Mitigating Third Party Risk in Supply Chains

This post first appeared on Risk Management Magazine. Read the original article.

third party risk digital supply chain

As a complex web of manufacturers, business partners, suppliers and other third parties, the modern-day supply chain is no stranger to attacks. With cybercriminals constantly looking to steal critical data, the system continues to be fraught with risk. Like death and taxes, cyberattacks have become a near certainty in 2018, and as long as the opportunities continue to present themselves, attackers will not concede—there is data to steal, money to be made and, for the moment, fewer defenders.

This is especially true in the era of the digital supply chain ecosystem, an intricate system further complicated by globalization and a mounting surplus of data that must be shared in order to streamline processes.

A traditional supply chain usually revolves around the construction of a physical product from raw materials. The digital supply chain, on the other hand, is indebted almost entirely to a series of web-enabled components. These tools leverage next-generation networks like cloud infrastructure and can help organizations accommodate exponential data growth, boost efficiency and reduce costs.

The traditional supply chain model has evolved over the past several years, but perhaps no industry has experienced this more than the rapidly changing automotive sector. Just a few years ago, automotive companies only had to grapple with the demands of the supplier, the manufacturer and the distributor before handing a product over to the retailer. While this scenario relied on interconnected relationships, it was fairly straightforward: Tier-1 suppliers (makers of modules and systems for various vehicle platforms) and Tier-2 suppliers (suppliers of essentials like motors, metals and electronics) helped supply parts to original equipment manufacturers (OEM), where components were integrated into vehicles, then shipped to dealer networks.

Now, technology is more intertwined with the automotive industry than ever. In the digital supply chain era, many of those Tier-1 and Tier-2 suppliers have been forced to innovate and develop new technologies to keep pace with competitors. Today’s vehicles can be likened to computers on wheels, equipped with sensors that monitor airflow, oxygen, engine speed and fuel temperature. They are equipped with robust computer systems and technologies that specialize in navigation, engine efficiency and driver safety. That is to say nothing of the mechanics of autonomous vehicles and connected cars, which are complex, data-rich systems that come with their own set of supplier-OEM relationships and are a far cry from the traditional supply chains of yore.

All of this is driven by—and would be impossible without—the ability to securely share sensitive data, including valuable trade secrets, among supply chain partners.

One of the biggest catalysts behind the rise of the digital supply chain, the cloud, has changed the risk profile of organizations. By moving data to the cloud, companies have added complexities to their ecosystem, creating more ways data can be compromised, which translates into more risk.

At its crux, managing supply chain risk is a data problem. Data is the lifeblood of business—if a company does not have knowledge about where that information is going throughout the supply chain, it could jeopardize the company’s future, profits and brand.

Thus, over the past several years, policymakers, researchers and IT experts have underscored the importance of ensuring these relationships remain secure in the face of growing threats. This spring, in version 1.1 of its Framework for Improving Critical Infrastructure Cybersecurity, the National Institute of Standards and Technology (NIST) stressed organizations must better understand cyber supply chain risk management (SCRM) due to the complex and interconnected relationships inherent in the chain.

Earlier this year, the National Cyber Security Centre, a division of the U.K. government intelligence agency GCHQ, called supply chain attacks one of the biggest threats to U.K. businesses. Indeed, NTT Security’s 2018 Global Threat Intelligence Report, released in April, documented a significant spike in attacks targeting the supply chain last year.

The most expensive incidents involving the supply chain stem from third-party risk. A recent survey conducted by Kaspersky Lab polled organizations on their IT security spending in 2017 and found that targeted attacks cost them $1.11 million; incidents affecting IT infrastructure hosted by a third-party cost $1.09 million; incidents involving non-computing connected devices cost $993,000; incidents impacting third-party cloud services cost $942,000; and data leaks from internal systems cost $909,000.

Perhaps the most infamous supply chain attack this decade, Target’s massive data breach in 2013 ultimately cost the company $290 million. In that hack, attackers broke into the retailer’s network after stealing credentials from a refrigeration/HVAC company that worked at several of the company’s locations. From there, the attackers gained access to a customer service database, installed malware, and made off with data from 41 million of the company’s customer payment card accounts.

IT administrators can restrict what a user can do and what files they can access through control policies or through Group Policy Object (GPO) management, but those solutions can leave gaps when they are misconfigured. Often, they are too broad, which can also open the door to risk, even more so if it is a corporation that parses gigabytes of intellectual property or that is involved in critical infrastructure, like oil, gas or energy.

Ultimately, one of the best ways to mitigate risk in supply chains is by ensuring data is properly controlled and monitored when organizations work with third parties. When a manufacturing company needs to have a product assembled, it will outsource the task and send data like drawings, intellectual property or a BOM (bill of materials) to the manufacturer. As is to be expected, the data is highly technical, potentially pertaining to anything from circuit boards to turbines to energy storage technology. More often than not, the manufacturer assembles products for several vendors, and the company will not want to run the risk of their proprietary data getting into the hands of competitors.

When an organization has to outsource the manufacturing of products to China, it is legally required to ensure none of that data is exfiltrated in the process. To do so, companies must comply with the International Traffic in Arms Regulations (ITAR), a set of U.S. regulations on the export of military technology meant to ensure defense-related technology does not get into the wrong hands. Complying with the labyrinthine regulation can be confusing and violations can be costly and damaging for companies, but solutions exist that can help organizations classify data, control what data can be accessed, and who can access it.

While the supply chain can complicate how data is shared, it does not have to make it impossible. In order to control its data, a company needs to have visibility into it before it can mitigate risk. Visibility should be a building block when it comes to establishing risk, especially in supply chain scenarios. Companies too often make assumptions about their data, especially when it comes to what is and is not leaving their systems.

An organization must understand where its data is going in a supply chain scenario, both from a top-down perspective, by looking at data egress across the company (such as how much is going to webmail, file shares or removable devices) and from a bottom-up perspective, by looking at activity over the course of a given period of time.

After an organization has visualized its data, it can easily classify the data to identify what is important, what is going where, and get a better idea of how to manage its risk. For example, simply prompting users before they send an email to an address outside of the organization or containing sensitive personally identifiable information (PII) can go a long way in helping CISOs assess and mitigate the third party data security risk that occurs when sensitive data leaves the organization. It is only by identifying what is valuable to an organization that companies can begin to overcome these challenges throughout the supply chain.

Leave a Reply

Your email address will not be published. Required fields are marked *