5 Supply Chain Cybersecurity Risks and Best Practices

Threats to supply chain security have increased in the wake of COVID-19. Learn what they are and how you can defend your organization and prevent disruption and worse.

The rise of supply chain cyberthreats in the wake of COVID-19 have made a solid risk management plan even more essential than it always has been.

Supply chain cyberattacks put organizations at significant risk — risk that can disrupt their operations and damage their reputations.

Supply chain cyberattacks are on the rise and hackers are targeting every company in the supply chain ecosystem from the end-user organization to the software providers to the suppliers, said Mark Atwood, managing vice president of supply chain research at Gartner Inc.

COVID-19 has just ratcheted up a trend that was already happening.

In 2019, 40% of manufacturers had operations that were affected by a cyber incident, according to a report from Deloitte released on May 6. And from March to May of this year, there was an increase in supply chain attacks related to COVID-19, the report’s authors noted.

While definitive numbers may be hard to pinpoint, the trend is clear.

“Bad actors will act wherever they see an opportunity,” according to the Gartner supply chain cybersecurity report, co-written by Atwood. “Supply chains, which extend the envelope of enterprise risks to all business ecosystem participants, are fair game.”

To help prevent hackers from achieving their goals, understand these five supply chain cybersecurity risks and best practices in fighting them.

1. Recognize the supply chain threat landscape

Falling prey to the “it couldn’t happen to us” mentality is a big mistake. But despite clear evidence that supply chain cyber attacks are on the rise, some leaders aren’t facing that reality, even if they do understand techniques to build supply chain resilience more broadly.

To fully address supply chain cybersecurity, supply chain leaders must realize they need to face the risk reality. The supply chain is veritable smorgasbord of exploit opportunities — there are so many information and product handoffs in even a simpler one — and each handoff represents risks, especially where digital technology is involved but easily overlooked.

One of the biggest supply chain challenges is leaders thinking they’re not going to be hacked, said Jorge Rey, the principal in charge of information security and compliance for services at Kaufman Rossin, a CPA and advisory firm in Miami.

Leaders need to understand the cyberthreats posed by different parts of the supply chain, including the technology, the software, the lifecycles of their products and the vendors, Rey said.

2. Create a multifaceted supply chain security strategy

Hackers are opportunistic — they see potential exploits everywhere.

Supply chain cyber attacks are carried out with different goals in mind — from ransom to sabotage to theft of intellectual property, Atwood said.

These cyberattacks can also take many forms, such as hijacking software updates and injecting malicious code into legitimate software, as well as targeting IT and operational technology and hitting every domain and any node, Atwood said. Those vulnerabilities include the physical flow of assets — anywhere in the processing, packaging and distribution process — to the virtual flow of data or software across connected devices and systems.

With cyberattacks growing, supply chain leaders need to better coordinate with IT security and risk management leaders to understand the approaches they use, Atwood said. And these groups should work together to present a joint supply chain cybersecurity risk management approach to the business.

“In the past there really hasn’t been a good way for these two groups to come together and address supply chain cybersecurity,” he said.

3. Vet suppliers’ security and risk management practices

Although essential to an organization’s business, a supplier network puts organizations at risk. For that reason, due diligence around the security of those partners is critical.

Far too many organizations default to an “out of sight, out of mind” approach.

Most organizations don’t have in-depth, trusted and actionable insight into the security protocols and practices of the providers that supply the critical products and technologies they depend on, said Beau Oliver, vice president at Booz Allen Hamilton.

That’s a mistake.

To truly secure its supply chain, a company has to understand the risk that its vendors are introducing to the business, said Carrie Whysall, director of managed security services at CynergisTek, a cybersecurity consulting firm in Austin, Texas.

The best way to do that is by conducting a security assessment of each supplier before bringing that supplier into the organization and on a regular basis.

“You have to have a base technical questionnaire that you use every time with every vendor,” she said. “You know what you’re looking for from your security guidelines and if they can’t meet your base criteria, you don’t want them in your environment.

The formal approach to vetting supplier security and understanding any supply chain cybersecurity risk is key.

