CyberSecOp.com

View Original

NIST Practices in Cyber Supply Chain Risk Management

Company Overview

Through its products and solutions, CyberSecOp offers cyber security tools, such as network, email, and mobile security as well as forensic investigation following a breach. As stated by the business:

The landscape of cyber threats is quickly changing. Organized threat actors are laser-focused on hacking systems and stealing data using sophisticated attacks that are tailored to compromise a specific target and evade traditional signature-based defenses, a key component of what currently constitutes basic cyber hygiene, instead of the broad scattershot attacks of the past.

SolarWinds Supply Chain Against US Agencies

The recent SolarWinds attack made the entire world aware of the danger of a cyber supply chain attack, or an attack on or through the vendors or suppliers of your company. It is becoming increasingly apparent that your business and its data are only as secure as the weakest link among your suppliers, even if you take all the necessary precautions to secure your own computer systems. This risk includes potential computer system attacks as well as the possibility of a disruption to the operations of your suppliers.

Common Risks for Supply Chains

Many risks can cause supply chain disruption, and those threats can have severe consequences for your business. Some of the more common risks are:

Cybersecurity Risks

Hackers can enter your supply chain and then move throughout your firm. Cybersecurity breaches can also wreak havoc on your day-to-day operations. So information security should be at the forefront of your mind when considering new vendors.

Compliance Risks

You’ll need to make sure your vendor can meet any regulatory compliance requirements your company has, which will subsequently affect your supply chain. For example, suppose a vendor bribes foreign government officials on your behalf. In that case, your company will be charged with violating the U.S. Foreign Corrupt Practices Act and all the legal ramifications that it entails.

Financial Risks

When collaborating with other companies, the risk of financial loss is always present. For example, if your contractor goes bankrupt or faces its own supply issues, this could have significant economic consequences for you and your organization.

Reputational Risks

Reputational risk is the most unpredictable type of risk because incidents that affect your reputation might happen out of nowhere. Damage to your contractors’ reputations can also harm yours, so consider reputational risk when choosing providers.

Cyber Supply Chain Principles and Supply Chain Risks

NIST identifies primary principles to consider for successful C-SCRM. These considerations are comprehensive and broadly apply to critical infrastructure, business processes, and intellectual property.

Understand the Security Risks Posed by Your Supply Chain

Examine the specific dangers that each supplier exposes you to, the products or services they provide, and the value chain as a whole.

Supply chain risks come in a variety of shapes and sizes. A supplier, for example, may not have enough security, may have a hostile insider, or its employees may not correctly handle your information. Gather sufficient information to better evaluate these security concerns, such as an insider data collection report or risk assessment.

Develop Your Organizational Defenses With “Assume Breach” in Mind

Assuming a breach means an organization approaches its cybersecurity posture by anticipating that its networks, systems, and applications are already compromised. Treating an internal network as if it’s as open as the internet readies the system for various threats and compromises.

Set Minimum Security Requirements for Your Suppliers

You should establish minimum security requirements and metrics for suppliers that are justified, proportionate, and achievable. Make sure that these standards reflect not only your evaluation of security risks but also the maturity of your suppliers’ security arrangements and their capacity to achieve the requirements you’ve set.

Minimum requirements should be documented and standardized to streamline enforcement. This technique will help you lower your effort and prevent giving these parties unnecessary work.

Cybersecurity is a People, Process, and Technology Problem

People, processes, and technology are the triad of solving problems. Supply chain management also focuses on these three areas to enhance supply chain performance, make it more secure, and do more with less.

Look at the Entire Landscape

There are multiple security standards that interact with each other in a variety of cybersecurity frameworks and best practices. A few examples are the NIST Cybersecurity Framework (CSF), Center for Internet Security (CIS) Controls, and the International Organization for Standardization (ISO) series.

To be efficient and flexible, your C-SCRM should follow the guidelines established by your third-party risk management program. That is especially important today, where outsourcing is common. Always remember that your C-SCRM program is only as good as the data security provided by your least secure third- or fourth-party supplier.

Encourage the Continuous Improvement of Security within Your Supply Chain

Encourage your vendors to keep improving their security measures, emphasizing how this will help them compete for and win future contracts with you.

Advise and support your suppliers as they seek to make these improvements. Allow your suppliers time to achieve improvements but require them to provide you with timelines and project plans.

Listen to and act on any issues arising from performance monitoring, incidents, or bottom-up supplier reports that imply current approaches aren’t functioning as well as they should.

Best Practices for Cyber Supply Chain Risk Management

An organization can employ a variety of best practices in its C-SCRM program. Best practices improve the ability to identify and mitigate potential risks over time. In addition, these practices include remediation steps to apply if you experience a data breach.

Here is a list of some of the best practices to keep in mind as you set to work on your cyber supply chain risk management program:

  • Security requirements need to be defined in requests for proposals (RFP). In addition, use security questionnaires to hone in on the current standards practiced by each bidder.

  • An organization’s security team must assess all vendors, and you must remediate vulnerabilities before sharing information, data, or goods and services with them.

  • Engineers must use secure software development programs and keep up-to-date on training.

  • Software updates need to be available to patch systems for vulnerabilities, and they must be downloaded and installed in real time.

  • Dedicated staff that is assigned to ongoing supply chain cybersecurity activities.

  • Implement and enforce tight access controls to service vendors.

The new NIST guidance reflects the increased attention companies are paying to manage cyber supply chain risks. It is a useful resource for enterprises of all sizes, though some of the recommendations may be too burdensome or complex for smaller organizations to reasonably adopt. Small businesses may lack the sufficient purchasing power to require their suppliers to complete certifications or participate in contingency planning, as NIST suggests, and may not have the resources to create internal councils and intricate review procedures.