Earlier this year, US-based federal regulators urged companies to ramp up supply chain attack defenses. But a lot of organizations continue to maintain lax supply chain protocols and flout supply chain security best practices, increasing the risk of supply chain attacks. The Kaseya software supply chain attack, and previously, the SolarWinds event, reinforced the importance of developing a full supply chain security program.
While your organization may have a supply chain security program in-place already, any organization can have security blind spots. These 10 insights into securing your supply chain can reduce vulnerabilities and mitigate your risk.
- Know your vendors. Ensure that your organization is aware of each service provider who contributes to your extended supply chain. Due to the massive scale of cyber ecosystems and newly added shadow IT, decision-makers may discover business relationships that they were not previously aware of. Full visibility of vendors enables improved tracking and security management.
- Conduct a risk assessment. Formal processes -from security questionnaires to on site visits- can help your organization obtain a complete understanding of how seriously your vendors and suppliers adhere to supply chain security best practices. While these initiatives can be time consuming, they can yield significant payoffs in the long-run.
- Implement least privileged access. Organizations commonly provide undue, excessive access and permissions to employees, partners and other third-parties. As a result, supply chain attacks are easier to execute than they should be. By implementing least privileged, and assigning all persons and software necessary permissions only, your organization will mitigate risk.
- Network segmentation. Short of true need, third-parties should not be able to access every point within your network. This is unnecessary. Implement network segmentation to divide the network into zones based on business functions. When organized this way, it’s more of a challenge than it would otherwise be for hackers to compromise your business operations.
- Consider honeytokens. By implementing honeytokens, your organization can avoid serious threats. Honeytokens function as data decoys, luring hackers towards seemingly valuable assets. As hackers work their way towards these decoys, a signal alerts the organization to the presence of hackers, which the IT and/or cyber security team can contend with right away.
- Follow DevSecOps practices. Integrate security into your development lifecycle; this makes it easier to detect whether or not software has been modified in malicious ways.
- Automated threat prevention and threat hunting. Security operations centers (SOC) analysts can protect organizations from attack by improving endpoint, network, cloud and mobile security.
- Address the fourth party problem. Supply chain risks do not begin and end with third-parties. Your vendors likely have a long list of subcontractors and vendors of their own. Mitigating fourth-party risk remains difficult, although some cyber security tools can provide monitoring and tracking options for fourth-party groups.
- Security awareness. October is Cyber Security Awareness month, and you’ve likely just run a series of exercises within your organization to help employees understand phishing, smishing and ransomware threats, at the least. Security awareness initiatives should take place year-round, including friendly information about any new, common threats to watch out for.
- Assume that the possibility of a data breach remains. Develop your incident response plan, read expert insights surrounding supply chain security, and check out our piece titled The Short Guide to Why Security Programs Can Fail.
For more information about supply chain security, be sure to read our article titled 4X increase in supply chain attacks. Discover more cutting-edge business and cyber security insights when you sign up for the Cyber Talk newsletter.