Securing your digital supply chain is one of the most important things you can do this year. Some of the largest recent breaches have come from supply chain attacks. As part of our Beyond Zero Trust blog series, we’re reviewing why your supply chain’s security is a critical piece of addressing your vulnerabilities.
Our previous Beyond Zero Trust blog, on enhancing endpoint security, noted that much of Zero Trust focuses on the user and how they interact with your network and its devices. We stated that going beyond Zero Trust means not even trusting the devices within your network. Today we’re leaving your network and looking at your security from the outside in.
What is Supply Chain Security?
Supply chain security focuses on evaluating and managing the risks of your external vendors and partners. Your digital supply chain consists of many different relationships, and they all interact with your business and its network in different ways.
Supply chains are becoming increasingly complex. The benefits to business have been immense, but this sophistication introduces new vulnerabilities. To maintain strong supply chain security, every link needs to be evaluated and its security proven, so you have the assurance that you are not operating under increased risk.
Today’s environment has too many supply chain security threats for you not to make this a critical point in your evaluations. The Kaseya supply chain attack is proof of this: ransomware propagated through its supply chain and affected up to 1,500 businesses in total.
This is the inherent challenge of doing business in today’s environment. Even if your company’s security is strong, you are still at risk if those you choose to do business with are not taking their own security seriously.
How to Evaluate Supply Chain Cyber Security
Evaluating your supply chain cyber security means looking beyond the product a company offers, or how a partnership can add value to your business. You need to consider what those businesses are doing to ensure they are safe from an attack and are protecting everyone involved in their supply chain. You are only as strong as the weakest link in this chain.
To understand what you need to evaluate, let’s look at common supply chain cyber security risk factors below.
Common digital supply chain security risks:
- Increasing complexity in digital supply chains, resulting in tighter integration with partners or vendors and more network access or sensitive data being shared.
- Vulnerabilities in the software systems you use, such as backdoors inserted by attackers.
- Unknown or undisclosed security practices of businesses in your supply chain (penetration testing, SOC for Supply Chain examinations, cyber security practices and more).
The above list is not comprehensive, but it covers the critical areas that many of the most recent newsworthy attacks exploited. With these elements in mind, let’s look at how you can better defend yourself.
The key takeaway here should be: look not only at what your vendor’s technology is doing for you, but at how they are protecting themselves and your supply chain. Do you know whether your vendors can sustain a massive attack? What would the impact on your business be, and how have you secured against it?
If you are at the Zero Trust baseline that we discussed in prior posts, then you are already ensuring that access to your network and its sensitive data is protected by mature access control policies enforced through secure remote access. You should go further and make sure that any program’s access is also least-privilege.
Auditing source code where possible, and requiring cyber security best practices of your partners and vendors, are also critical. Can they attest to their security practices through penetration testing of their business and their products? Are they able to prove their diligence through other processes, such as the SOC for Supply Chain examination?
These supply chain security breaches are a strong reminder that it isn’t just the product you need to examine for resiliency, but the business itself of those you choose to integrate into your supply chain.
Establishing Your Cybersecurity Baseline and Going Beyond
If you didn’t catch our previous series exploring Zero Trust security, we reviewed its three core security principles: least-privilege access, never trusting a connection, and assuming a breach. Stay tuned to our updates page as we continue our Beyond Zero Trust series, helping you go beyond your Zero Trust security baseline and tackle the challenges you need to be considering next.