Attackers are increasingly using sophisticated methods to compromise companies' supply chain management software, ultimately disrupting operations and wreaking havoc on their networks.
Although there are steps organizations can take to minimize the damage caused by supply chain attacks, as well as to shore up defenses after attacks, the smartest option is to prevent these breaches from ever happening.
Cybersecurity best practices
One thing supply chain managers must do is ensure that they're using reputable, industry-tested suppliers, said Justin Bateh, supply chain expert and professor of business at Florida State College at Jacksonville.
When using third-party service providers that have virtual access to information systems, supply chain managers and vendors must have a certain level of trust, as well as transparency about what data is available, who has access to the data and how it will be used, he said.
Jason Rhoades, a principal at Schellman & Co. LLC, a provider of attestation and compliance services in Tampa, Fla., agreed.
Today's enterprise must focus on these relationships and ensure that vendors and suppliers are taking security seriously and using the appropriate measures to instill trust in their business relationship, he said. Performing security assessments and validations, such as [Service Organization Control] examinations and ISO/IEC 27001 certifications, is a great way to build trust in the supply chain.
"However, trust isn't enough, and supply chain managers must ensure that there are hierarchical levels of access, compliance training is present, [and] auditing and evaluation mechanisms are utilized," Bateh said.
Supply chain management involves different processes within a business that are managed in different silos, but that are able to communicate with one another, said Alex Hsiung, a manager at Schellman.
"From end to end, when you're creating a new product, you want each piece of the supply chain to ultimately have the same minimum security requirements throughout," Hsiung said. "You have to ensure that there's consistent application of those security controls to mitigate the risks."
Consequently, organizations need some kind of internal cyber-risk management program in place, said Sean Peasley, a partner and leader in cyber-risk services at Deloitte & Touche.
"The program should include the types of risks they're trying to alleviate, [as well as] the various leading practices or standards or regulatory mandates that they're considering to manage those risks," Peasley said.
Enterprises can then use this risk management approach to evaluate the third-party services, software and cloud vendors accessing their environments and ensure that they follow the same cyber-risk practices, according to Peasley.
"That's the first step -- to have either a supply chain risk program or vendor risk management program to [define] the type of security controls that [an organization] requires from its vendors, from the encryption requirements to the authentication requirements and data protection requirements," he said. "Those requirements should be included in the contract."
The contract should also include an audit clause to ensure the organization has the right to audit and test the supplier's security controls periodically or if there's a major change in the relationship, Peasley said.
Christophe Menant, global strategy lead for security strategy, architecture and risk management at DXC Technology, an IT services company in Tysons, Va., agreed that a best practice is to consider the cyber-risk management of each supplier within the overall cyber-risk framework of the organization.
Looking at software from suppliers, the best practice is for an organization to define its cybersecurity requirements, which should be linked to its security policy, and ensure that its vendors are complying with those requirements, he said.
Mind the human element of supply chain attacks
However, according to Hsiung, organizations also need to take the human aspect into consideration to prevent supply chain attacks.
"At each level of the supply chain, all these people who touch the enterprise resource planning system or the supply chain management system should be subject to some level of training and awareness," he said.
That will enable them to keep abreast of any major concerns and any risk factors they could be exposing themselves to, especially in how they handle and process data, Hsiung said.
"It's also really key that those policies are made available and that employees are made constantly aware of them," Hsiung said. "And [enterprises should] enforce compliance with those policies by administering a competency test after the employees read the policy to make sure that they've ingested that information and retained it."