Jul 8, 2021
Elise Leise

NIST: Supply Chain Best Practices in Cybersecurity

In an age of high-profile ransomware attacks, it helps to arm yourself with knowledge

After the massive Fourth of July cyberattack on Kaseya, security is likely on your mind. Hackers demanded US$70mn and up to 1,500 businesses faced the consequences. Any day now, you might be face-to-face with company executives wondering how you’re going to mitigate this type of risk. According to NIST, cybersecurity attacks can affect your relationships with vendors, disrupt your global supply chain, and derail your software. So what’s a procurement professional to do about it? 

Be Realistic

Keep in mind: you can’t be prepared for everything. Hackers consistently upgrade their practices as our security technology improves. This leads to what we call ‘zero-day’ methods of attack, meaning ones that were previously unknown to defenders. Kaseya, for instance, was taken by surprise, only able to confirm that the breach wasn’t phishing. As company CEO Fred Voccola explained: ‘The level of sophistication here was extraordinary’.

Take Proactive Steps

Before you get to the point where you’re paying millions of dollars in Bitcoin, mind the risks. Your IT systems might use third-party suppliers that have access to your software code, IP, and information systems. Your lower-tier suppliers may not use advanced security measures. You could purchase already compromised software, mistake counterfeit hardware for the real deal, or end up on the wrong side of a data aggregator hack. As Allan Liska, a Recorded Future cybersecurity analyst, said after the Kaseya attack: ‘This is a nightmare to manage’.

Instead, NIST recommends asking targeted questions—much like a supplier assessment—to determine where your weaknesses lie. 

  • Is the vendor’s software / hardware design process documented? 
  • How does the vendor stay current on emerging vulnerabilities? 
  • What levels of malware protection and detection do you use? 
  • What physical security measures are in place? 
  • How do you protect and store customer data? 

Much like triaging a deadly infection—which is what malware is—Q&As with your IT team and company executives can help you determine the root cause of your security risks. If you don’t have much extra time, however, or you’re looking to upgrade your systems across the board, it helps to employ these basic best practices:

  • Include security requirements in every RFP
  • Obtain source code for all purchased hardware
  • Address vendor cybersecurity gaps with a dedicated IT team
  • Inspect all component parts from outside vendors 

Plan Ahead

As JBS, Colonial Pipeline, and Kaseya make news by paying ransom to cybercriminals, you have to accept that the question isn’t if your system will be hacked, but when. This helps your team avoid positivity bias, or just flat-out denial. After all, once you adopt the premise that a breach is inevitable, your thinking shifts to what steps you’ll take once the worst-case scenario occurs. Who will you contact first? How will you support potential clients or vendors? Will you pay a ransom? And how much?

Don’t be caught off guard. Inform yourself. 
