Fighting Supply Chain Threats Is Complicated

By Adam Philpott · January 19, 2022

Relying on the kindness of strangers is not an ideal strategy for CISOs and CIOs. And yet that is the precise position where most find themselves today while trying to battle cybersecurity issues across their supply chain. While these supply chains have plenty of their own challenges, such as global disruptions of distribution, our recent research shows that these challenges bring extreme opportunity to take a completely new and updated look at your cybersecurity strategies and processes.

It’s not as though businesses rely on their partners any more today than they did ten years ago. Your needs have not changed and are unlikely to change, except those rare instances where you may choose to manufacture your own supplies rather than rely on partners. Consider, for example, Costco creating its own gigantic chicken farm. Other than outlier examples like this, partner reliance is relatively stable.

What is changing with the supply chain is how much system access is being granted to these partners. They are getting access they didn’t always get and far deeper access as well. As technology advances to allow such access, businesses may be unaware – or accept as a norm – the dangers or challenges this access could pose.

Given the wide range of partners, suppliers, distributors, contractors, outsourced sales, cloud platforms, geographical specialists, and sometimes your own largest customers – the cybersecurity complexities are growing by orders of magnitude. Basically, the more integrations that businesses accept, the higher your level of risk is. To be more precise, the risk doesn’t necessarily grow with the number of partners as much as the risk grows with the number of partners whose cybersecurity environments are less secure than your own environment.

Now, as daunting and debilitating to business as this sounds, the exact opposite is true. Today’s supply chain woes and the threats that emerge from them prove there is a tremendous impact to be made when we change what security means and what it can do. Imagine if instead of being relegated to the inevitability of being breached and managing the associated consequences, you could intelligently get ahead of threats and keep focus where it should be – moving your business forward.

Setting a new tone

To even begin to craft a cybersecurity strategy to manage partners and a global supply chain, CISOs need to have a candid understanding of what a partners’ security level truly is. That is tricky, given that many of those partners themselves may not have a good sense of how secure or insecure they are!

One suggestion is to revise contracts to make it a requirement for all partners to maintain a security level equal to your business. The contract must not only specify penalties for non-compliance (with these penalties being sufficiently costly so it makes no sense for a partner to take any chances), but also specify means to determine and re-verify that security level. Surprise inspections and the sharing of extensive log files would be a start in kicking off a more proactive strategy that can work in concert with detection and response for optimal protection.

Here at Trellix, we recognize the power of adaptive prevention to finally outpace and outwit the bad actors. As threats continue to evolve, pivoting more and more in real time to inflict greater damage, security needs to do the same. With this outlook and approach in mind, businesses can lead with confidence when working with partners instead of uncertainty their tactics are not as secure as your own.

We know that since almost every business is dependent on the supply chain, it is a prime target for cybercriminals looking to cause disruption and breach wider networks. We are already seeing a spike in activity and our research found that a vast majority of global enterprises (81 percent) said that they are seeing far more attacks since the beginning of COVID-19.

Attackers are going to continue to leverage the global supply chain as an initial entry vector, accessing the network through a trusted connection, system, or user. As organizations continue their digital transformation, including ever-more cloud services, managed services, and endpoint modernization, the risks of supply chain threats will increase as its prevalence as a vector does. But despite this risk increasing, businesses have the ability to lead with confidence by implementing a security strategy that is alive and embedded, enabling detection, response, and adaptive prevention at the same time.