Tuesday 25 August 2020

How To Protect Your Supply Chain From Cyber Attack and Vulnerabilities


  • Cyberattacks on the supply chain continue to increase as criminals and state-sponsored hackers find the weak points.
  • In April, Wipro, an outsourcing company serving many American companies, had a trusted network hacked and used by attackers to launch cyberattacks against the company's customers.
  • In May, Adobe's Magento e-commerce platform, with over 7,000 business applications, and other third-party services were hacked, stealing passwords and other sensitive information from multiple companies, including Ticketmaster. If you run your store on Magento, it is advisable to contact an experienced Magento development agency for risk analysis and threat protection.
  • Also in May, a third-party contractor exposed sensitive credentials for Universal Music Group's internal servers, putting critical information stored on those servers at risk.
  • In July, the UK Information Commissioner reported that British Airways had diverted about 500,000 customers' sensitive information to malicious websites after its websites and apps were infected with malware. A fine of $30 billion (266.3 billion won), equal to 1.5% of its 2017 net sales, was imposed.
  • Almond Kagla, head of the Liberty Advisory Group, a Chicago-based consulting firm, said, "As hackers increasingly prefer to exploit the weak defenses of third-party suppliers and subcontractors, companies are at a disadvantage."

Find Supply Chain Security Champions

Supply chain security is far easier to keep at a high level of protection if there is a champion within management who is responsible for supply chain decisions. This champion can be a board member, CEO, CIO, COO, or head of procurement. Rather than issuing security orders, CISOs or security managers cultivate champions by building trust with management and working alongside them.

Kagla pointed out that decision-makers should trust such champions, who should sit at the table with other executive stakeholders. Without internal political power, he said, a supply chain program can be relegated to just another cost center and cut from risk mitigation efforts whenever business units face the usual resource and budget shortages.

Check all vendors 

The report explains that the foundation of a successful security program is asset management, vulnerability assessment, and configuration control. It points out that you cannot defend what you do not know you have, and once you know an asset exists, you must be able to detect when its risk state changes.

Portfolio management is therefore treated as equivalent to supply chain management: discovering all supply chain partners, from primary partners to the extended supplier network, regularly assessing their vulnerabilities, and detecting changes in exposure. This is hard work.

Apply multiple supply chain risk assessment approaches 

The report warned that a single risk assessment approach will not fit companies of all sizes. It explained that a range of capabilities, from quick discovery to detailed, in-depth assessments, may be needed to support business requirements and to monitor risk levels more continuously.

Automation can be another way to avoid slowing down the business. UK-based car-sharing company Gett tackled supply chain security by deploying an automated solution from Panorays, which sponsors the SANS report.

Extend dashboards and reporting to business units and IT managers 

The report recommended using supply chain security processes and tools to provide non-security staff with visibility into the current risk status and include risk information in decision-making. 

It also noted that security systems should be integrated into the existing processes for assessing suppliers' and partners' financial or survival risk. Where no such process exists, the format and data of supply chain security reports should be kept as similar as possible to those already familiar to procurement, logistics, and business operations managers.

Business units tend to be responsible for managing the outsourcing service providers that act on their behalf, so individual business units benefit most from dashboard access. The dashboards yield valuable data on potentially risky suppliers, which also lets the business unit insist on the adoption of specific technologies or management controls in ongoing negotiations with those suppliers, or renegotiate specific SLA terms.

Closing the loop with the vendor 

The report explains that manufacturers learned long ago that merely removing poor-quality suppliers does not make a quality control program successful. They realized they had to close the loop: all suppliers had to receive feedback that encouraged them to adopt higher-quality processes.

This also applies to supply chain security programs. The report said that an effective supply chain security program should include feedback to and evaluation of suppliers, with visibility into the evaluation results, in order to address open issues and drive overall improvement.
