A new wave of cyberattacks is emerging that targets the supply chain networks of many organizations. New not in terms of novelty, but in terms of the conversations around it and the methods currently in use. The supply chain is an integral part of every organization’s business; it cuts across the organization's boundaries on both the demand side and the supply side. For instance, most organizations use third-party software or hardware and work with third-party vendors and suppliers, all of which extends the organization’s “attack surface”. It has been reported that about 80% of all information security breaches originate in the supply chain and that about 45% of all cyber breaches could be attributed to past business partners.
A classic example is the US retail incident in 2013, in which 40 million credit/debit card numbers and 70 million records of personal information were stolen. Investigations reported that the initial intrusion into the retailer’s systems was traced back to network credentials stolen from a third-party vendor. Another incident affected a major laptop/PC manufacturer, some of whose laptops were preloaded with malicious software that delivered ads to consumers. Worse scenarios involve governments questioning the security of products manufactured in other countries. I could go on listing examples, since issues like these show how much organizations have neglected their supply chains and blindly trusted their suppliers. However, that is not the aim of this article; the summary so far is that the security of any organization is only as strong as that of the weakest member of its supply chain. My aim is to take a stab at how we got here, how we can start to think differently about the issues, and how we might begin moving the needle in the right direction.
How did we get here?
Organizations can’t always control the security measures taken by supply chain partners
Globalization has dramatically changed the way organizations operate. A global organization may design its product in the US, source raw materials or parts from Japan, manufacture in China and sell to customers all over the world. Managing operations of this scale is clearly not an easy task. With customers' demands changing, organizations are forced to become more agile, and it is evident that value can no longer be created solely by rearranging labor and resources within an organization; staying competitive requires interactions with other parties. Organizations now outsource some portion of their operations to third parties to increase efficiency, lower cost and be more competitive. But it’s not all rosy: just as there are benefits, there are new risks associated with this changing business landscape. As organizations evolve their business models, traditional business boundaries become more blurred. The sad part is that cyber criminals are aware of these blurring boundaries and are using them as an opportunity to attack organizations that have otherwise been well protected.
Current cyber security practices and programs are about knowing what to protect — identifying your key assets and putting measures in place to protect them. It is about defining and maintaining boundaries. On a small scale, it can be protecting your home PC or laptop with endpoint solutions like antivirus; on a large scale, it can be protecting an organization’s network, which requires more complex solutions that are detective, protective or corrective in nature. It might even require a dedicated team working 24x7. However, with the blurring of boundaries brought about by globalization, changing business models and the increasing use of technology, one of the biggest changes in the current approach to cybersecurity must be figuring out what to protect. Organizations must imagine extended boundaries when moving from securing an organization in isolation to securing an organization that is integrated with other third parties. The assets and data owned by an organization no longer sit only within its premises but also with other parties in its supply chain. An organization may have security tools and protection in place, but do its suppliers, and their suppliers’ suppliers, and everyone else in its supply chain have the same kind of protection? A determined cybercriminal does not have to target the main organization to access its data; the criminal could just as easily target any other organization within the supply chain that has access to that data.
One of the questions we can begin to ask is “How much control do organizations have over their suppliers?” Although some organizations are proactive in embedding security requirements in contracts with third parties, the quality of security provided by those third parties is not guaranteed. Considering that suppliers come in varying sizes with varying security budgets, it might be difficult to get a consistent level of protection from everyone in the supply chain. Consider the case of a credit card company that outsources the sending of letters to its customers to one third-party provider and the printing of plastic EMV cards to another. The small print company would have access to customers’ names and addresses, while the plastic card company would have access to card-related data. The plastic card company might meet security requirements, but it might be difficult to expect the same level of security from the small print shop.
Clearly, blurring boundaries change the scope of what must be considered when planning the security of an organization: they increase the number of players involved and affect which security measures are selected, implemented and monitored across the supply chain.
Changing supply chains have led to the use of more unproven technologies
Going with the same example mentioned earlier, for the organization to work efficiently with its suppliers in Japan or manufacturers in China, information needs to flow freely. Technology enables this free flow of information and facilitates these new ways of working among organizations within a supply chain. For this to be accomplished, the IT systems of the organizations within the supply chain must become integrated. For integration to happen, processes need to be digitized, i.e. processes that used to be manual become system driven. Each business process is gradually being updated to include more technology. The digitization of processes and the increasing reliance on technology have sped up the way information is created and exchanged. We are in an era where the amount of data that can be captured is almost limitless: insurance companies give out devices that track driving speed to determine a customer's risk rating, and eCommerce players now know more about their customers and can customize each user's web page. Ask yourself, when was the last time you had to fill out a paper form that didn’t have an electronic version? Every sector wants to become a technology company, from FinTech, RegTech, HealthTech, InsurTech, LegalTech etc.
This rapid digitization and reliance on technology by organizations in a bid to stay competitive has ushered in an era of ubiquitous off-the-shelf solutions from third-party vendors. Within industries, when a competitor launches a technology solution and succeeds in grabbing customers' attention, other organizations within the industry switch to survival mode and quickly adopt the same technology without fully understanding the issues associated with it. An example is when organizations started moving their infrastructure to the cloud: many migrated without fully considering the security risks of the new technology. Hence, it was not surprising when massive amounts of data were exposed on the Internet.
Organizations need to understand how the use of new technologies increases the complexity of the cyber security problem and how it creates new interdependencies with their suppliers and customers.
Where do we go from here?
Supply chains are getting more complex than ever, and so are the associated risks, but the good news is that the existing tools for maintaining quality and integrity within the supply chain are also relevant to cyber risks. Organizations concerned about cybersecurity risks within their supply chains should conduct deeper assessments of their current third-party relationships. Taking a cue from airport operations: apart from the airlines, there are several other organizations, like restaurants and book stores, that conduct business at the airport. It would be unreasonable to expect every organization at the airport to provide its own security. Hence, the airport makes sure everyone uses the same security. That might not be possible or scalable for all other industries, but we can learn from the approach. The airport has standards that must be met to operate a business there. It knows all the businesses that operate within it, it ensures that each business has an inventory of its items, and employees undergo additional security checks to work at airport locations. All of this is geared towards better understanding its ecosystem. Likewise, the first step for organizations is to start by knowing all the relationships that exist — both direct and indirect ones; there must be clear visibility into the supply chain.
This means understanding the different partners, how they operate, and what information is being shared with them. It helps to establish how simple or complex the relationships are before developing strategies to address security requirements at each level. A variety of tools already exist to help with this exercise; organizations just need to stretch themselves to find the ones that work for their own supply chain.
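As an added illustration of the visibility exercise described above (this is example code written for this article, not a tool the author references), the snippet below models data-sharing relationships as a directed graph and answers two questions: which parties, direct or indirect, end up holding each class of data, and which of those holders is the weakest link. The parties, data classes and assurance scores are constructed sample values modelled on the card issuer / print shop scenario, not real organizations.

```python
"""Added example: transitive visibility into who holds an organization's data.

Constructed relationships (not from the article): an edge (A, B) -> data_classes
means A shares those data classes with B. ASSURANCE is a constructed 1-3 score
standing in for whatever assessment result the organization actually has.
"""
from collections import defaultdict

SHARES = {
    ("issuer", "card_maker"):     {"pan", "expiry"},
    ("issuer", "print_shop"):     {"name", "address"},
    ("print_shop", "mail_house"): {"name", "address"},  # a supplier's supplier
    ("card_maker", "chip_vendor"): {"expiry"},
}
ASSURANCE = {"issuer": 3, "card_maker": 3, "print_shop": 1,
             "mail_house": 1, "chip_vendor": 2}


def data_exposure(shares, origin):
    """Return {data_class: set(parties)} reachable from `origin`.

    The walk is done per data class and only follows an edge if that edge
    carries the class, so a party is listed only for data it can actually
    receive (a sub-supplier cannot be handed data its supplier never got).
    """
    exposure = defaultdict(set)
    for cls in set().union(*shares.values()):
        seen, frontier = {origin}, [origin]
        while frontier:
            src = frontier.pop()
            for (a, b), data in shares.items():
                if a == src and cls in data and b not in seen:
                    seen.add(b)
                    frontier.append(b)
        exposure[cls] = seen - {origin}
    return dict(exposure)


def weakest_holders(exposure, assurance):
    """For each data class, the lowest assurance score among its holders and the
    parties at that score: the place an attacker would go instead of the origin."""
    result = {}
    for cls, parties in exposure.items():
        if not parties:
            continue
        low = min(assurance[p] for p in parties)
        result[cls] = (low, sorted(p for p in parties if assurance[p] == low))
    return result


if __name__ == "__main__":
    exp = data_exposure(SHARES, "issuer")
    for cls, (score, parties) in weakest_holders(exp, ASSURANCE).items():
        print(f"{cls}: held by {sorted(exp[cls])}, weakest {parties} (score {score})")
```

Running it shows that customer names and addresses end up with the mail house, a party the issuer has no direct contract with, and that it shares the lowest assurance score with the print shop.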