptions can come from many vectors, and by developing a collaborative working relationship with your nth parties, you stand a better chance of shoring up everyone's position. A secure third or fourth party is one less attack vector for a bad actor to attempt to exploit in an effort to breach your network.
Encourage communication and information sharing between security teams. A minor incident at one party may prompt closer scrutiny of activity at another, thwarting a more complex supply chain attack. Mutual risk assessments are also a valuable tool: they give both parties a sense of security within the business relationship and foster openness between them.
Avoid Supply Chain Chokepoints
Your regular assessments may reveal that you have come to depend on one specific vendor for several critical services. This is a risk that many enterprises are willing to bear for many reasons, whether familiarity, streamlining, or something else. You should leverage some of the other best practices we mentioned to spread that risk across new partners. Some of your collaborators may have other sources for the goods or services you require.
Encrypt Sensitive Data and Communications
We discussed the importance of locating and identifying sensitive data, and those with access to it, earlier. However, once you have that information and have limited access appropriately, the job is not yet done. Applying encryption to all sensitive data is the first step we recommend, but the best practice is to abandon non-secure forms of communication like phone, fax, and others entirely. A wholly encrypted and secure method of communication ensures that all traffic sent through the network stays protected, removing yet another attack vector for cybercriminals.
Penetration Testing and Incident Response
These supply chain security strategies are beneficial, but they are worth little if they are never tested before a true security incident. Penetration testing by an outside entity gives you a realistic assessment of the cybersecurity controls you have in place. No one can better assess the effectiveness of those programs and policies than someone tasked with breaking into the system, and it's better to do that with someone you are paying than to wait for the real thing.
In addition, continuously adapting, evaluating, and reassessing your incident response plan is another supply chain security requirement. The best practice here is to bring your third parties into the process. Notification should be made as early as possible to limit the extent of any partner's exposure, and partners should assist in all investigative and forensic aspects of the security incident.
Vendor risk management is one of our primary missions at Venture Lynk Risk Management. We possess the industry expertise to take your third-party risk management program to the next level. Whether you need assistance in conducting risk assessments, continuous monitoring, or a complete vendor management package, we offer all those services and everything in between. We can tailor a custom package to fit exactly what you need or help you figure out where your biggest vulnerabilities are. Our cybersecurity experts can even assist you in implementing some of these supply chain security best practices.