Fast becoming one of the biggest buzzwords in cyber, supply chain security is something that every organization needs to be thinking about. Private companies in particular have a bit of a view into the future and can use that to their advantage.
Unfortunately, in today’s landscape, most of corporate America views cybersecurity as a cost center within their organization. It is an expense to be dealt with -- a necessary evil.
As bad actors continue to find new ways to infiltrate the existing cybersecurity measures of organizations, this attitude will become a larger and larger problem.
How can I know what the future looks like with respect to supply chain security?
It’s actually quite easy.
All you have to do is look at the measures the Department of Defense (DoD) is implementing today.
Similar to the way worker safety and the Occupational Safety and Health Administration (OSHA) matured and expanded from early measures taken by government to encompass the private sector, I predict you’ll see a similar pattern with cybersecurity.
Read more below to learn what to expect from the DoD’s example.
What is supply chain security?
Supply chain security refers to the security surrounding all of the vendors and third parties you interact with as part of your business operations.
Each and every vendor, contractor or external party that has access to your network or system is a potential vulnerability or threat to your own business’ cybersecurity.
The practices and policies you put in place for your business, as well as those that you require of all vendors before you allow them access to your network and data, are what make up your supply chain security policy.
Why is supply chain security important?
The global average cost of a data breach is estimated at $3.9 million. Combine this with data showing that 80% of all cyberattacks take place in the supply chain and that the number of supply chain attacks is increasing dramatically (up 78% in 2018 alone), and you have a recipe for disaster.
The Target breach is perhaps the most famous, but far from the only, example of a very costly supply chain breach.
Target was forced to pay upwards of $18.5 million in damages because its HVAC supplier had insufficient security measures in place, allowing hackers to reach into Target’s systems through the supplier’s own.
While private companies have a very strong degree of control over the way their own organizations approach cybersecurity, this may give them a false sense of security.
What they have far less control over, or knowledge about, is what each and every vendor they interact with is doing to ensure their own security (and by extension the security of the companies they do business with).
Your network of outsourced vendors or suppliers may each have hundreds or thousands of endpoint devices (or potential entry points) on their own network. So, for each vendor you work with, you are multiplying your risk exponentially.
Not only is your exposure large, but attacks through vendors are also becoming increasingly popular and prevalent.
Your supply chain can extend down to the smallest components included in your product or service.
Take a physical product, for example. The bolts you purchase to build your product are part of your supply chain.
If a hacker gained access to the network for your bolt manufacturer and changed the machine settings that controlled the strength of that bolt, it could easily cause bolts to fail and your products to fall apart under stresses they should normally be able to withstand.
This example highlights why the potential for harm is not limited to simply gaining a list of emails from your database.
This makes your supply chain potentially one of your largest threat vectors, which is why the policies you have to protect it are so important.
The good news is that while this may sound a bit intimidating, there are things you can do to protect your organization.
What is the DoD doing to ensure supply chain security?
Nowhere is supply chain security more important than within the US Department of Defense.
The DoD handles some of our nation's most sensitive information and works with hundreds of thousands of private contractors, many of which are small and medium-sized businesses without robust internal IT departments.
The DoD recently launched its Cybersecurity Maturity Model Certification (CMMC) program with the goal of strengthening cybersecurity protection throughout the entire defense industrial base (DIB).
Under CMMC, all contractors who provide products or services to the U.S. Department of Defense will be required to demonstrate that they meet rigorous cybersecurity requirements before they can win defense contracts.
Essentially, this program is controlling and mandating specific security levels for each and every member of the supply chain for the DoD.
Within 2020, the DoD will expect every company with which it enters into a new contract, regardless of the type of work it does or the information it handles, to become CMMC certified at some level.
The overarching purpose of CMMC is to provide the DoD with the assurance that the contractors in its supply chain are taking the necessary precautions to ensure that the data and information it shares with them is fully protected, and to offer contractors a means to benchmark themselves against a clear and consistent set of security processes, practices, and methods.
Prior to CMMC, there were plenty of stated cybersecurity requirements that contractors had to adhere to; however, there was no centralized certifying body that actually confirmed they did so.
It was pretty much up to organizations to say they adhered to those standards, but proof was not required.
CMMC also provides stringent consequences for not having the correct security standards in place. Contractors will not be able to win bids, their primary source of income as an organization, without certification.
What changes should the private sector expect to make to supply chain security?
As a business in the private sector, how does all of this apply to you?
In my opinion, this is about as close as you’ll ever get to having a crystal ball. It is a view into the future you can expect in terms of cybersecurity regulations that will be mandated and administered by the US government.
Similar to the expansion of worker health and safety requirements for private sector businesses with the establishment of OSHA in 1971, you’ll see the private sector requirements follow suit from the requirements being imposed on DoD contractors.
There will eventually be a centralized government body, like OSHA, that will manage and certify businesses to an expected level of cybersecurity, and that centralized body will require that your supply chain adheres to certain requirements as well.
How can you start improving your supply chain security now in preparation?
You should start by reviewing what requirements are already detailed in CMMC. That is a great place to begin to understand some of the expectations you will someday be faced with as a private sector business.
This is also a good time to revisit your own supply chain or vendor security policy. It may be time to begin imposing stricter standards to protect yourself now.
You might be tempted to put off changes until you absolutely have to make them.
Why should you start making changes to your supply chain security policy now, instead of waiting until the government requires you to?
Well, first and foremost, you should want to have better supply chain security, and you should start improving it now because it is the right thing to do.
Remember that any breach means you are allowing some level of harm to come to your individual customers.
Sometimes it is easy to forget that there is a human at the end of this conversation, not just a dollar sign on a spreadsheet.
Remember our failed bolt example from earlier in the article? That could mean a person dies when your product fails.
Every email that is released when your database is breached belongs to an individual who now has had their identity stolen and has to go through a pretty painful process to restore it.
These are your customers -- the people you have promised to serve -- and you are putting them in harm’s way by not addressing this now.
You have built trust with your customers. Don’t let that trust be misplaced.