It’s a rare day if you don’t see a headline about a data breach or ransomware crippling a business or the supply chain. Websites are defaced, personal and financial information is stolen, and even medical information is at risk of theft and improper sharing. Software once thought secure is now at greater risk than ever as malicious insiders and state-sponsored hacking have taken the forefront of electronic espionage and harmful data dumps. It’s become so prevalent that the US government is working with Microsoft and Google to secure free software. To secure financial and confidential contract information, the US government is also enacting new standards that will cost federal suppliers and their secondary suppliers millions of dollars to implement.
The threats are that bad and are getting worse. In 2020, the number of reported spam phishing attacks was 1.5 million. In 2021, there were over 10 million, a 573% increase, and this number is expected to keep growing. It’s no wonder that cybersecurity personnel are in such high demand. So much so that colleges and universities are tailoring their cybersecurity degree curriculums to simulate the latest security threats. Using virtual labs, those training to be on the front line of infrastructure security are able to get real-world experience. This focus on training is clearly working, as the field is expected to grow more than 30% in the next decade. For companies that work in the supply chain, this increase can’t come soon enough.
Why Invest in Supply Chain Cybersecurity?
Investing in good cybersecurity practices prevents headaches down the line and is great for customer confidence, but knowing what to safeguard is a must. Focusing on supply chain security lessens the possibility of external attacks through supplier portals, supplier fraud, and data leaks. If you have employees who work from home, chances are their home network is not as secure as your commercial one. Electronic criminals have increasingly targeted home office workers since the pandemic because of the lighter consumer-grade security in use. With social engineering and phishing attacks on the rise, cybersecurity education is a solid investment, especially for contingent workers. Supplier fraud, or vendor fraud, is another risk a cybersecurity program mitigates. If supplier gateways aren’t secure, or if the supplier has weak cybersecurity practices, your company risks being attacked through the connection to the supplier’s systems. Once a malicious actor has access to your systems, your data is at risk if file protections and access control are not a priority.
How to prioritize cybersecurity in supply chain operations
So, how do you implement supply chain security? A major program of your information security plan should be training and education. Implement phishing tests for your employees that evaluate their ability to recognize suspicious emails and social engineering calls. Your employees are your first line of defense against these types of threats; invest in them. Make sure insider threat is a part of this training and give examples of malicious behavior. Conduct background checks on employees who have access to sensitive or proprietary information, and make sure that they only have access to the information they need to do their jobs. Access control is central to good cybersecurity hygiene; if employees don’t have a business reason to access information, they shouldn’t be able to get to it. VPNs and end-to-end encryption will provide an added layer of security for those working remotely. Add two-factor authentication on top of that to harden your systems even more.
Prioritize supply chain security holes
Another thing you need to know is where the holes are in your security fabric: where are the vulnerabilities and what is affected? In our article on using a software bill of materials (SBOM), we outline a way of finding vulnerabilities and automating the search across your deployed devices. Third-party vendors may not be timely in their notifications of vulnerabilities, and this is one way to mitigate that threat. Keep suppliers sequestered to only the data they need to conduct business. Suppliers should never have access to your internal data; if they can’t get to it, they can’t leak it.
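As an added illustration of the automated SBOM search described above (example code written for this page, not from the referenced article or from vigilant-ops.com), the following script checks the components listed in a CycloneDX-style SBOM against an advisory feed and groups the hits by supplier, so you know which vendor to chase for a patch. The SBOM, the advisory list and the advisory IDs are constructed placeholders, not real data or CVEs.

```python
import json
import re

# Constructed CycloneDX-style SBOM (placeholder components and suppliers).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "openssl", "version": "1.1.1k", "supplier": {"name": "Vendor A"}},
    {"name": "libcurl", "version": "7.79.0", "supplier": {"name": "Vendor B"}},
    {"name": "zlib",    "version": "1.2.13", "supplier": {"name": "Vendor A"}}
  ]
}"""

# Constructed advisory feed: placeholder IDs, not real CVE numbers.
# Each entry says which component is affected below the given fixed version.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "openssl", "fixed_in": "1.1.1l"},
    {"id": "ADV-PLACEHOLDER-2", "component": "libcurl", "fixed_in": "7.80.0"},
    {"id": "ADV-PLACEHOLDER-3", "component": "zlib",    "fixed_in": "1.2.12"},
]


def version_key(version):
    """Turn '1.1.1k' into ((1,''),(1,''),(1,'k')) so letter suffixes sort correctly."""
    key = []
    for part in version.split("."):
        m = re.match(r"(\d*)(.*)", part)
        key.append((int(m.group(1)) if m.group(1) else 0, m.group(2)))
    return tuple(key)


def is_affected(installed, fixed_in):
    """A component is affected if its version is older than the fixed version."""
    return version_key(installed) < version_key(fixed_in)


def find_vulnerable(sbom_json, advisories):
    """Return one finding per (component, advisory) pair that matches the SBOM."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["component"] == comp["name"] and is_affected(comp["version"], adv["fixed_in"]):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "supplier": comp.get("supplier", {}).get("name", "unknown"),
                                 "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return findings


def findings_by_supplier(findings):
    """Group affected component names by supplier so each vendor can be contacted."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["supplier"], []).append(f["component"])
    return grouped
```

Run `findings_by_supplier(find_vulnerable(SBOM_JSON, ADVISORIES))` to get a per-vendor list of components that need a patch request.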
In today’s digital-centric society, the supply chain needs to be a top cybersecurity priority. Failing to do so will cause mass disruption to companies and their customers.
Submitted by Danielle Gregory for vigilant-ops.com