Three Ways to Mitigate Insider Risk in Your Supply Chain
“Insider threat” has long been a familiar security topic for C-suite executives in every industry. In fact, 90% of organizations feel vulnerable to insider attacks, according to IBM. Yet, when creating risk mitigation programs for insider threats, many organizations overlook their nonemployees—the people who work for their third-party vendors, partners, and contractors.
Companies often give these people the same level of "insider" access to facilities, systems, and even sensitive data as full-time employees, but with far fewer safeguards in place.
This is particularly relevant to organizations in the logistics sector, as third parties are present along every stage of the supply chain process. A series of coordinated third parties often manages product shipments from port arrival to dock unloads to intermodal shipment transfers.
While organizations have well-defined processes in place to evaluate third-party companies, most have no process to understand the risk associated with the individuals who work for them. In the worst scenarios, many of these organizations have no centralized view of how many third-party individuals have access to their facilities, systems, or data, or what access they have.
This complexity, added to the rapid digitization that has been the hallmark of Industry 4.0, creates a perfect storm for increased exposure to insider threats.
Keep Insiders Out
To eliminate insider threats from third parties in your supply chain, follow these steps:
Know your insiders. Logistics organizations have systems full of sensitive information, ranging from personally identifiable information for employees (including salaries and social security numbers) to lists of current customers and their financial details, to confidential proprietary information and trade secrets.
Many third-party users are provided with access to these systems as part of their roles, but according to a 2018 Ponemon Institute supply chain study, most organizations don’t know their exact number of third-party users and only one-third of organizations had a list of all third parties they share sensitive information with.
Audit those with access. While some third-party users will need access to sensitive data to do their jobs, many can fulfill their job requirements with minimal access levels. Organizations should conduct regular, comprehensive user audits to ensure that access follows the principle of least privilege, meaning the appropriate privileges for the appropriate resources at that specific point in time.
Users are often overprovisioned during onboarding because access rights are copied from a previous user's needs rather than derived from the new role's actual requirements. Access is then added incrementally to accommodate new role assignments but is almost never removed, leaving users with access that should have been revoked long ago. It is also important to search for orphaned accounts left behind when employees leave.
To maintain strong security, your organization must keep an inventory of every person, service account, and Internet of Things device with access to internal systems and, by extension, to sensitive information.
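As an added example (not code from the article), the following Python script runs the audit these steps describe over a constructed roster and access-grant export: it flags accounts with no roster owner, orphaned accounts of terminated users, access beyond a role's least-privilege baseline, and third-party accounts holding access to sensitive systems, and it builds the inventory of third-party users that most organizations lack. The account, role, system names and the baseline mapping are all assumptions for illustration.

```python
# Constructed sample data (not from the article): an HR/vendor roster and an access-grant export.
ROSTER = {
    "alice":   {"employer": "internal", "status": "active",     "role": "dock-supervisor"},
    "bob":     {"employer": "PortCo",   "status": "active",     "role": "drayage-driver"},
    "carol":   {"employer": "PortCo",   "status": "terminated", "role": "drayage-driver"},
    "svc-edi": {"employer": "internal", "status": "active",     "role": "service-account"},
}
# Assumed least-privilege baseline: the minimum systems each role needs to do its job.
ROLE_BASELINE = {
    "dock-supervisor": {"wms", "yard-mgmt"},
    "drayage-driver":  {"gate-app"},
    "service-account": {"edi-gateway"},
}
# Systems holding PII, customer financials or trade secrets (assumed names).
SENSITIVE_SYSTEMS = {"hr-payroll", "customer-billing", "wms"}
# Current grants as exported from the identity system: (account, system).
GRANTS = [
    ("alice", "wms"), ("alice", "yard-mgmt"),
    ("bob", "gate-app"), ("bob", "customer-billing"),   # billing was added for a one-off task
    ("carol", "gate-app"),                               # carol left PortCo, grant never revoked
    ("svc-edi", "edi-gateway"),
    ("dave", "wms"),                                     # no roster record at all
]

def audit(roster, baseline, sensitive, grants):
    """Return (finding, account, system) tuples for every grant that violates the audit rules."""
    findings = []
    for user, system in grants:
        rec = roster.get(user)
        if rec is None:                      # nobody owns this account: cannot be justified
            findings.append(("unknown_account", user, system))
            continue
        if rec["status"] != "active":        # orphaned account left behind after termination
            findings.append(("orphaned_account", user, system))
            continue
        if system not in baseline.get(rec["role"], set()):   # access crept beyond the role
            findings.append(("excess_privilege", user, system))
        if rec["employer"] != "internal" and system in sensitive:  # third party on sensitive data
            findings.append(("third_party_sensitive_access", user, system))
    return findings

def third_party_inventory(roster, grants):
    """Map each non-employee account to the systems it can reach (the list most orgs lack)."""
    inventory = {}
    for user, system in grants:
        rec = roster.get(user)
        if rec is not None and rec["employer"] != "internal":
            inventory.setdefault(user, set()).add(system)
    return inventory
```

In practice the roster would be joined from the HR and vendor-management feeds and the grants from the identity provider's export, so that a terminated status in either source surfaces as an orphaned account.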