Cybersecurity – your supply chain depends on it. Every day a new cyberattack is reported, and the when, where, what, and how of the breach hit a little too close to home.
As a responsible supply chain owner, you appreciate the immensity of the threat posed by a potential breach: just last week your main competitor fell victim to an attack that nearly crippled their production capacity. Now you fear these attackers, be they a lone wolf or an entire collective, might set their sights on your most valued data stores. You wonder whether the system you currently have in place is as ironclad as you've imagined it to be. Your doubts are not unfounded.
When it comes to cybersecurity, the system to which you've entrusted your company's safety is only as strong as its architects are foresighted. And yet all the foresight in the world can't anticipate the unknown. Cybersecurity is not, fundamentally, just a matter of prevention. Readiness, mitigation, and recovery are the watchwords that determine how effective your cybersecurity system really is.
The question is not “Will it happen?” but “What will you do WHEN it happens?”.
A good cybersecurity system should account for the latter question. Remember, no firewall can claim to be categorically unbreachable. Your defenses are first a deterrent and second a bulwark that raises the attacker's cost; they are never a guarantee. Good risk management, as outlined in previous articles here on Patrick Rigoni's blog, requires a plan of action oriented towards limiting what an attacker can do once inside. What mechanisms must you have in place to deprive a bad actor of the ability to fully exploit the information they have stolen, for example encrypting data at rest, segmenting networks, and restricting each account to the access its job requires? How can management decisions be rethought to factor in such inevitabilities?
The quality of your technology is not always to blame for a breach. Human error can do even more damage than faulty technology. Continuity of security practice from the first link of your supply chain to the last is an integral characteristic of strong cybersecurity, and how far that continuity extends depends on the habits of your employees.
On a related note, your physical security should not be treated as something separate from your cybersecurity. Many incidents have been reported in which criminals carried out breaches by exploiting gaps in physical security, such as an unlocked server room or an unattended, logged-in workstation. In reality, cyber and physical security are two sides of the same coin.
Cybersecurity risks come in various forms: third-party vendors, compromised software and hardware, unpatched security vulnerabilities, and third-party data storage and data aggregators. Your company is not immune to any of these threats, many of which overlap and involve reliance on suppliers whose security you cannot verify. Because small businesses and larger supply chains depend on one another, malicious actors often infiltrate the chain through a smaller third-party vendor which, more than likely, is not as financially or operationally well-resourced as its larger counterpart. Remaining aware of the size, capabilities, and practices of your suppliers is a good approach to avoiding such breaches.
What variables must you consider when assessing the quality of a supplier's product? The integrity of your supply chain depends on the quality of the information you gather about it. Staying current with emerging cybercrime trends is a duty that should apply as firmly to your vendors as it does to your workforce.
Some questions to ask yourself: Does your vendor make sure that the production process for their goods is adjusted as the threat landscape changes? How transparent are their manufacturing processes, and can those processes be audited? Is there enough consistency between your security practices and those of your vendors?
The key to answering these questions is grasping your supplier's mission and values. Most reassuring is the knowledge that your supplier adheres to the same general principles as your company when it comes to cybersecurity hygiene. For instance, such a philosophy might involve regular employee background checks, in an effort to guarantee the same sort of transparency that underlies the smooth functioning of your supply chain. A good supplier appreciates how likely a sudden cyberattack is and works to get their personnel on the same page security-wise.
Another question to ask yourself is how your supplier treats data. What policies does their organization have for protecting personal and company data? How might a lax attitude towards handling this data harm the functioning of your supply chain? The running theme of mission and values weighs as heavily on these questions as the question of transparency does.
The quality of your distribution process has a direct bearing on the quality of your products. Getting a sense of how your supplier's distribution process is structured will help you understand whether cracks in their armor might present an attractive channel for bad actors aiming to invade your supply chain. How much does your supplier care about quality assurance? How does quality assurance shape the structure of their distribution process?
As mentioned, mitigation is one of the chief components of any sound cybersecurity strategy. Does your supplier understand how frequent cyberattacks are and that full protection against them is impossible? Do they have a mitigation plan in place for the eventuality of a data breach?
Building on these considerations, you should also ask yourself how conscientious your supplier seems about their involvement with your supply chain. A good sign would be that they are as ready to ask these questions about your operations as you are to evaluate their merits. A responsible supplier wants to know that their product is being used correctly and that their involvement with your business does not leave them exposed to cybersecurity threats. Mutual trust and a shared cybersecurity philosophy, therefore, go hand in hand.
Having surveyed the threat landscape, you should now turn your thoughts towards implementing best practices. As stated, absolute prevention is not the be-all and end-all of a good cybersecurity system. Prudent supervision of your valuable data and assets involves calculating the potential impact of a security breach and assessing how quickly you can respond. Consistency and continuity are vital. You want to ensure that your security needs are specified in every RFP and contract your company issues. Too often the information in this regard is vague and underdeveloped. Security requirements should be well-defined, easy to understand, and wide-ranging: which data the vendor may access, how it must be protected, how quickly they must notify you of an incident, and what right you have to audit them. A solid contract will explain, in detail, the breadth and depth of cybersecurity expectations.
At this point it's been firmly established that the success of the relationship between a supply chain and its vendor hinges on transparency. Bringing a supplier into the chain brings crucial security concerns with it. A security team should, therefore, work on-site with the supplier with an eye towards fixing security flaws. Again, trust is essential. Products as well as services must be reliable. A responsible business owner should have a "zero tolerance" policy when it comes to counterfeit software or hardware, or questionable service, that puts your organization at risk.
As one might imagine, it's not always possible to rely solely on the same few vendors. Inevitably, your supply chain will need to make purchases from unfamiliar vendors. In such cases, it is important that firm control is maintained over every phase of the purchase and that the items are inspected, and where warranted x-rayed, before acceptance.
Highly secure supply chain businesses know the value of a Secure Software Development Lifecycle (SDLC). What is an SDLC? It is a methodology framework that helps engineers build high-quality software in a predictable, repeatable way, with security activities built into each phase rather than bolted on at the end. The process starts with requirements and analysis, which establish what the system must do and what could go wrong, so that known classes of defects are designed out and quality-assurance standards are set up front. Design and build follow, complemented by code review and testing (including security testing) that catches flaws overlooked earlier. The final phase is deployment, typically through a staging environment in which stakeholders can exercise the product before its release, followed by ongoing maintenance and patching. The great advantage of an SDLC is that it reduces time and cost without sacrificing quality, because a defect found during analysis or review is far cheaper to fix than one found in production.
Though we now forgo handshakes because of pandemic protocol, a different sort of handshake protocol is still going strong in the world of cybersecurity. An indispensable best practice is "security handshaking": a controlled exchange of messages in which two devices authenticate one another before any data is transmitted, so that each side knows it is talking to a genuine peer and not an impostor. The significance of this manner of communication is that the devices themselves carry it out, without human involvement. Not every aspect of a system's functioning can be monitored by human eyes, so it is imperative that any supply chain abide by best practices in security protocols wherever a security decision must be made without a human present.
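As an added illustration of the device-to-device handshake described above (example code written for this edit, not code from the original article), here is a minimal mutual-authentication handshake in Python: each device proves it holds a shared secret by answering the other's random challenge with an HMAC, and only then do both derive a per-session key. The device names, the pre-shared key values, the message layout and the "initiator"/"responder" labels are all assumptions for the example; a real device fleet would more often use TLS with mutual certificate authentication, but the principle is the same.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

NONCE_LEN = 16  # 128-bit random challenge per side per handshake


class HandshakeError(Exception):
    """Raised when a peer fails to prove possession of the shared key."""


def make_proof(key: bytes, role: bytes, own_nonce: bytes, peer_nonce: bytes) -> bytes:
    # The role label gives domain separation: an initiator proof can never be
    # accepted as a responder proof, which blocks reflection attacks. Covering
    # both fresh nonces blocks replay of an earlier transcript.
    return hmac.new(key, role + own_nonce + peer_nonce, hashlib.sha256).digest()


def derive_session_key(key: bytes, nonce_a: bytes, nonce_b: bytes) -> bytes:
    # Per-handshake traffic key so the long-term pre-shared key is never used directly.
    return hmac.new(key, b"session" + nonce_a + nonce_b, hashlib.sha256).digest()


class Device:
    """One endpoint holding a pre-shared key provisioned out of band (assumed)."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name = name
        self._key = key
        self._nonce = b""
        self._peer_nonce = b""
        self.session_key: bytes | None = None

    # Initiator side
    def hello(self) -> bytes:
        """Message 1: send a fresh challenge."""
        self._nonce = secrets.token_bytes(NONCE_LEN)
        return self._nonce

    def finish(self, peer_nonce: bytes, peer_proof: bytes) -> bytes:
        """Verify message 2, then produce message 3 (our own proof)."""
        expected = make_proof(self._key, b"responder", peer_nonce, self._nonce)
        if not hmac.compare_digest(expected, peer_proof):
            raise HandshakeError(f"{self.name}: responder could not prove the key")
        self.session_key = derive_session_key(self._key, self._nonce, peer_nonce)
        return make_proof(self._key, b"initiator", self._nonce, peer_nonce)

    # Responder side
    def challenge(self, peer_nonce: bytes) -> tuple[bytes, bytes]:
        """Message 2: answer the initiator's challenge and issue our own."""
        self._peer_nonce = peer_nonce
        self._nonce = secrets.token_bytes(NONCE_LEN)
        return self._nonce, make_proof(self._key, b"responder", self._nonce, peer_nonce)

    def accept(self, peer_proof: bytes) -> None:
        """Step 4: verify the initiator's proof before trusting anything it sends."""
        expected = make_proof(self._key, b"initiator", self._peer_nonce, self._nonce)
        if not hmac.compare_digest(expected, peer_proof):
            raise HandshakeError(f"{self.name}: initiator could not prove the key")
        self.session_key = derive_session_key(self._key, self._peer_nonce, self._nonce)


def run_handshake(initiator: Device, responder: Device) -> bool:
    """Drive the exchange; True only if both sides authenticated and agree on a key."""
    try:
        n_a = initiator.hello()                   # 1. A -> B: nonce_A
        n_b, proof_b = responder.challenge(n_a)   # 2. B -> A: nonce_B, proof_B
        proof_a = initiator.finish(n_b, proof_b)  # 3. A -> B: proof_A
        responder.accept(proof_a)                 # 4. B verifies proof_A
    except HandshakeError:
        return False
    return initiator.session_key is not None and initiator.session_key == responder.session_key


# Constructed keys for the example only; real keys come from secure provisioning.
GOOD_KEY = bytes.fromhex("7f" * 32)
ROGUE_KEY = bytes.fromhex("00" * 32)

if __name__ == "__main__":
    print("genuine peers:", run_handshake(Device("plc", GOOD_KEY), Device("gateway", GOOD_KEY)))
    print("rogue device: ", run_handshake(Device("plc", GOOD_KEY), Device("rogue", ROGUE_KEY)))
```

The two details worth copying into any real design are the fresh nonce from each side (so a recorded handshake cannot be replayed) and the role label inside the HMAC (so a device cannot be tricked into answering its own challenge). A rogue device that does not hold the key fails at step 3 or 4 and never receives a session key.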
Take a look at any manufactured item at hand and reflect on the countless steps that went into its production. Many different groups of people are chained together to assemble, test, and deliver the parts you use to make your supply chain work. Very often the gaps in our knowledge of this production process lead to lapses in judgement. A savvy supply chain owner might believe that his understanding of the production process covers it from beginning to end, but complete visibility in this respect is rarely attainable. More than likely, you are presently unaware of several teams of people entrusted with producing vital components of the hardware and software you use every day. Ask yourself at which point in the A to Z of production your ignorance is most pronounced. The important thing is to make sure your personnel are filling in these gaps, acquainting themselves with these unknown teams of developers, engineers, factory workers, or whomever else, and can vouch for the quality of their security and operating standards.
Transparency, as has been concluded, is important, but that's not to say every dealing with a vendor involves absolute openness. Access to your systems should be given only to the most trusted vendors, and even when a trusted vendor is given access to your most valued data, they should see only the portion they need for the job. The vetting process that establishes trust between supply chain and vendor should rest on a strong basis of confidence and confidentiality. However solid this foundation may appear, it will need to be re-examined over time: access should expire and be re-authorized rather than granted once and forgotten.
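The scoped, time-limited vendor access described above, as an added example (written for this edit, not code from the original article): a signed grant lists exactly which resource and action pairs a vendor may use and when the grant lapses, and a deny-by-default check enforces it. The vendor name, the resource and scope names, the signing key and the grant format are constructed assumptions; in production the same idea is usually delivered by an identity provider issuing short-lived tokens.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from typing import Iterable

# Constructed signing key for the example only; in production it lives in a KMS or HSM.
SIGNING_KEY = bytes.fromhex("a5" * 32)

# Grants pulled before expiry, e.g. when a vendor's engagement ends early.
REVOKED_GRANTS = set()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_grant(vendor: str, scopes: Iterable[str], ttl_seconds: int,
                now: int | None = None, key: bytes = SIGNING_KEY) -> str:
    """Sign a grant naming exactly the resource:action pairs a vendor may use and when it lapses."""
    now = int(time.time()) if now is None else now
    payload = {"vendor": vendor, "scopes": sorted(set(scopes)), "iat": now, "exp": now + ttl_seconds}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())


def check_access(grant: str, resource: str, action: str,
                 now: int | None = None, key: bytes = SIGNING_KEY) -> tuple[bool, str]:
    """Deny by default: return (allowed, reason) for one requested operation."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, sig_b64 = grant.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return False, "malformed grant"
    # Verify the signature before trusting anything inside the body.
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), sig):
        return False, "bad signature"
    claims = json.loads(body)
    if grant in REVOKED_GRANTS:
        return False, f"grant for {claims['vendor']} was revoked"
    if now >= claims["exp"]:
        return False, f"grant for {claims['vendor']} expired; vendor must be re-authorized"
    if f"{resource}:{action}" not in claims["scopes"]:
        return False, f"{claims['vendor']} was not granted {action} on {resource}"
    return True, f"{claims['vendor']} may {action} {resource} until {claims['exp']}"


if __name__ == "__main__":
    # Constructed scenario: a logistics vendor needs order and shipment data for one shift.
    grant = issue_grant("acme-logistics", ["erp/orders:read", "erp/shipments:read"], 8 * 3600)
    for resource, action in [("erp/orders", "read"), ("erp/pricing", "read"), ("erp/orders", "write")]:
        print(resource, action, check_access(grant, resource, action))
```

Three properties map directly to the advice above: the vendor sees only the named resources (pricing stays hidden even though it lives in the same ERP), read access does not imply write access, and the grant dies on its own unless someone consciously re-authorizes it.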
Legacy support is also one of the vertebrae forming the backbone of cybersecurity best practice. End-of-life products should not simply be discarded carelessly. With legacy support, you'll be able to phase out end-of-life technology responsibly, in a manner that ensures the data it contains is not left as prey to cyberattackers: wipe its storage, revoke its credentials and certificates, and remove it from inventory. The IP addresses, hostnames, and other identifiers associated with these devices may still be referenced elsewhere in your systems and might need to be retained or redirected. Therefore, it is important that you practice good habits when retiring old technology. Ask yourself which parts of these retired items might need to be retained. How will withdrawing these products from your supply chain affect the entire ecosystem of the supply chain?
To conclude, cybersecurity represents a delicate question, one that sits at the very heart of good business practice. In the interests of time management and quality standards, you should continue to educate yourself about the latest developments in cybersecurity technology. The correct disposition to maintain towards cybersecurity requires you to view these developments not as steps towards a panacea but always as time-limited palliatives. Every new layer of security applied to an already seemingly secure system also brings new surface for hackers to probe, so no layer is ever the last.
If necessity is the mother of invention when it comes to developing secure technology, then recovery is the mother of prevention when it comes to using it. If you follow the advice in this article, you'll be able to rest easier knowing that your response readiness is at its highest when the inescapable makes itself known. The attention you pay to security should, then, be equal to the attention you devote to the supply chain itself: in essence, to matters of profit, mission, and values.
Want to know more on how to manage your supply chain business? Book a free consultation with Patrick Rigoni today!