According to the Department of Homeland Security, the globalization of supply chains represents a significant vector for cyber attacks. Using the complex web of contracts and subcontracts for components, services, and manufacturing, bad actors are working to penetrate sensitive research and development programs, steal personally identifiable information (PII) and intellectual property, and insert malware into critical components.
While it may be nearly impossible to defend against all types of attacks, these best practices will improve the odds.
Identify All Elements of the Supply Chain
You have to know all of the companies involved in your supply chain to gain visibility into risk management and monitoring. Subcontractors can become involved without your knowledge. It becomes impossible to manage the risk of an adverse event fully. A problem at an unknown subcontractor could be an unwelcome surprise.
Limit Access and Exposure
Once you know all the elements of the supply chain, you can limit access to information to reduce the risk of exposure. Each participant should have access to only the information and permissions necessary to fulfill their role.
Train on Supply Chain Risk Management
Train personnel on cyber security strategies, practices and policies. Awareness of vulnerabilities from social engineering attacks is critical. Many significant breaches have been due to human error. Even the best security technology will fail if people provide a way around it. Update training regularly to address evolving information on threats and defenses. Security staff should pursue professional certifications and maintain continuing professional education.
Build a Proactive Defense
Your cyber defenses should start with contracts with key partners such as 3PLs. Contract language should include metrics for supply chain security as well as other performance measures. Verify their compliance with applicable laws, regulations, and industry standards. Keep in mind there are state regulations as well as federal laws requiring compliance. Also, view physical security and cybersecurity as equal priorities.
Identify critical assets and services and develop plans to restore those in the event of an attack or failure. Response plans should include damage containment as well as recovery.
One paradigm shift is to choose partners and providers that provide the best value rather than lowest cost. The low-cost providers typically don't have the resources to support world-class business continuity practices.
Audit your supply chain risk management process and incorporate lessons learned for future development. Include intrusion testing for hardware, software and social engineering to identify gaps. Encourage a continuous improvement mindset. After all, the bad actors never stop looking for new ways to attack. Assessments should include research and due diligence on suppliers before doing business with them. That includes asking about their audits and standards compliance.
It's all too easy to become complacent after spending time and resources on creating a data security system for your company. Keep in mind that continuous vigilance is necessary to ensure the plan and its execution remains adequate for the task.
Find out additional best practices for your data security and business continuity planning. Download our resource guide, Business Continuity for Your Supply Chain.
Interested in getting industry updates sent to your inbox? Subscribe below.