As companies and organizations evaluate their attack surface, they know to look at their own systems and infrastructure to defend against threats and manage vulnerabilities. However, what about their critical partners and the supply chain? With up to 80% of cyber-attacks now beginning in the supply chain, breaches at even the smallest vendors can have big consequences for enterprise-level operations. The problem of supply chain cybersecurity has become so pressing that the United States Department of Defense is rolling out the Cybersecurity Maturity Model Certification (CMMC) as a means to help secure the defense industry. Prime contractors and subcontractors will have to achieve CMMC compliance to do business as part of a DoD contract. The Primes are also expected to take on greater responsibility for ensuring that their subcontractors implement the appropriate security practices and comply with the DoD standard.
One problem in securing the supply chain is where the organizational responsibility lies. Many different departments of an enterprise work with the supply chain and other critical partners, but there’s no one person or team held accountable.
Corporate legal may include security requirements in contracts with vendors and suppliers, but how are they enforced? Do contract administrators ensure that adequate levels of security and compliance exist for their subcontractors? Do risk management practices and internal teams consider the supply chain when determining organizational risk? Does organizational incident response planning include threat detection, analysis, response and remediation activities for the supply chain as a whole? Does IT/infosec have to take on the burden of securing suppliers who may not have the capability?
Sharing threat intelligence with the supply chain community is a logical necessity, especially for shared threats, alerts and advisories, but how can this process be implemented across organizational boundaries, and who is best positioned to guide the implementation and participation?
While traditional cyber-threat sharing practices provided by ISACs and ISAOs exist for similar industries and geographical sectors, the level of member engagement varies, and breaches are not always announced due to legal constraints and potential business impacts. Sharing organizations in this structure often compete for the same business, and owners are not bound (nor do they always desire) to release information that may result in a negative impact or optic for their business.
However, Primes and subcontractors in a supply chain share a financial interest in the delivery of contractual services, products or overall mission success. In many cases the attack vectors (or attack surface) are also the same, so direct and timely threat intelligence may stop or minimize the escalation of an attack before it expands from one supplier to the next.
While the problem of supply chain cybersecurity can seem overwhelming, there are steps you can take. Here are just a few things to think about.
- Evaluate your organizational structure: as supply chain cybersecurity can touch many areas, you may need a task force to work towards securing your supply chain. This team should be empowered to hold lower-level suppliers accountable, while being accountable themselves for the overall supply chain security picture.
- Identify and empower supply chain leadership: ensure that key contracts are reviewed and monitored so that subcontractor security practices are maintained through the lifecycle of the contract, and that threat intelligence and incident response capabilities work together with those of the larger enterprise.
- Ensure that data protection and stakeholder communication requirements are addressed: specifically those concerning incidents, breach notifications and industry or legal reporting requirements.
- Work to foster trust in threat sharing among your supply chain partners: no matter what technology they use, threat sharing environments are communities of humans first. Trust often overcomes delays in communications, unnecessary checks and balances, and hesitation or reluctance when announcing indicators of an attack or a potential breach that may affect members in the supply chain. Trust isn’t something that happens on its own; it is created by open and transparent leadership and communication. It includes straight talk, the ability to produce results and the ability to restore trust when trust is lost. To quote Stephen M.R. Covey: “Trust is not a soft, social virtue: it’s a hard economic driver, for every organization.”