Supply Chain Cybersecurity: Enterprises actively examine their own systems and networks to protect against threats and handle vulnerabilities as they determine their attack surface. But what about their critical partners and the supply chain?
With up to 80% of cyber-attacks now starting in the supply chain, a breach at even the smallest supplier can have huge repercussions for operations at the enterprise level. The supply chain cybersecurity concern has become so acute that the Cybersecurity Maturity Model Certification (CMMC) is being rolled out by the United States Department of Defense (DoD) as a way to better protect the defense industrial base.
Prime contractors and subcontractors will have to achieve CMMC compliance to do business as part of a DoD contract. The Primes are also expected to take greater responsibility for ensuring that their subcontractors implement the appropriate security practices and comply with the DoD standard.
One problem in securing the supply chain is where the organizational responsibility lies. Many different departments of an enterprise work with the supply chain and other critical partners, but there’s no one person or team held accountable.
Corporate legal may include security requirements in contracts with vendors and suppliers, but how are they enforced? Do contract administrators verify that adequate levels of security and compliance exist at their subcontractors? Do risk management practices and internal teams consider the supply chain when determining organizational risk?
Does the organizational incident response planning include threat detection, analysis, response and remediation activities in the supply chain as a whole? Does IT/infosec have to take on the burden of securing suppliers who may not have the capability?
Sharing threat intelligence with the supply chain community is a logical necessity, especially for shared threats, alerts and advisories, but how can this process be implemented across organizational boundaries and who is best positioned to guide the implementation and participation?
While traditional cyber-threat sharing practices provided by ISACs and ISAOs exist within industries and geographic sectors, the level of member engagement varies, and breaches are not always publicized due to legal constraints and potential business impacts.
Organizations sharing within this structure often compete for the same business, and their owners are not obliged (nor always willing) to release information that may have a negative impact on, or reflect poorly on, their business.
However, Primes and subcontractors in a supply chain share a financial interest in the delivery of contractual services and products, and in overall mission success. In many cases the attack vectors (or attack surface) are also the same, so direct and timely threat intelligence may stop or minimize the escalation of an attack before it spreads from one supplier to the next.
While the problem of supply chain cybersecurity can seem overwhelming, there are steps you can take. Here are just a few things to think about.
- Evaluate Your Organizational Structure: As supply chain cybersecurity touches many areas of the business, you may need a task force to work towards securing your supply chains. This team should be empowered to hold lower-tier suppliers accountable, while being accountable itself for the overall supply chain security picture.
- Identify And Empower Supply Chain Leadership: Ensure that key contracts are reviewed and monitored so that subcontractor security practices are maintained throughout the lifecycle of the contract, and that threat intelligence and incident response capabilities work together with those of the larger enterprise.
- Ensure Data Protection And Stakeholder Communication Requirements Are Addressed: This applies particularly to incidents, breach notifications, and industry or legal reporting requirements.
- Work To Foster Trust In Threat Sharing Among Your Supply Chain Partners: No matter what technology they use, threat sharing environments are communities of humans first. Trust overcomes delays in communication, unnecessary checks and balances, and hesitation or reluctance to announce indicators of an attack or a potential breach that may affect members of the supply chain. Trust isn’t something that happens on its own; it is created by open and transparent leadership and communication. It includes straight talk, the ability to produce results, and the ability to restore trust when trust is lost.
Trust isn’t merely a soft moral virtue: for any company, it is a hard economic catalyst.