How organizations can better protect themselves against supply chain security threats

Running regular anti-malware scans and blocking malicious IP addresses are two strategies. But organizations need to do more to defend themselves against security risks from supply chain partners, according to (ISC)2.


You may secure your own business with all the tools and technologies at your disposal to defend against security threats. But what about your supply chain partners? A security breach or risk anywhere along the supply chain could damage your own company depending on the level of access the supply chain partner has to your data and business assets. Aside from safeguarding your own company's defenses, there are measures you can take to protect yourself against risks from the supply chain, according to a new report called Securing the Partner Ecosystem from (ISC)2.

In a survey conducted by (ISC)2 of 700 security professionals at small and large companies, 64% of the respondents say they outsource more than a quarter of their daily business tasks to third parties that require access to their business data. Those tasks include research and development, accounting, IT services, accounts payable, customer services, and advertising. Accordingly, 96% of respondents have contract provisions in place dictating how third parties can access, store, and send their data. Further, 95% have a process for vetting the cybersecurity defenses of small businesses before they grant them access to sensitive or proprietary information.


One common supply chain belief is that small businesses serve as a conduit for cyberattacks on larger organizations. The assumption is that smaller companies don't have the talent, resources, or money to adequately shore up their defenses, and so an attack against a small business can filter through the supply chain to harm a larger partner organization. However, the survey poked a hole in that argument.

Though a full 50% of large enterprises see third party partners of any size as a cybersecurity risk, just 17% said they have been breached as the result of working with a larger partner, while only 14% said they have been hit by a breach due to working with a small business partner.

Of course, like any organization, small companies aren't immune to cyberattacks. Among the small business respondents surveyed, 40% said they have experienced at least one breach. Further, 33% of them admitted that an employee mishandled the credentials of a supply chain partner, while 41% have had to notify a larger client company to reset a password due to a security breach.

How equipped are companies to fend off cyberattacks that hit them through the supply chain? Some 44% of large enterprise respondents were very confident and 54% were confident about their ability to protect their own data in the event of a breach at a supply chain partner. However, that high confidence may be misguided, considering the level of access a small business has to the data of a larger partner. Some 34% of the large enterprise respondents admitted they were surprised by the broad level of access a third party provider had to their network and data. On the flip side, some 39% of small business respondents expressed the same surprise.

In some cases, a third party company can be of help to a larger company by alerting them to vulnerabilities in their security defenses. However, the response is often lacking. When warned of insecure data policies by a third party provider, 35% of enterprise respondents and 29% of small business respondents said that nothing improved as a result.

As another example of weak security, access to data often remains in place even when it's no longer needed. Some 55% of small business respondents said that they still had access to a client's network or data after the project or contract was completed. Such "orphan" accounts pose a risk: nobody is actively using or monitoring them, yet anyone who obtains their credentials, whether a former contractor or an attacker who compromised the partner, inherits the same access the partner had during the engagement.

How to protect your company from supply chain threats

What can companies, both large and small, do to protect themselves from threats along the supply chain? The survey showed that small businesses and enterprises employ similar strategies as seen in the top five security best practices:

Enterprises:

  1. Run regular automatic scans with antivirus and anti-malware programs.
  2. Block access to known malicious IP addresses through firewall configuration.
  3. Enact strong email filters to prevent phishing.
  4. Evaluate and report on security incidents when they occur.
  5. Determine acceptable threat levels and employ encryption for sensitive data.

The top five security practices for small businesses were similar to those of enterprises, with two exceptions. The small businesses excluded the strategy of determining acceptable threat levels and employing encryption for sensitive data, but included a task for scanning all incoming and outgoing emails to detect threats and filter executable files.

Further, large organizations need to be more diligent about improving their security practices, especially in reaction to issues discovered by supply chain partners. That includes revoking a third party's access to networks and data when it's no longer needed, a process that usually amounts to disabling or removing the partner's account, along with any API keys, tokens, VPN credentials, or group memberships that were issued with it.
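The orphan-account problem described above (partners retaining access after a contract ends) is easy to state and easy to miss in practice, because the accounts are usually created per engagement and nobody owns them afterwards. The script below is an added example, not code from the article or from the (ISC)2 report: it takes a constructed CSV inventory of partner accounts (vendor, account name, enabled flag, contract end date, last login) and flags every enabled account whose contract has ended, calling out the worst case where the account was still used after the engagement closed, plus enabled accounts that have gone dormant. The inventory format, vendor names, dates and the 90-day dormancy threshold are all assumptions made for the illustration.

```python
"""Find third-party accounts that outlived the engagement that justified them.

Added example, not code from the article or the (ISC)2 report. The inventory
format, vendor names, dates and the 90-day dormancy threshold are constructed
for illustration.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory, one row per partner account.
# contract_end: date the engagement ended (blank = still active).
# last_login:   last successful login (blank = never).
SAMPLE_INVENTORY = """\
vendor,account,enabled,contract_end,last_login
acme-accounting,svc-acme-ap,true,2023-12-31,2024-02-10
acme-accounting,j.doe@acme.example,true,2023-12-31,
northwind-dev,nw-ci-runner,true,,2024-05-01
northwind-dev,nw-contractor-1,true,,2023-09-15
globex-ads,gx-reporting,false,2024-01-15,2024-01-10
"""


def _parse_date(value):
    value = value.strip()
    return date.fromisoformat(value) if value else None


def parse_inventory(text):
    """Parse the CSV inventory into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "vendor": row["vendor"],
            "account": row["account"],
            "enabled": row["enabled"].strip().lower() == "true",
            "contract_end": _parse_date(row["contract_end"]),
            "last_login": _parse_date(row["last_login"]),
        })
    return rows


def review(text, today_iso, dormant_days=90):
    """Return {account: reason} for every enabled account that should be revoked
    or reviewed: orphans (still enabled past contract end) and dormant accounts
    (no login within dormant_days). Disabled accounts are skipped."""
    today = date.fromisoformat(today_iso)
    cutoff = today - timedelta(days=dormant_days)
    findings = {}
    for r in parse_inventory(text):
        if not r["enabled"]:
            continue  # already disabled, nothing to revoke
        end, last = r["contract_end"], r["last_login"]
        if end is not None and end < today:
            reason = f"orphan: contract with {r['vendor']} ended {end.isoformat()}"
            if last is not None and last > end:
                # Worst case: the account kept being used after the engagement ended.
                reason += f"; last login {last.isoformat()} is AFTER contract end"
            findings[r["account"]] = reason
        elif last is None or last < cutoff:
            seen = last.isoformat() if last else "never"
            findings[r["account"]] = f"dormant: last login {seen} (threshold {dormant_days} days)"
    return findings


if __name__ == "__main__":
    for account, reason in review(SAMPLE_INVENTORY, "2024-06-01").items():
        print(f"{account}: {reason}")
```

In a real deployment the inventory would be an export from the identity provider or directory joined against the contract register, and the output would feed a ticket to disable the account. The contract end date is the key field: a login after that date is a finding even when the account is otherwise healthy, which is exactly the condition the survey's 55% figure describes.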

Organizations must also realize that preventing breaches and cyberattacks is the responsibility of all companies involved in supply chain interactions. Large enterprises should have the proper security defenses in place to protect themselves from all angles and areas of attack.

"This research highlights the fact that building a strong cybersecurity culture and subscribing to the right best practices can help organizations of any size maximize their security effectiveness," (ISC)2 COO Wesley Simpson said in a press release. "It's a good reminder that in any partner ecosystem, the responsibility for protecting systems and data needs to be a collaborative effort, and multiple fail safes should be deployed to maintain a vigilant and secure environment."
