NIST: Supply Chain Best Practices in Cybersecurity

By Elise Leise
In an age of high-profile ransomware attacks, it helps to arm yourself with knowledge

After the massive Fourth of July cyberattack on Kaseya, security is likely on your mind. Hackers demanded US$70mn and up to 1,500 businesses faced the consequences. Any day now, you might be face-to-face with company executives wondering how you’re going to mitigate this type of risk. According to NIST, cybersecurity attacks can affect your relationships with vendors, disrupt your global supply chain, and derail your software. So what’s a procurement professional to do about it? 

Be Realistic

Keep in mind: you can’t be prepared for everything. Hackers consistently upgrade their practices as our security technology improves. This leads to what we call ‘zero day’, or previously unknown, methods of attack. Kaseya, for instance, was taken by surprise, only able to confirm that the breach wasn’t phishing. As company CEO Fred Voccola explained: ‘The level of sophistication here was extraordinary’. 

Take Proactive Steps

Before you get to the point where you’re paying millions of dollars in Bitcoin, mind the risks. Your IT systems might use third-party suppliers that have access to your software code, IP, and information systems. Your lower-tier suppliers may not use advanced security measures. You could purchase already compromised software, mistake counterfeit hardware for the real deal, or end up on the wrong side of a data aggregator hack. As Allan Liska, a Recorded Future cybersecurity analyst, said after the Kaseya attack: ‘This is a nightmare to manage’. 

Instead, NIST recommends asking targeted questions—much like a supplier assessment—to determine where your weaknesses lie. 

  • Is the vendor’s software / hardware design process documented? 
  • How does the vendor stay current on emerging vulnerabilities? 
  • What levels of malware protection and detection do you use? 
  • What physical security measures are in place? 
  • How do you protect and store customer data? 

Much like triaging a deadly infection—which poisonous malware is—Q&As with your IT team and company executives can help you determine the root cause of your security risks. If you don’t have much extra time, however, or you’re looking to upgrade your systems across the board, it helps to employ these basic best practices:

  • Include security requirements in every RFP
  • Obtain source code for all purchased hardware
  • Address vendor cybersecurity gaps with a dedicated IT team
  • Inspect all component parts from outside vendors 

Plan Ahead

As JBS, Colonial Pipeline, and Kaseya make news by paying ransom to cybercriminals, you have to accept that the question isn’t if your system will be hacked, but when. This helps your team avoid positivity bias, or just flat-out denial. After all, once you accept the premise that a breach is inevitable, your mind turns to what steps you’ll take once the worst-case scenario occurs. Who will you contact first? How will you support potential clients or vendors? Will you pay a ransom? And for how much? 

Don’t be caught off guard. Inform yourself. 
