A global pandemic hit organizations across the world hard, but many of us were able to continue doing business, even amid this uncertainty. Because of that, it’s probable you are reading this while working from your home office. That’s thanks in part to today’s technology, which has become increasingly intricate and decentralized, and opened doors to global markets and new supply chain relationships.
Technology produced by our supply chains today is more effective, efficient and complex than at any point previously. Innovations in technology continue to propel it forward. With AI, machine learning, predictive analytics, the internet of things and more, we can expect a rapid rate of adoption for the foreseeable future.
The benefits of these innovations have been incredible, but as technology improves and allows us to work in ways previously unseen, we introduce new areas of opportunity and potential vulnerabilities for bad actors to exploit.
High-Profile Supply Chain Breaches
A breach at one point in your supply chain has the potential to spread to other points within your organization’s infrastructure. Supply chain breaches cost more than just money: they cost reputation, litigation, time and even lives. This threat keeps growing; just last year we saw a historic supply chain breach with the SolarWinds attack.
SolarWinds estimates up to 18,000 customers downloaded the tainted code that enabled the breaches. With the investigation still being conducted, the extent and impact of the damage from the breach are still unknown.
What is known is that the effect of this breach is significant and potentially long lasting. Learning the true depth of the damage caused will take a long time. We could see future news stories linking new breaches back to the initial attack.
Because of the access these actors had, and the length of time they had it, it is hard to know just how much damage was done and whether they left something behind, such as a backdoor that can be exploited in the future.
Other serious breaches have also marked the start of the new year. The Accellion hack in December resulted in the theft of personal information and blocked system access for many high-profile government entities, companies and universities that use its secure file transfer software. SITA, a vendor for airlines, was breached, and passenger data stored on the company’s servers was compromised. Microsoft suffered Exchange Server attacks in January, opening companies up to data theft and ransomware attacks.
You Are Only as Strong as the Weakest Link in Your Chain
These supply chain breaches can threaten more than just the privacy of information; they can be life-threatening. In 2017, hackers disabled a Saudi refinery with code they implanted, gaining access from the corporate network down to the system controls. A bug prevented the code from executing properly and causing an explosion, but this breach could have cost lives.
The theme in all these breaches is a link in the supply chain being compromised, opening companies up to attack through their third-party partners’ technologies. This is a growing challenge as corporations’ IT or OT networks continue to grow in complexity and expand to include many third-party partners, each needing access to various data and controls within the business.
It is one thing to ensure your company is secure, but ensuring every company working with you is secure is another challenge entirely. How can you be certain your partners are doing their best to manage their vulnerabilities as well?
Improving Supply Chain Security
As companies are introducing more touchpoints in their supply chains, diligence is needed to ensure risk is assessed and mitigated. Each time a company adds a new technology or service provider, a new element of risk is also added. This creates a greater need for a new level of insight into the security and reliability of partners.
Best practices like penetration testing, security assessments, modernization of processes, secure remote access with role-based access control, and the ability to prove due diligence of your security and controls are important not just for you, but for your partners as well.
As a cybersecurity provider in the IT/OT space, and as a partner dedicated to being a secure, reliable link in your supply chain, we understand the necessity of being forward-thinking and staying ahead when it comes to supply chain security and controls.
That’s why we became the first software company to complete the SOC for Supply Chain examination. “As our technology protects and secures critical infrastructure, TDi has to make sure it protects our customers that use our technology,” CEO of TDi Technologies, Bill Johnson, said.
In April 2020, the American Institute of CPAs (AICPA) introduced a new standard for risk mitigation: The SOC for Supply Chain examination. Formally called the “Report on Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing, or Distribution System,” its intent is to help organizations and business partners identify, assess and address supply chain risks.
“Although the SOC for Supply Chain is the latest SOC reporting option, we have seen growing interest in the marketplace similar to the early days of the SOC 2,” Principal at Schellman & Company, LLC Ryan Buckner said. “Only time will tell, but the SOC for Supply Chain report may grow to become the de facto SOC report for software products.”
The AICPA says it developed the solution to “foster greater transparency in the supply chain —a market-driven, flexible, and voluntary reporting framework. This resource helps organizations communicate certain information about the supply chain risk management efforts and assess the effectiveness of system controls that mitigate those risks.”
With a SOC for Supply Chain examination, you can be assured that your partner is doing its part to ensure that effective controls and security are in place to properly protect against bad actors within the supply chain. This transparency is crucial, as threats to supply chains will continue to grow in sophistication and our supply chains will continue to grow in complexity.
It’s up to each business to do its part: proactively defending itself, and ensuring that it is not only keeping itself secure but also being a strong link in its partners’ supply chains.