From the June 2020 print edition
Whenever the topic of cybersecurity gets raised regarding supply chains, an article by Garry Hawkings immediately comes to mind. The article (entitled When it comes to security in the digital age, you have to play the man, not the puck) applies directly to identifying your supply chain’s weakest security link.
Hawkings is a hockey fan, but what does he mean when he talks about playing the man instead of the puck? Citing another cybersecurity thought leader, Richard Stiennon, Hawkings identifies the organizations that are “the most vulnerable” as those whose sole focus is determining what data should be “protected,” rather than identifying “the actors” interested in stealing it. Organizations must protect themselves against the “who” and not just the “what.”
First, let’s understand the nature of the risk in our supply chains. According to an August 2019 paper from the Canadian Global Affairs Institute (CGAI), of the 1,300 IT security professionals who participated in a survey on “the risks and impacts of software supply chain attacks,” 66 per cent reported that their organization had “experienced a software supply chain incident in the last 12 months.”
As disconcerting as the frequency and cost of such intrusions is the “increasing exploitation of trusted relationships” between an organization and its outsourced providers. While the paper talks specifically about software providers that are smaller companies with weaker cybersecurity practices, these vulnerabilities can exist with any supplier. In short, the level of security in your supply chain is only as strong as its weakest link.
A friendly intrusion
Even though it is a reasonable bet that an unwanted intrusion is usually the work of unknown, malevolent individuals, that is not always the case. Consider this example from Richard Pennington, public procurement author and teacher at the National Institute of Governmental Purchasing. As Pennington tells it, two employees met and spent time together at a conference. After they went their separate ways, one of them discovered that his new acquaintance had inadvertently left his flash drive in the conference room. The flash drive held highly confidential information, including trade secrets.
Given the nature of the data, there was urgency to get it back. Because the two lived in separate cities, mailing the drive would not be fast enough. So the finder posted the files on an unsecured webpage so the owner could download them. This could have been a catastrophic compromise of trade secret information. There was a happy ending: an investigation found no unknown “visits” to the webpage, so the information had not been accessed by anyone else. It could easily have gone the other way.
Besides showing how a security breach can happen, the above story identifies the potential “who.” It was a well-meaning employee making an honest mistake.
Drawing on his many years in the security industry, Hawkings emphasizes that even the “best protective measures, be it with people or technology, will not protect you unless you understand the makeup of your security ecosystem.” According to Hawkings, that ecosystem consists of the people, the environment and the technology, including the external, industry-specific actors who are likely to pose the greatest threat.
“Building out” from the above model, a supply chain ecosystem is a network of organizations, people, activities, information and resources involved in the movement of products or services from suppliers to customers. As supply chains become more global and extended, the number of potential breach points increases with them. Being able to identify those breach points is critical to securing your network proactively.
The weakest link
A July 2019 Supply Chain Digital article found that 56 per cent of organizations reported a breach “caused by one of their third-party vendors.” At the heart of the problem is the fact that 32 per cent of buying organizations do not know where all of their third-party suppliers store data. Of those, 25 per cent simply believed suppliers would take appropriate measures to protect against or respond to an attack.
Based on the above, organizations need to take the lead in assessing these vulnerabilities, including proactive security auditing to “understand what data suppliers hold on file, where it is stored and who has access to it.”
Even though buying organizations can limit their risk exposure, many don’t take appropriate measures to do so. Following a panel discussion on supply chain risk for which I was a moderator, I spoke with Global Risk Management Solutions’ Gerard Smith.
During our talk, Smith informed me that organizations would spend more time on researching and assessing potential new employee hires than they would on assessing supplier risk. While he was talking in the broadest terms, it is reasonable to include security auditing – or the lack thereof – in his statement.
So why do organizations fail to invest the necessary time and effort into verifying the security policies and practices of suppliers?
As with the lack of clean data for analytics, most procurement organizations have neither the time nor the resources to invest in auditing their suppliers’ security practices. It becomes a question of living with the consequences of an unknown risk while managing limited resources.
With increasing demands on strained supply chains due to the pandemic, procurement departments are already overextended. Not only does this limit the ability to respond to existing risks, it prevents organizations from identifying and responding to new ones as well. It is a no-win scenario that organizations must address sooner rather than later.