The evolution of supply-chain networks over the years has largely been driven by technology. Organizations of all sizes are moving to the digital space, some compelled by the disruptions in the last year. While businesses build cybersecurity fortresses for themselves, there are several vulnerabilities at touchpoints with manufacturers, suppliers, global partners and other service providers to consider. Threats are lurking around such parties, waiting to breach security at the first chance.
Cybersecurity has matured to a certain extent for larger enterprises, although focused within the perimeter of the organization. There exists a lack of governance and control over individual departments dealing with other entities in the ecosystem, many of which are smaller businesses that are low on their cybersecurity strength. These are favorable entry points for hackers.
With the advent of disruptive technologies such as driverless vehicles, robotic process automation, and end-to-end digitization, the cybersecurity boundaries between organizations are getting blurrier. About 80% of reported breaches occur in supply-chain networks. Wherever your organization appears in the supply chain, if you’re connected, you’re at risk.
Supply-chain threats include denial of service, data leaks, customer data thefts, disruption of business, and other malware attacks such as ransomware. As it goes, the supply chain is as strong as its weakest link.
Approaching cybersecurity in the supply-chain network should be seen through three lenses: technology, people and process.
The entire supply chain needs to be included in cybersecurity protection, mitigation, and response plans. Response and recovery should not be limited to internal technology setups.
The adoption of cloud technology, internet of things (IoT) devices and virtual servers opens up new vistas for breaches. Ensure proper cybersecurity procedures such as two-factor authentications and biometric access control across all internal as well as third-party systems. Risk mitigation and recovery plans must be documented as a standard process.
Using open-source software could be a source of threats, and adequate monitoring must be planned for these setups.
Blockchain technology is an emerging trend which has the potential to enhance transparency and efficiency, along with a high level of data-security across multiple trading partners. It can enable better visibility of product, data and financial flows throughout the supply chain. It is largely adopted by businesses with complex operations and its real impact is yet to be seen. Experts believe that organizations at the very least should evaluate the viability and potential benefits of blockchain.
All employees and trading partners should be included in the security framework. Clear roles and responsibilities for all personnel and third-party entities in protection, detection, and response and recovery measures are essential.
Bring-your-own device (BYOD) policies are a major source of malware and phishing in the supply chain, and need to be a key focus. No personnel-owned device should be allowed to connect to the corporate infrastructure without channeling them through a virtual private network (VPN).
Establish processes for due diligence of the cybersecurity posture before onboarding any new entity in your ecosystem. Regular monitoring to ensure compliance of processes by all entities is essential to ensuring the capability of the recovery and response plan.
Threat intelligence dissemination is another factor that can make a huge difference to the overall cybersecurity process, but has yet to mature as a standard practice.
Establish processes to remove access for third parties after the contract is completed, as this has been an expensive mistake for many businesses.
Companies need to implement corporate-wide data-access guidelines and standards, especially when sensitive data is being shared across organizations.
Monthly server and network audits help keep a good trail of all special and admin access.
Following are some key guidelines to keep in mind as you develop a security plan for the entire network of trading partners.
- It won’t work if it isn’t a collaborative effort. You need to encourage and educate smaller businesses that you work with on cybersecurity threats. SMBs in turn can seek support from their larger partners.
- Supply-chain experts promote the idea of assuming that a breach is going to occur sooner or later, so having a cyber resilience plan is a must-have today.
- There still doesn’t exist a broad framework that would support all sizes of businesses when it comes to supply-chain cybersecurity management. However, suppliers and other parties can carry out independent and standardized verification initiatives.
- Penetration testing can eliminate known and potential vulnerabilities.
- A central team or manager should be established that regularly monitors the cybersecurity setup for the entire supply chain, to prevent “silos” of unmanaged network.
- Companies should consider the use of artificial intelligence to detect threats and breaches more proactively, and activate response systems in time.
Vijaya Rao is founder and CEO of TechVio, an I.T. services firm.