Cyber supply chain risks take many forms: vendors with physical or network access, compromised hardware or software from suppliers, third-party data aggregators, and much more. In fact, as the National Institute of Standards and Technology noted in a recent report, these risks are often more than just an IT problem.
To secure a supply chain and minimise, or even eliminate, cyber risk, the following tips can make a significant difference:
1. Restrict access unless absolutely necessary
Tight access controls are the foundation of a secure supply chain. As a rule, suppliers and third-party vendors should be restricted to the minimum level of access their work requires. In most organisations, only a few suppliers will actually require access, and their number should be controlled and monitored.
Access needs to be restricted both physically and digitally. For example, hardware suppliers should not have direct access to control systems, as that would increase the risk of a breach.
2. Make sure the Procurement Officer is present at cybersecurity meetings
All too often, cybersecurity meetings include high-level management positions such as the CEO, CFO, CTO, HR, COO, CIO, and CMO – but not the Procurement Officer. That creates a gap between the meetings and the reality on the ground, which can cause problems with implementation.
With the Procurement Officer present, the meetings can identify insider threats from suppliers and set policies to deal with them.
3. Monitor suppliers to ensure compliance and identify potential risks
All suppliers must be monitored to ensure their compliance with security guidelines and access restrictions. The monitoring should be multi-tiered, encompassing both physical checks and monitoring software that tracks access to data and systems.
Ideally, the monitoring will be part of a comprehensive controls policy that all suppliers are required to agree to. The policy should set out every requirement the supplier must comply with, including consenting to monitoring software that tracks and reports on any issues.
One way organisations can secure their supply chains more effectively is with WorkExaminer, software designed to provide accountability and monitoring across an entire company.
WorkExaminer allows access to be monitored in real time by tracking user activity, recording screenshots, capturing keystrokes, and more. It can also enforce controls that limit access to specific websites or applications on any workstation.
Simply put, WorkExaminer gives companies the ability to identify potential risks based on user activity or behaviour, so they can act to mitigate those risks by auditing the supplier in question, monitoring them more closely, or restricting their access further.
In the event of a data breach, WorkExaminer's logs and the data they contain could prove invaluable from a forensics standpoint. They allow investigators to identify the cause of the breach more easily and to determine whether or not it was a weakness in the cybersecurity of the supply chain.
Considering the risk that data breaches and compromised supply chains represent, the benefits of being able to track and monitor the access of all parties using WorkExaminer should be clear. Increasingly, such monitoring is no longer merely optional but is required by regulations such as HIPAA and other privacy and data protection legislation.
All said and done, monitoring is crucial if you want to eliminate cyber risk from your supply chain.