C-Suite Guide to Supply Chain Cybersecurity
Analyst firm Gartner predicted “By 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.” And we’ve seen supply chain attacks repeatedly appear in recent headlines—notably the SolarWinds breach that affected up to 30,000 organizations.
Supply chain security has become such a hot topic that the US government prohibits the use of certain foreign-made equipment in government contracts (under Section 889). And that’s just the beginning: the government now requires compliance with the Cybersecurity Maturity Model Certification, or CMMC, in an attempt to eradicate supply chain issues among defense contractors. Other governments, such as the European Union, are doing the same. All this will no doubt impact Asia: the United Nations estimates around 42% of global exports are sourced in the APAC region.
Many are asking themselves: what does a responsible security practice look like? Here’s a checklist of how any company can help secure its supply chain:
1. Recognize you’re part of a cyber supply chain ecosystem–not just a physical one.
Setting up digital integrations between supply chain partners brings massive efficiency. But it also brings complexity. According to McKinsey, “on average, an auto manufacturer has around 250 tier-one suppliers, but the number proliferates to 18,000 across the full value chain.” Chances are those partners share significant internet interconnectivity. Even if your supply-chain ecosystem is just one-twentieth the size of the automotive industry’s, you’re still very interconnected. The same holds for smaller firms: one study found that a 35-person company uses 102 apps, nearly three per employee. This interconnectivity represents a significant overhead for security management and, more importantly, a large and likely unguarded attack surface.
2. Admit you’ll be attacked and probably breached.
Last year, security firm Palo Alto Networks reported that attackers can scan the entire Internet in under one hour. Cloud speed and scale have made scanning the attack surface not just easy but cheap as well, costing only $10 per scan. Why are they scanning the internet? To find vulnerabilities. If an attacker wants to breach a large manufacturer but its defenses are solid, they simply scan its supply chain partners instead, find a weakness and hope to use that access to reach the bigger target (and maybe leave some ransomware behind while they’re at it). Automation and sophistication characterize how attackers pursue even the smallest company.
3. Get the right expertise.
While cybersecurity has gotten attention even at the highest levels of government and boards, it’s still a geek’s domain. Often, small to medium firms double up their IT person as the cyber defender. Instead, seek out dedicated expertise. In fact, a blossoming industry has sprouted solely dedicated to helping understaffed organizations shore up their cyber defenses with external expertise.
4. Funding for cybersecurity is the cost of business in an interconnected world.
Cybersecurity isn’t cheap, but it’s the equivalent of putting locks on your doors and windows: you just do it, no questions asked. Today the same is even more true for cyber, so get used to the new normal.
5. Have your responses ready for the inevitable RFP.
Prepare now for supply chain partners grilling you on your cyber posture. The good news? They’ll likely use NIST’s standard list of questions. Spend some time proactively answering–and executing!–the cybersecurity activities NIST suggests.
Recent disruptions around the globe have shown the world just how much the supply chain matters. Cyber-attacks on supply chains in recent months underscore, more than ever, that this is a team sport. As Jae Lee, Quincus VP of Engineering, notes, “Data theft, cyber terrorism, and malware pose a high threat to supply chain management. Common supply chain cyber security activities are done to minimize risks including disaster recovery drills between trusted vendors, and disconnection of critical machines from external networks.”