In 2019, British Airways was fined $230 million for violating the EU’s GDPR when a breach of their system compromised over 380,000 user records. Although the problem was reportedly caused by malware installed at third-party websites, the responsibility – and the penalty – fell on British Airways.[1]
Ultimately, the weakness was in British Airways’ supply chain and, increasingly, hackers are finding that the best way to infiltrate their target is through a supplier or other related third party. This type of attack, which can leverage third-party website content, vendors’ software or third parties’ credentials, is on the rise, with Symantec reporting a 78-percent increase in 2018.
Midmarket companies are starting to pay attention to the danger of supply chain attacks and are much more aware of them than they used to be. That’s partly driven by a desire to ensure their own security, but also by the fact that they are themselves a part of their customers’ supply chains.
The best way to protect your organization, and yourself, is to make security an integral part of your overall supply chain management program. According to the Council of Supply Chain Management Professionals, supply chain management includes planning and managing all activities that are a part of sourcing, procurement and logistics. It covers more than just your vendors and includes collaboration with channel partners of all types: suppliers, intermediaries, third-party service providers and customers.
When looking at the security of your supply chain, ask vendors to share the results of their security assessments, audits and penetration tests. Make sure you’re looking at each party’s overall security, not just the connection between you and the individual party. Although the connection by which data travels from point A to point B may be secure, that doesn’t protect you if incoming data has already been infected by something in a vendor’s network. A secure connection also isn’t going to protect your organization’s data if the vendor is storing it in an insecure way.
Below are some additional considerations to help bolster the security of your supply chain relationships:
- Make supply chain security a part of your contracts. For example, you might require security audits. Specify how often the audits must happen and who pays for them. In fact, some CISOs are requiring such audits before supply contracts are signed. Confirm with your suppliers that assessments cover not just technical controls, but also policies, processes and procedures, to make sure best practices are specified and followed.
- Don’t accept data directly from an outside party. Create a quarantine area so you can ensure it is safe before allowing anything to connect to your systems.
- Create a system to verify the legitimacy of files. Many IT departments today check the digital signature or the hash value – a fixed-length fingerprint derived from the file’s content, so that any alteration produces a different value – against the value the vendor publishes before using downloaded materials. This is a good practice to avoid accidentally using altered files.
- Always specify which party is responsible for data security in the life cycle of that data and identify any point in which that responsibility may shift. All parties should be clear in their understanding of what they are responsible for and when.
- Know your hardware, including the components within the hardware. One network card with outdated firmware could be a problem.
- Ensure that equipment is secure in transit. Is the vendor using a reputable shipping company with proven security? It’s important to ensure there can be no tampering while the goods are in transit.
- Understand the security measures at your cloud service provider, including who is contractually responsible for what kinds of security. Often, the data owner – not the service provider – is responsible for certain aspects of security. There have been instances when cloud customers failed to change default settings, inadvertently making private data publicly searchable. It’s best to treat the cloud environment just as carefully as you do your on-premises environment.
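As an added example (not from the original article), the file-verification point in the list above can be implemented like this in Python: a sha256sum-style manifest that the vendor publishes out of band is checked against the files actually received, each file being streamed and its digest compared in constant time. The manifest contents, file names and directory are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # stream so large deliverables need not fit in memory
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines '<hex digest>  <filename>' into {filename: digest}."""
    expected = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected

def verify_delivery(directory, manifest_text):
    """Check every file the manifest names; return {filename: 'ok'|'mismatch'|'missing'}."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        # constant-time comparison, so a near-miss is not distinguishable by timing
        elif hmac.compare_digest(sha256_file(path), digest):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results

# Constructed sample manifest (not a real vendor's); every digest is SHA-256("abc")
SAMPLE_MANIFEST = """\
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  update.bin
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  tampered.bin
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  absent.bin
"""

def demo():
    """Constructed delivery: one intact file, one with a changed byte, one never shipped."""
    with tempfile.TemporaryDirectory() as d:
        for name, content in (("update.bin", b"abc"), ("tampered.bin", b"abd")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        return verify_delivery(d, SAMPLE_MANIFEST)
```

A hash only detects alteration if the manifest itself is trustworthy, so obtain it over a separate channel from the files (or require the vendor to sign it) rather than from the same download location.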
Another good practice is to check what industry standards a supplier meets. In addition to broad security standards, there are some supply-chain specific ones, such as ISO 20243. There may be others more specific to your particular industry, so do your due diligence: know what the gold standard is for your industry and hold your vendors to it.
For more information on how to improve your organization’s security posture, visit us at www.btbsecurity.com.
[1] SANS Institute’s “Success Patterns for Supply Chain Security”