The supply chain is the network of partners and vendors who handle your product, from its inception as raw materials to its distribution as a finished product. This definition holds for products in every industry segment: retail, package delivery, healthcare, hardware, and software alike. In the software industry the kinds of supply chain vendors differ, but the idea remains the same: they either help build your product, distribute and resell it, or both.
For all the collaborative team effort a supply chain network promotes, there are two sides to this coin.
Collaboration means your offerings are available to those partners too. All your data, product information, and the product itself are open to them. The degree of access varies, but it means they can be a vector through which bad actors break in and eventually reach you.
According to a study by Opus and the Ponemon Institute, 59% of companies have experienced data breaches due to their supply chain vendors. More than half is not a number you should take lightly.
Securing your supply chain network is as essential as securing yourself
You might have an army of solutions up and running to brace yourself against hackers. But it all means nothing if hackers get to you through your supply chain vendors.
There is a popular saying by Stanislaw Jerzy Lec – “The weakest link in a chain is the strongest because it can break it.”
This quote aptly describes the relationship between an organization and its supply chain vendors. Irrespective of how many firewalls you have, or how many access controls you have established within your organization, a loophole in a supply chain vendor's system can expose you as if you had never had a firewall in place!
The blame for this predicament almost inevitably falls on the Chief Information Security Officer (CISO). No CISO can possibly keep track of every vendor and that vendor's own vendor network; that would take superhuman capability. Yet the CISO is the one who takes the fall, your organization is the one that gets the blame, and eventually your business reputation takes the toll.
The news of a data breach in your organization, as we all know, can have devastating repercussions. The damage to trust in your brand alone can put you out of business, and the operational cost of recovering from a breach can shut down all your functions.
The reasons for this are several. Your smaller vendors may not be equipped to defend themselves against hackers. The larger vendors have their own complications, even when they have a security solution in place. And sometimes code from a third party is all it takes to leave you exposed.
Let’s understand the ways third-party associations can expose you:
- Delivery of malware to your code
79% of the codebase in an application comes from third-party software libraries. What does this tell us? A large part of an application's code is not your custom code; most of it comes from volunteers who have contributed these chunks of code. Often, these libraries are not vetted and not tested for vulnerabilities. You are extending trust to the supply chain, and hackers violate that trust by injecting malware. When an application rolls out an update and the server hosting that update is compromised, users end up downloading the attacker's replacement instead of the genuine update.
The recent data breach of CCleaner occurred in just this way. The hacker replaced the original software with a malicious one, and that was it: 2.3 million users were affected.
- Too small a vendor
Your vendor might be a smaller organization that is itself not well-equipped to handle a data breach. They may not have the resources to acquire solutions that protect them from hackers. You might dismiss the possibility that bad actors can reach you through these smaller vendors because of their size, not realizing that they are, in fact, easier targets.
- Third-party vendors, who?
A recent study revealed that 11% of organizations don't even know who their third-party vendors are, and among those who do know, 32% don't evaluate them. Such carelessness is an open invitation to hackers when you sign up with parties you aren't even familiar with. And for hackers, with social media and a little research, it is easy to work out who your vendors are. When they put more effort into knowing your vendors than you do, you stand little chance of securing yourself.
- A patchy work
Thirty-eight days is the average time taken to patch a vulnerability, according to a report. A vulnerability is detected; the vendor releases a patch to the customers who bought the software; those companies then have to test it and make sure the patch will not cause further problems; only after that evaluation is the patch applied. Yet, in European organizations, 34% of data breaches were the result of an unpatched vulnerability, according to a study. Now, 38 days is ample time for a hacker to act, isn't it?
- Corporate espionage
Whether it is your employee or your vendor's employee, anyone who has access to your shared data holds the power to violate it unless supervised appropriately. Of even greater concern are employees who leave the company yet retain access to your data. Even if you have access controls in place, your vendor may lack them. The same applies to the vendors themselves: they might find loopholes in your SLAs and, under cover of security controls that were never defined, take advantage of them.
- The IoT issue
The Internet of Things has undoubtedly connected systems and people well. But it connects opportunities for hackers as well, if not monitored correctly. A vast array of devices falls under IoT, and all of them can be vulnerable to threats, especially now that their data lives in the cloud. For example, the sensors in these devices can be hacked and tampered with, giving access to the wrong people.
- The question of cloud security
Cloud has advanced rapidly, and the debate over its security has too. When hardware is stored on your own premises, there are several locks to get through and possibly staff to guard it. The same degree of care must be taken in the cloud. If it is not, then with your servers in the cloud your data is easily accessible to hackers.
Fret not, help your supply chain help you
- Knowledge is power!
Training your employees, vendors, partners, and other stakeholders is as essential as understanding the risks yourself. You never know through whom an attacker will decide to reach you; all they need is someone's trust. A phishing email is sometimes all it takes to get hold of your data. Ninety-five percent of all security incidents involve human error, according to the Cyber Security Intelligence Index report by IBM. Thus, you must train every employee with the power to cause a data breach. Cybersecurity best-practice sessions must be carried out regularly. Simple things like disposing of important documents properly, and not writing down important information on paper, can make or break your security.
- Agree well on your agreement
A well-defined Service Level Agreement (SLA) is indispensable. Your contract with vendors and any other third parties must be written so as to impress on them the seriousness of security. This makes them take their own security seriously, which in turn protects you. It also establishes accountability when a security action has to be taken. The controls by which you will measure their security, testing, scanning, and data handling must all be defined clearly. If they fail to measure up, they can see where they fall short and rectify it.
- Run a thorough audit, and audit again
If you don't know your third parties well yet, the time to start is now. Audit your vendors and understand the risks that come with your relationships with them. Audit the vendors with whom your vendors deal; this ensures you have vetted your own vendors properly. Establish risk controls for all your third-party vendors, and ensure they all adhere to them. If a risk score comes out high, sit down with the party concerned and work out how to maximize their security. This effort might seem time-consuming, but it pays off in the end.
- Segment your assets
It isn't enough to put a single security layer over your entire solution. Your assets must be micro-segmented. For example, your customer data and financial data must be well separated architecturally. This is one way to keep hackers at bay. You never know what an attacker is after, whether your financial records or your customer information, and segmentation sends them on a wild goose chase while your systems detect that you are under threat.
- Test your code
Once you bring library code into your system, it becomes one with your own code; the distinction no longer exists. So keep such code to a minimum and test it thoroughly before using any of it.
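The two points above about third-party code (a hacker-replaced update reaching your users, and library code becoming indistinguishable from your own) share one practical control: pin the digest of every artifact you have reviewed, and refuse anything that arrives later with a different digest or no pin at all. The following is an added example written for this article, not code from the original post or from any vendor; the lock-file layout, artifact names and bytes are constructed for illustration, and the approach models the hash-pinning that package managers offer (for instance pip's --require-hashes mode) rather than any specific tool's format.

```python
"""Verify third-party artifacts against a pinned hash lock before they enter
the build or an update is applied.

Added example, not from the original article. The lock-file format and the
artifact names/bytes are constructed for illustration."""
import hashlib
import hmac
import json

# Constructed sample data: the artifacts as they were when the team reviewed
# and approved them. In practice these are the reviewed release files.
TRUSTED_ARTIFACTS = {
    "vendorlib-1.4.2.tar.gz": b"vendorlib source archive, reviewed build 1.4.2",
    "updater-2.0.bin": b"updater binary as signed off by the vendor",
}

# Constructed sample data: what the update server / package index delivered
# later. The updater has been swapped for a different binary (the
# CCleaner-style scenario) and a dependency nobody approved has appeared.
DELIVERED_ARTIFACTS = {
    "vendorlib-1.4.2.tar.gz": b"vendorlib source archive, reviewed build 1.4.2",
    "updater-2.0.bin": b"updater binary with an extra payload bolted on",
    "newdep-0.1.tar.gz": b"a transitive dependency that was never vetted",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_lock(trusted: dict) -> dict:
    """Run once, at vetting time, to pin the digest of every approved artifact.
    Commit the result next to the code so any later change shows up as a diff."""
    return {name: sha256_hex(data) for name, data in trusted.items()}


def lock_to_json(lock: dict) -> str:
    """Serialise the lock deterministically so it diffs cleanly in version control."""
    return json.dumps(lock, indent=2, sort_keys=True)


def lock_from_json(text: str) -> dict:
    """Load a lock previously written by lock_to_json."""
    return json.loads(text)


def verify_artifact(name: str, data: bytes, lock: dict) -> str:
    """Classify one delivered artifact: 'ok', 'hash mismatch' or 'unpinned'.

    Anything absent from the lock is rejected too: a dependency that appears
    without review is as much a supply-chain risk as a tampered one."""
    expected = lock.get(name)
    if expected is None:
        return "unpinned"
    # compare_digest keeps the comparison time independent of where the digests differ.
    if not hmac.compare_digest(sha256_hex(data), expected):
        return "hash mismatch"
    return "ok"


def verify_delivery(delivered: dict, lock: dict) -> dict:
    """Verdict for every delivered artifact, keyed by artifact name."""
    return {name: verify_artifact(name, data, lock) for name, data in delivered.items()}


def accepted_artifacts(delivered: dict, lock: dict) -> list:
    """Names that may proceed to install; everything else is held for review."""
    verdicts = verify_delivery(delivered, lock)
    return sorted(name for name, verdict in verdicts.items() if verdict == "ok")


if __name__ == "__main__":
    # Round-trip the lock through JSON, as it would be stored in the repository.
    lock = lock_from_json(lock_to_json(build_lock(TRUSTED_ARTIFACTS)))
    for name, verdict in verify_delivery(DELIVERED_ARTIFACTS, lock).items():
        print(f"{verdict:14s} {name}")
    print("install:", accepted_artifacts(DELIVERED_ARTIFACTS, lock))
```

The lock is generated only at vetting time, from the copy a reviewer actually looked at, and verification happens on every later download; a new version of a library therefore cannot slip in silently, because updating its digest is a visible change in version control that someone has to approve. Publisher signatures on the artifacts add a second, independent check on top of this and are worth requiring where the vendor provides them.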
- Get an outside perspective
You can have a thorough risk assessment run even if you don't have the bandwidth to carry it out yourself. Various organizations will run an external risk assessment of your vendors for you, examining how vulnerable each one is to attack. You can include this in your audit of your current vendors, or even before you sign someone on as a vendor.
- Identity Management solution, for all
Identity and access management (IAM) is among the most robust defenses against cybercrime. It keeps both internal and external issues at bay. First, you can safeguard your internal identities with single sign-on, password management, and appropriate governance and administration tools. This is the inside-out approach, in which your internal identities are protected. But what about your third parties? You can protect them too, using the outside-in IAM model. Everyone who falls within your corporate ecosystem can be covered, and their identities are kept in check and monitored continuously. IAM starts with a directory. With an IAM solution like Cross Identity's, you can combine all the directories into one. If a third party has no directory of its own, Cross Identity's directory can be used to bring them into your system. From there, by defining policies for governance and compliance, your network of third parties can be streamlined.
Your long chain of suppliers, vendors, and partners might seem cumbersome to manage. The idea of securing vendors, and their vendors in turn, can feel overwhelming and tedious. But with awareness, intelligent solutions, and investment in the right tools, it can be as simple as you want it to be.
These chains need not tangle you or shackle you any more. They can unify your solutions and take your business far and wide, as they are supposed to.