[BreachExchange] 7 Strategies to Defend Against Supply Chain Risks in the Digital Era

Audrey McNeil audrey at riskbasedsecurity.com
Thu Nov 10 18:42:29 EST 2016


http://www.securitymagazine.com/articles/87578-strategies-to-defend-against-supply-chain-risks-in-the-digital-era

With the rise of digital and cloud technologies, business models have
evolved greatly. In recent years, we’ve seen an increasing number of
businesses that are essentially “born in the cloud,” with infrastructure
that is fully supported by cloud services. For example, Amazon Web Services
(AWS) makes it affordable and easy to start an online company that can
scale to compete with larger, well-funded rivals. Similarly, YouTube makes
it easy to create and distribute promotional videos, while other social
media channels, such as Facebook and Twitter, enable company messaging and
marketing campaigns to reach millions around the world. The internet and
the cloud are the great equalizers – allowing startups to effectively
compete with established companies of any size.

But even brick and mortar companies are increasingly leveraging the
internet and cloud services to expand their business. As traditional
business models have changed to incorporate these resources, the security
risks presented have evolved as well. In today’s world of digital business,
the security risks faced by the majority of companies have largely shifted
into the cyber realm.

In addition, businesses today now have a much larger dependency on
third-party providers and suppliers than they’ve ever had in the past.
While suppliers can allow companies to be more innovative, create new
products, and further level the playing field against larger competitors,
there are also many new dangers and risks that can arise in such
distributed ecosystems.

These risks are not hypothetical. Over the past few years, two of the more
memorable cases of third-party partners causing security breaches involve
The Home Depot and Target. In November 2014, Home Depot disclosed a breach
perpetrated by hackers who broke into corporate systems using credentials
stolen from a third-party vendor. In December 2013, Target suffered a huge
data breach that resulted in 70 million stolen credit card records. The
attackers were able to breach Target’s system via a third-party HVAC
provider. And other data breaches and security vulnerabilities seem to make
it into news headlines on a regular basis.

Protecting Against Supply Chain Risks in the Digital Era

Third-party partners and suppliers remain essential requirements for any
business, but for cloud-based companies, this dependency is significantly
elevated. It is critical that companies understand and take appropriate
steps to manage the risks in their supply chain.

Here are seven best practices that can help all organizations – whether
cloud-based or traditional, large or small – protect against third-party
threats.

1. Implement a Business Impact Assessment: Conduct a business impact
assessment to understand the level of dependency on each third-party
partner. Typically, third parties that play a more critical role in
supporting the business will present greater security risks.
2. Know Your Partners: Keep an up-to-date and accurate record of all
business partners and the role that each plays. Relationships evolve over
time, and it is important that any changes are captured as they happen.
3. Document Security Policies: Have a security policy documented for third
parties that explains what is expected, how data should be handled, and
what needs to happen in the event of an incident. Legal counsel should also
be sought to ensure that the terms of such documents are legally binding
and enforceable.
4. Prioritize Communication and Education: Communicate security needs to
all partners. Some third parties may not yet appreciate the need for
security. If awareness is lacking in the partner ecosystem, an element of
education should also be considered.
5. Provide Technical Assurance: Implement technical controls, especially
when a third party has direct access to corporate systems. The existence of
certifications and audits can help provide this assurance. However,
additional technical assurance can be gained via penetration testing and
vulnerability scanning, or by deploying monitoring controls in the partner
environment. These strategies can provide a much-needed additional layer of
protection.
6. Leverage Threat Intelligence: Use threat intelligence to understand
attack vectors and identify vulnerability points where a third party may
have been breached. Threat intelligence provides actionable information
about emerging security threats, helping organizations better detect and
respond to them.
7. Create an Incident Response Plan: Create and document a joint incident
response plan that clearly maps out roles and responsibilities in the event
of an incident at a third party. Plans should include technical controls,
such as isolating critical environments; PR and media communication
strategies; and ways to end or replace the third-party service temporarily,
or even permanently if a serious breach occurs.
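The monitoring control that item 5 calls for when a partner has direct access to corporate systems can be as simple as checking each vendor login against the access profile the contract already defines: where the vendor connects from, when, and which hosts it is contracted to touch. The following is an added example, not code from the article or from Security Magazine; the vendor account names, networks, maintenance windows and log lines are all constructed for illustration, and the log format is an assumed one rather than any specific product's.

```python
"""Third-party access monitor: flags vendor account activity that falls
outside the vendor's agreed access profile. Added example; every vendor,
network, host and log line below is constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
import re


@dataclass(frozen=True)
class VendorProfile:
    name: str
    allowed_sources: tuple      # networks the vendor is expected to connect from
    window_start: time          # agreed maintenance window (local time)
    window_end: time
    allowed_hosts: frozenset    # hosts the vendor is contracted to administer


# Constructed access profiles for two hypothetical vendor accounts.
PROFILES = {
    "svc-hvac-vendor": VendorProfile(
        name="svc-hvac-vendor",
        allowed_sources=(ip_network("203.0.113.0/24"),),
        window_start=time(8, 0), window_end=time(18, 0),
        allowed_hosts=frozenset({"bms-01", "bms-02"}),
    ),
    "svc-pos-support": VendorProfile(
        name="svc-pos-support",
        allowed_sources=(ip_network("192.0.2.0/24"),),
        window_start=time(6, 0), window_end=time(22, 0),
        allowed_hosts=frozenset({"pos-db-01"}),
    ),
}

# Assumed log line format: "<iso timestamp> user=<u> src=<ip> host=<h> action=<a>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"host=(?P<host>\S+) action=(?P<action>\S+)$"
)

# Constructed sample log: one in-profile vendor login, one out-of-profile
# vendor login, one employee login (not a vendor account) and one malformed line.
SAMPLE_LOG = """\
2016-11-10T09:15:02 user=svc-hvac-vendor src=203.0.113.25 host=bms-01 action=login
2016-11-10T23:40:11 user=svc-hvac-vendor src=198.51.100.7 host=pos-db-01 action=login
2016-11-10T14:02:45 user=jsmith src=10.0.0.5 host=fileserver action=login
2016-11-10T10:30:00 user=svc-pos-support src=192.0.2.10 host=pos-db-01 action=login
this line does not match the expected format
"""


def parse_line(line):
    """Return the parsed event as a dict, or None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def check_event(event, profiles=PROFILES):
    """Return the list of profile violations for one event (empty = fine)."""
    profile = profiles.get(event["user"])
    if profile is None:
        return []  # not a vendor account; out of scope for this monitor
    reasons = []
    src = ip_address(event["src"])
    if not any(src in net for net in profile.allowed_sources):
        reasons.append("source outside vendor network")
    t = event["ts"].time()
    if not (profile.window_start <= t <= profile.window_end):
        reasons.append("outside maintenance window")
    if event["host"] not in profile.allowed_hosts:
        reasons.append("host outside contracted scope")
    return reasons


def scan_log(lines, profiles=PROFILES):
    """Scan log lines and return one alert dict per out-of-profile vendor event."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # malformed lines are skipped rather than silently trusted
        reasons = check_event(event, profiles)
        if reasons:
            alerts.append({"user": event["user"], "src": event["src"],
                           "host": event["host"], "time": event["ts"].isoformat(),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(alert["time"], alert["user"], alert["src"], alert["host"],
              "; ".join(alert["reasons"]))
```

Each alert carries every reason it tripped, so an analyst can tell a vendor working late from their usual address (one reason) apart from a vendor credential used from an unknown network against a system the vendor has no business with (several reasons), which is the pattern in the Home Depot and Target cases described above. Feeding real VPN or jump-host logs into `scan_log` and keeping `PROFILES` in step with the partner register from item 2 is what turns the contract's paper terms into something that is actually checked.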

Partners and suppliers are a critical part of a company’s success in the
digital era. However, it’s important that organizations understand the
risks that lie within the supply chain and take appropriate steps to
protect themselves. By implementing the aforementioned best practices into
third-party security strategies, organizations can go a long way toward
enhancing their ability to detect threats, and respond in a fast and
efficient manner if a security breach occurs.