A recent report showed us that the 2020 threat landscape was largely shaped by the pandemic. As businesses raced to transition to cloud environments to keep their businesses’ lights on during the pandemic, security was largely an afterthought, but for attackers it was top of mind.
As the pandemic’s timeline unfolded, attack trends shifted with it. Brands we relied on during social distancing and remote work were attackers’ favorite disguise. Relief efforts and public health information were used as spam lures, and critical components of the vaccine supply chain were targeted. Many of us in supply chain remember the major data breaches a few years ago suffered by large retailers like Target and Home Depot, both resulting from third-party relationships. Almost seven years later, supply chain security breaches are still making headlines—with the pandemic and, most notably, the SolarWinds breach that reverberated across the industry last year.
The most recent analysis estimates the average cost of a data breach at $3.86 million, with mega breaches (50 million records or more stolen) reaching $392 million. Given the surge in supply chain attacks in 2020, we can only imagine the impact when the analysis is updated.
So we must learn from 2020 to make sure history doesn’t repeat itself.
Top 5 Supply Chain Security Concerns
Supply chain leaders around the globe and across industries tell us these five supply chain security concerns keep them awake at night:
1. Data protection. Data is at the heart of business transactions and must be secured and controlled at rest and in motion to prevent breach and tampering. Secure data exchange also involves trusting the other source, be it a third party or an e-commerce website. Having assurances that the party you are interacting with is who they say they are is vital.
2. Data locality. Critical data exists at all tiers of the supply chain, and must be located, classified and protected no matter where it is. In highly regulated industries such as financial services and healthcare, data must be acquired, stored, managed, used and exchanged in compliance with industry standards and government mandates that vary based on the regions in which they operate.
3. Data visibility and governance. Multi-enterprise business networks not only facilitate the exchange of data between businesses, but also allow multiple enterprises access to data so they can view, share and collaborate. Participating enterprises demand control over the data and the ability to decide who to share it with and what each permissioned party can see.
4. Fraud prevention. In a single order-to-cash cycle, data changes hands numerous times, sometimes in paper format and sometimes electronic. Every point at which data is exchanged between parties or shifted within systems presents an opportunity for it to be tampered with—maliciously or inadvertently.
5. Third-party risk. Everyday products and services—from cell phones to automobiles—are increasing in sophistication. As a result, supply chains often rely on four or more tiers of suppliers to deliver finished goods. Each of these external parties can expose organizations to new risks based on their ability to properly manage their own vulnerabilities.
So, what’s it going to take to tackle supply chain security?
Part of the challenge is that there is no single, functional definition of supply chain security. It’s a massively broad area that includes everything from physical threats to cyber threats, from protecting transactions to protecting systems, and from mitigating risk with parties in the immediate business network to mitigating risk derived from third, fourth and “n” party relationships. However, there is growing agreement that supply chain security requires a multifaceted and functionally coordinated approach.
Supply Chain Security Best Practices
Supply chain security requires a multifaceted approach. There is no one panacea, but organizations can protect their supply chains with a combination of layered defenses. As teams focused on supply chain security make it more difficult for threat actors to run the gauntlet of security controls, they gain more time to detect nefarious activity and take action. Here are just a few of the most important strategies organizations are pursuing to manage and mitigate supply chain security risk.
Security strategy assessments. To assess risk and compliance, you need to evaluate existing security governance—including data privacy, third-party risk, and IT regulatory compliance needs and gaps—against business challenges, requirements and objectives. Security risk quantification, security program development, regulatory and standards compliance, and security education and training are key.
Vulnerability mitigation and penetration testing. Identify basic security concerns first by running vulnerability scans. Fixing bad database configurations and poor password policies, eliminating default passwords, and securing endpoints and networks can immediately reduce risk with minimal impact on productivity or downtime. Employ penetration test specialists to attempt to find vulnerabilities in all aspects of new and old applications, in the IT infrastructure underlying the supply chain and even in people, through phishing simulation and red teaming.
Digitization and modernization. It’s hard to secure data if you’re relying on paper, phone, fax and email for business transactions. Digitization of essential manual processes is key. Technology solutions that make it easy to switch from manual, paper-based processes and bring security, reliability and governance to transactions provide the foundation for secure data movement within the enterprise and with clients and trading partners. As you modernize business processes and software, you can take advantage of encryption, tokenization, data loss prevention, and file access monitoring and alerting, and bring teams and partners along with security awareness and training.
Data identification and encryption. Data protection programs and policies should include the use of discovery and classification tools to pinpoint databases and files that contain protected customer information, financial data and proprietary records. Once data is located, using the latest standards and encryption policies protects data of all types, at rest and in motion—customer, financial, order, inventory, Internet of Things (IoT), health and more. Incoming connections are validated, and file content is scrutinized in real time. Digital signatures, multifactor authentication and session breaks offer additional controls when transacting over the Internet.
Permissioned controls for data exchange and visibility. Multi-enterprise business networks ensure secure and reliable information exchange between strategic partners with tools for user- and role-based access. Identity and access management security practices are critical to securely share proprietary and sensitive data across a broad ecosystem, while finding and mitigating vulnerabilities lowers risk of improper access and breaches. Database activity monitoring, privileged user monitoring and alerting provide visibility to catch issues quickly. Adding blockchain technology to a multi-enterprise business network provides multi-party visibility of a permissioned, immutable shared record that fuels trust across the value chain.
Trust, transparency and provenance. With a blockchain platform, once data is added to the ledger it cannot be manipulated, changed or deleted, which helps prevent fraud, authenticate provenance and monitor product quality. Participants from multiple enterprises can track materials and products from source to end customer or consumer. All data is stored on blockchain ledgers, protected with the highest level of commercially available, tamper-resistant encryption.
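The tamper-evident record described above can be illustrated with a minimal hash-chained ledger. This is an added example written for this article, not code from IBM or any blockchain platform; it assumes a single shared record whose entries are chained with SHA-256, and uses constructed custody events for a hypothetical lot.

```python
import hashlib
import json
from typing import Dict, List, Optional

# Constructed sample: custody events for one lot, from a tier-2 supplier to the retailer.
SAMPLE_EVENTS = [
    {"lot": "LOT-0001", "actor": "tier2-supplier", "event": "produced", "qty": 500},
    {"lot": "LOT-0001", "actor": "tier1-assembler", "event": "received", "qty": 500},
    {"lot": "LOT-0001", "actor": "logistics", "event": "shipped", "qty": 500},
    {"lot": "LOT-0001", "actor": "retailer", "event": "received", "qty": 500},
]

GENESIS = "0" * 64  # previous-hash value for the first entry


def _entry_hash(index: int, prev_hash: str, payload: Dict) -> str:
    # Canonical JSON so every participant computes the same digest for the same record.
    material = json.dumps({"index": index, "prev": prev_hash, "payload": payload},
                          sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(material.encode()).hexdigest()


def build_ledger(events: List[Dict]) -> List[Dict]:
    """Append each event to a hash-chained record; each entry commits to its predecessor."""
    ledger: List[Dict] = []
    prev = GENESIS
    for i, payload in enumerate(events):
        h = _entry_hash(i, prev, payload)
        ledger.append({"index": i, "prev": prev, "payload": payload, "hash": h})
        prev = h
    return ledger


def verify_ledger(ledger: List[Dict]) -> Optional[int]:
    """Return the index of the first entry that breaks the chain, or None if it is intact."""
    prev = GENESIS
    for entry in ledger:
        expected = _entry_hash(entry["index"], entry["prev"], entry["payload"])
        if entry["prev"] != prev or entry["hash"] != expected:
            return entry["index"]
        prev = entry["hash"]
    return None


def provenance(ledger: List[Dict], lot: str) -> List[tuple]:
    """Trace a lot from source to end customer as (actor, event) pairs."""
    return [(e["payload"]["actor"], e["payload"]["event"])
            for e in ledger if e["payload"]["lot"] == lot]
```

Changing a quantity, deleting an event or even recomputing one entry's hash is caught at the first entry whose link no longer matches, which is why the record must be replicated across participants rather than held by the party that could rewrite its tail.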
Third-party risk management. As connections and interdependencies between companies and third parties grow across the supply chain ecosystem, organizations need to expand their definition of vendor risk management to include end-to-end security. This allows companies to assess, improve, monitor and manage risk throughout the life of the relationship. Start by bringing your own business and technical teams together with partners and vendors to identify critical assets and potential damage to business operations in the event of a compliance violation, system shutdown, or data breach that goes public.
Incident response planning and orchestration. Proactively preparing for a breach, shutdown or disruption, and having a robust incident response plan in place is vital. Practiced, tested and easily executed response plans and remediation prevent loss of revenue, damage to reputation, and partner and customer churn. Intelligence and plans provide metrics and lessons your organization and partners can use to make decisions that prevent attacks or incidents from recurring.
Jonathan Wright is managing partner - service line leader with IBM Services.