“Defining security requirements and having a cyber-risk management program to evaluate third-party (and even fourth-party) services can help organizations reduce the risk of attacks on their supply chains,” according to the Deloitte report.

4. Manage remote work endpoint risk

In some ways, supply chain management best practices in a COVID-19 world are updated versions of what should already have been happening. But the widespread move to remote work is something many leaders have not dealt with before. As an exponentially expanded number of people have begun working from home, endpoints that hackers can exploit have expanded exponentially as well.

“Sustained operations in a supplier’s remote telework environment introduce additional risks by relying on the supplier’s users to manage physical and virtual security and protection of endpoints across dispersed locations outside of the established monitoring services available to the enterprise,” Oliver said.

As a result, organizations are at risk of unauthorized behaviors on the part of their suppliers’ employees, including losing their devices or having them stolen, downloading sensitive enterprise data without adequate offline protections or introducing rogue applications, files, keyloggers and other persistent threats, Oliver said.

“Remote employees are now using their work devices to surf the web, download untrusted applications or connect through public or home Wi-Fi networks, all before they log in to their companies’ secure networks,” he said.

In addition, when a supplier’s employees work from home, they are often required to use multiple networks, various collaboration tools, and cope with cumbersome overhead processes to manage accounts and commercial cloud products. Additionally, the large variety of devices connected to home networks, such as thermostats, virtual assistants, TVs and even appliances, expand the supply chain cybersecurity risks significantly, he said. These activities create blind spots for organizations and the risks to their ERP and enterprise systems, presenting an opportunity for malicious actors to exploit corporate assets, including supply chain software.

As the world embraces the new normal of working outside the office, technology must evolve to securely maintain access to networks and sensitive data, Oliver said. Cybersecurity attacks, such as phishing scams, spam, ransomware and keyloggers that target supply chains, are rising exponentially as malicious actors take advantage of the current situation to prey on remote workers.

Common security tools, such as virtual private networks and virtual desktop infrastructures, are not enough on their own to effectively protect organizations and mitigate threats, Oliver said. That’s because they rely on the companies’ end-users to follow security policies before and after connecting to secured networks.

The need for better endpoint security is clear.

For example, organizations can do more to try to improve the security of remote workers’ mobile devices and consequently keep bad actors from hacking into the supply chain network, said Matt Wilgus, principal and security practice leader at Schellman & Co. LLC, a provider of attestation and compliance services in Tampa, Fla.

Wilgus said his company turned to mobile device management to improve the cybersecurity of its remote workers’ devices by keeping the work environment separate from the part of the system that other people in the home might be accessing.

“So, basically, if you have an asset that’s being shared, you can say [to the others], ‘Hey, when you log in, you’re going to log in to this side of the system,’” he said.

This keeps users from using devices for work and, for example, homeschooling.

To ensure their supply chains are protected, organizations and their supply chain leaders should also monitor how their remote employees are using their devices, Wilgus said.

“You should have a monitoring policy in place and tell your remote workers, ‘Anything you do while you’re connected to the network is going to be fully monitored,’” he said.

5. Address smart product security

Technologies such as IoT are helping supply chain leaders, but they also pose greater risks. Indeed, the digitization of supply chains — with its combination of physical and digital components — opens up the attack surface.

In addition, smart products have increased supply chain cybersecurity risk, given the proliferation of smart products with embedded code and sensors, according to the Gartner report.

This idea of product security has been an eye opener for both supply chain and IT, Atwood said.

“Some [in IT] would say, ‘Oh, product security, that’s the responsibility of the supply chain, manufacturing, engineering [and] product quality,’” Atwood said. “Whereas if you talk to folks on the supply chain side, they say, ‘Oh, the IT folks have that under control.’”

To ensure the cybersecurity of their supply chains, supply chain leaders need to partner up with essentially every other group in the organization to create an integrated approach, according to the Gartner report.

A silo is just another way to say “hacker opportunity.” Indeed, in the modern world where the cyber vulnerabilities will only increase as organizations use more and more digital components to the supply chain or move such components through that chain, a holistic approach to mitigating cybersecurity risk is not a nice-to-have, it’s a must-have as the attack surfaces increase by the day.

Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.