Defending Against Supply Chain Hackers
While your company may have excellent cyber security practices in place, your suppliers may not. These best practices will help protect your company from hackers who attack your supply chain partners.
1. Review Incident Response Plans. Always make sure vendors have an incident response plan in place before conducting business with them. If there is a data breach on their end, you do not want to find out the hard way. Make sure their response plan includes a communication strategy and mitigation controls.
2. Test Vendors’ Cyber Security Understanding. Test how well management understands the importance of strong cyber security. Vendors who demonstrate knowledge and application of effective cyber security practices are much less likely to be the cause of a security incident.
3. Conduct Vendor Risk Assessments. Perform due diligence on every vendor you work with. Conduct bi-annual or annual reviews. These security assessments will help you identify what controls are necessary to prevent you from being impacted by a data breach on their end.
4. Coordinate With The Procurement Director. There is a difference between telling procurement directors to consider cyber security and working with them to make it happen. Every director and executive needs to be on the same page when it comes to cyber security. Procurement needs to work with other departments to ensure there are no gaps in understanding or implementation.
5. Integrate Security Into Company Risk Assessments . Your supply chain risk assessments should include security as well. Review and improve your security and risk reports regularly.
6. Review Your Insider Threat Program. Companies in your supply chain are considered insiders with privileged access to data. Have an internal program in place to manage and mitigate insider threats in your organization.
7. Establish Data Steward Requirements. This applies to both your company and your vendors. Implement some sort of data ownership or stewardship. If data issues arise, ensure there is a liaison in place to help your company and your vendor communicate more effectively. Make certain both parties understand what proper use of responsible data means.
8. Embed Security Standards in Contracts. One of the most effective ways to improve cyber security in your supply chain is to make upholding a standard contractual obligation. It is best to use a cyber security framework such as NIST Cyber Framework to achieve a shared understanding of standards and expectations.
9. Monitor and Review Vendor Access Logs. You may not have direct control of vendors, but you do have control over what they can access and when. Regularly review your logs to identify normal behavior or any discrepancies. Some technologies can help automate and enhance this task.
10. Use Proactive Technologies. Technologies such as behavioral analytics and data loss prevention work well together to identify risky users and active threats. Behavioral analytics establish a baseline user and network behavior, and then track deviations from that behavior. Data loss prevention works to stop any leaks throughout a network.
Source: Isaac Kohen, founder and chief technology officer, Teramind