Introduction
When talking about supply chain management, we often focus on the retail, automotive, oil, and food and beverage sectors. Such industries deal with tangible products that are consumed on a daily basis, and they have invested heavily in their supply chains to protect their products from being tampered with. Supply chain risks are not limited to manufacturing industries; they are experienced in the cybersecurity industry too. A cybersecurity network is built from components made by different manufacturers, and some of those components may have security flaws embedded in their software (Wilkerson, n.d). Such flaws can be hard to detect because they do not affect the normal functioning of the network. According to Kube (2015), most cybersecurity companies also use contract manufacturers, which raises the question of whether their products are genuine or contain malicious code. It is crucial to understand and manage the supply chain well, as it affects the operations of the cybersecurity industry. Understanding the cybersecurity supply chain makes it easier to identify risks and to develop effective strategies to mitigate them.
Supply Chain Risks
In the past few years, several organizations have experienced cybersecurity breaches. Kennedy & LaMondia (2015) give the example of Target’s security breach in 2013, in which the organization became the victim of a successful phishing attack. The attackers gained entry through one of Target’s vendors, an HVAC company, and were able to collect the personal and financial information of 110 million Target customers. The attack shows that cybersecurity risks have many sources.
The first source of cybersecurity risk is the use of many hardware subcontractors. The cybersecurity team procures different hardware and software from various contractors. Wilkerson (n.d) gives the example of purchasing a laptop: the processor is procured from either Intel or AMD, yet Intel and AMD in turn rely on other sub-contractors to supply the components used to make the processor. Working with many contractors and sub-contractors lengthens the supply chain and exposes the organization to a wider range of risks.
According to Kube (2015), a lack of visibility into the sourcing and tracking of sensitive components in the supply chain exposes the organization to risk. The processes are not integrated, so there are accountability gaps between the primary manufacturer and its many suppliers. This failure to integrate processes makes it hard for the organization to protect critical operations and sensitive data.
Another source of supply chain risk is third-party software providers. According to CERT-UK (2015), cyber-espionage is on the rise. Oil and pharmaceutical companies are being targeted through third-party software manufacturers by attackers who want to take advantage of loopholes in the supply chain. The attackers compromise the websites of software suppliers by replacing legitimate files with malware: they ‘trojanise’ the legitimate files, which then find their way into the organization’s systems, as seen in Target’s case (Kennedy & LaMondia, 2015). Once installed, the malware provides remote-access functionality that can be used to control the systems. Unfortunately, compromised software is difficult to detect, and the target company has no reason to suspect its trusted supplier unless it experiences severe problems with the system.
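Because a replaced or added file on a supplier’s download site is hard to spot by eye, one practical check is to compare every file in a vendor release against a manifest of digests recorded when the release was first vetted. The Python below is an added example, not code from the original essay or from any of the cited sources; the file names, file contents and the manifest are constructed for illustration, and the example assumes the manifest was obtained over a separate, trusted channel rather than from the same server as the files.

```python
"""Integrity check of vendor-supplied files against a pinned hash manifest.

Assumption (constructed example): the manifest of expected SHA-256 digests was
obtained out of band, e.g. from the vendor's signed release notes, so a file
swapped on the download site no longer matches the digest recorded for it.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Record the digest of each known-good file (done once, when the release is vetted)."""
    return {name: sha256_hex(content) for name, content in files.items()}


def verify_release(manifest: dict[str, str], files: dict[str, bytes]) -> dict[str, str]:
    """Compare a downloaded release against the manifest.

    Returns a status per file name:
      ok         - digest matches the manifest
      tampered   - file present but its digest differs (file was replaced)
      missing    - listed in the manifest but absent from the download
      unexpected - present in the download but not in the manifest (file was added)
    """
    report: dict[str, str] = {}
    for name, expected in manifest.items():
        if name not in files:
            report[name] = "missing"
        elif hmac.compare_digest(sha256_hex(files[name]), expected):
            report[name] = "ok"
        else:
            report[name] = "tampered"
    # Files the vendor never listed are as suspicious as altered ones.
    for name in files:
        if name not in manifest:
            report[name] = "unexpected"
    return report


def release_is_trusted(report: dict[str, str]) -> bool:
    """A release is accepted only when every listed file is present and unchanged."""
    return bool(report) and all(status == "ok" for status in report.values())


# Constructed sample data: the release as originally vetted, and a later
# download from a compromised vendor site (one file replaced, one file added).
GOOD_RELEASE = {
    "setup.bin": b"legitimate installer bytes v1.2",
    "helper.lib": b"legitimate helper library v1.2",
}
MANIFEST = build_manifest(GOOD_RELEASE)

COMPROMISED_RELEASE = {
    "setup.bin": b"legitimate installer bytes v1.2",
    "helper.lib": b"trojanised helper library v1.2",        # replaced file
    "updater.lib": b"extra file carrying remote-access code",  # added file
}

if __name__ == "__main__":
    for label, release in (("good", GOOD_RELEASE), ("compromised", COMPROMISED_RELEASE)):
        report = verify_release(MANIFEST, release)
        verdict = "trusted" if release_is_trusted(report) else "REJECT"
        print(f"{label}: {verdict} {report}")
```

Run stand-alone, the script reports the vetted release as trusted and rejects the compromised one, naming the replaced file and the extra one. The per-file status matters more than a single pass/fail: a `missing` or `unexpected` entry is as much a signal as a digest mismatch, and the check is only meaningful if the manifest did not travel over the same channel as the files it protects.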
Another source of supply chain risk is legitimate website builders. Cyber-espionage groups look for loopholes by analyzing the activities of the organization’s website builders. Once they identify the strategically important elements and resources used by the website builders, they find ways to penetrate the system. Cyber-espionage groups have targeted e-banking systems for years. Organizations in the UK, Italy, and the USA have reported disruptions to their e-banking software caused by the Shylock banking Trojan (CERT-UK, 2015). The creators of Shylock compromised legitimate websites by inserting a redirect script that sends an organization’s activity back to them.
Third-party data stores are another source of risk. Many businesses now outsource their data storage to companies that offer storage services; these companies process and store information on behalf of their clients. Some of the stored information is sensitive, such as details of the organization’s financial health and strategy. CERT-UK (2015) gives the example of cyber-espionage groups that, in 2013, targeted firms handling high-profile mergers through the networks of data aggregators. The attackers compromised the data aggregators by establishing a small botnet that transferred the information over encrypted channels.
Due Diligence
Given the many cybersecurity risks, organizations must put in place a comprehensive risk-management strategy, starting with the supply chain. Organizations must take the time to understand supply chain risks and partner only with trusted vendors (Halpert, 2015). An organization should not trust a vendor merely because it has a good reputation, since vendors are themselves frequent targets of cyber-espionage groups and malware creators. Additionally, the supply chain network is changing rapidly: vendors now rely on sub-contractors to fulfill their orders, and organizations rely on third-party storage facilities to store and manage big data. Organizations should therefore apply rigorous risk-management decision-making to their vendors (Zych, 2013).
The organization should create a skilled cyber-defense team and, where needed, consult external experts to assess each supplier for the risks it presents and how it handles them. The cyber-defense team will be responsible for the due diligence process; it will review all suppliers by asking the tough questions. Below is a list of five cybersecurity-related questions to ask suppliers during the due diligence process:
1) Do you conduct periodic cybersecurity risk reviews?
2) How are you managing your supply chain risk?
3) How do you respond to a breach?
4) Are you keeping up with the rapid changes in the cybersecurity technology and risks?
5) How will you help this organization deal with the supply chain risks it faces?
Best Practices for Managing Global Supply Chain Risks
As discussed above, the supply chain has many vulnerabilities that expose the organization’s systems to a host of risks. Organizations, and the cybersecurity industry as a whole, should implement best practices to manage global supply chain risks. The different best practices can be applied together or individually, depending on the information system.
The first best practice is to identify the elements of the supply chain, its processes, and its actors (Chabrow, 2012). A supply chain contains many actors and processes, and the organization must identify and monitor all of them. The organization should have a visual representation of the supply chain to help it determine high-risk events and activities. Without reasonable visibility, the organization will not know where risks originate, how to reduce the likelihood of their occurrence, or how to manage a risk once it materializes.
Secondly, the organization can limit access to and exposure of the supply chain. The cybersecurity industry requires hardware, firmware, and software, and in most cases the three components come from different suppliers (Inserra & Bucci, 2014). Organizations should limit access to the supply chain as much as possible. The organization should prefer one supplier that can perform several functions over many suppliers each serving a single purpose; it is easier to monitor supplier risk when only a few suppliers are part of the supply chain.
The organization or its cybersecurity team must share information under strict limits. Organizations often share critical information about specific elements of the supply chain with their suppliers so that the suppliers can integrate their products. Organizations should share only the necessary information and limit the number of people with access to it. The organization should also hold the partners it shares information with accountable, as the information must be protected according to the agreed-upon practices.
The cybersecurity team should provide supply-chain risk management training. With the increasing number of destructive cyberattacks carried out through the supply chain, personnel need training on supply chain risks, policies, procedures, and controls. Supply chain training should be customized to the needs of the organization’s supply chain; organizations with larger supply chains will have more training to do to ensure that all actors are aware of the supply chain risks, policies, and procedures. According to Chabrow (2012), published guidance such as NIST SP 800-50 can be used to structure supply chain management training and helps the cybersecurity team create a comprehensive training program.
Lastly, the cybersecurity team should use defensive designs for its systems and processes. When integrating the different elements of the supply chain, it is crucial to use a defensive design to ensure that the result is secure and safe and that all risk management elements are in place. Before any element is integrated into the supply chain, it must be manufactured and tested; it is fully integrated only once it complies with all requirements and has been evaluated for vulnerabilities (Chabrow, 2012).
Summary and Conclusion
The cybersecurity industry now faces more challenges than ever before. Attackers use the different vulnerabilities in the supply chain to access confidential information or to find their way into the system. Fortunately, as the risks grow, so do the opportunities: there are many strategies, tools, and security standards to guide the cybersecurity industry. The most important strategy is to be aware of the different actors and processes in the supply chain, because the cybersecurity industry can defend itself from supply chain risks only when it is aware of their many sources. These sources include partnerships with many suppliers and sub-contractors, third-party software providers, and third-party data storage. After analyzing the risks, the cybersecurity team must implement best practices to minimize them. Recent catastrophic data breaches, like the one that led to the loss of extensive confidential information at Target, show that the cybersecurity industry cannot afford to be careless with supply chain risks.
References
CERT-UK. (2015). Cyber Security Risks in Supply Chain. Retrieved from: https://www.ncsc.gov.uk/guidance/cyber-security-risks-supply-chain
Chabrow, E. (2012). 10 Supply Chain Risk Management Best Practices. Bank Info Security. Retrieved from: http://www.bankinfosecurity.com/10-supply-chain-risk-management-best-practices-a-5288/op-1
Halpert, J. (2015). Effective cybersecurity: 8 questions for you and your team. DLA Piper. Retrieved from: https://www.dlapiper.com/en/us/insights/publications/2015/03/ipt-news-q1-2015/effective-cybersecurity-8-questions/
Inserra, D., & Bucci, S. P. (2014). Cyber Supply Chain Security: A Crucial Step Toward US Security, Prosperity, and Freedom in Cyberspace. The Heritage Foundation, Backgrounder, (2880), 8.
Kennedy, J., & LaMondia, P. (2015). Independent contractors, outsourcing providers and supply chain vendors: the weakest link in cybersecurity? Wiggin & Dana. Retrieved from: http://www.wiggin.com/files/30783_cybersecurity-update-winter-2015.pdf
Kube, N. (2015). Cyber Security Risks in Industrial Supply Chains. Security Week. Retrieved from: http://www.securityweek.com/cyber-security-risks-industrial-supply-chains
Wilkerson, T. (n.d). Cybersecurity in the Supply Chain. United States Cyber Security Magazine. Retrieved from: http://www.lmi.org/(X(1)S(vh43e355d1g5bl45hwdnyxre))/CMSPages/getfile.aspx?nodeguid=adf22863-fca9-44ae-a93a-c20e21bae1e6&AspxAutoDetectCookieSupport=1
Zych, T. (2013). Cybersecurity: five lessons learned the hard way. Lexology. Retrieved from: https://www.lexology.com/library/detail.aspx?g=e0e6d83f-3783-457a-8ce5-cda2ed9f3dcd