Digital attackers have many different strategies for infiltrating a target organization. That even goes for companies with robust perimeter defenses. Bad actors simply need to find a soft target they can exploit. Oftentimes, they find what they're looking for along a target's supply chain.
We can best understand the supply chain as a network of people, processes, and technologies that support an organization's operability. Most elements of a company's supply chain pose their own unique digital security risks.
For instance, an enterprise that relies on an IT solutions developer needs to know that the technologies it deploys on its network doesn't come with firmware vulnerabilities susceptible to remote exploitation. Businesses need to also make sure it can trust all contractors (Snowden comes to mind.) and service providers (We all remember what happened with Target's HVAC provider in 2013
.) that have access to the network.
It's in every organization's interest to secure their supply chains against bad actors. Recognizing this need, Microsoft held a webinar
on managing supply chain risk in March 2017. Here are four best practices gleaned from Microsoft's presentation that companies can use to strengthen the security of their supply chains.
1. Vet Suppliers, Service Providers, and Products
One of the most important elements to supply chain security is vetting on three separate levels. First, companies should make sure suppliers vet their own personnel, especially for positions where employees have access to data, systems, and facilities of their customers. Second, organizations need to vet any service provider--from janitors to HVAC personnel--that might require access to company information. Third, enterprises must vet all products they intend to integrate into their IT environment. Organizations of every size can consider using third-party services that map supplier risk management data to meet these demands.
2. Use Security Controls and Contractual Penalties
Vetting is only the first step when it comes to supply chain security. After completing the vetting process, organizations should trust but verify via the use of regular security audits. Enterprises can then couple these reviews with key security controls, such as segregation of roles and privileged access, as well as contractual penalties for suppliers or service providers that fail to meet the requirements specified in their vendor agreements.
3. Diversify Your Company's Providers
Just as every organization adheres to a different business model, every company maintains different security policies and standards. Such variability works in the interest of an organization's efforts to secure its supply chain. Indeed, companies should never have single points of failure (just one provider) along their supply chain. For the sake of resiliency, businesses would do better to diversify their providers. But only to a certain extent. After all, complexity oftentimes proves to be the enemy of security.
4. Partner with Industry and Government
Organizations can take their supply chain's security to the next level by partnering with industry and governments. They can leverage these partnerships in several key ways. On the one hand, they can help fuel the call for industry actors to share digital threat intelligence
with participating companies. On the other hand, they can work with government entities to create a set of standards that apply to securing the digital supply chain.
Supply Chain Security as a Process
Vetting, security controls, diversification, and partnerships with industry and government actors are all ways by which organizations can strengthen the security of their supply chains. But like most IT strategies, securing suppliers is an ongoing effort. Companies should therefore review their supply chain security policies on an ongoing basis and consider new defense strategies to meet their ever-evolving needs.
To learn more about supply chain security, please view Microsoft's webinar here