RunSafe Security exclusive: Cyber security in the supply chain
Stop me if you have heard this before: as companies increasingly rely on third-party software applications, many are losing control over their software supply chain. As globalisation continues to scale and geographic constraints loosen, a strong supply chain is all but necessary to compete in the worldwide marketplace. This is in spite of the persistent challenges associated with identifying and understanding the security vulnerabilities inherent in third-party software development and adoption.
As supply chain attacks continue to escalate in frequency and sophistication, a very common misconception has taken hold among product managers – full control over the entire supply chain is the only way to minimise risk. As such, personnel in charge of product are going to extraordinary lengths to dictate price and requirements, leaving lucrative opportunities on the table for those who fail to conform.
With the supply chain’s importance increasing in proportion to the threat landscape, organisations and suppliers find themselves at a crossroads – do they acquiesce to the requirements of those seeking full control or do they abstain from the demands and forego the partnership?
The good news is that organisations do not need to have full control of the supply chain to protect it from cyberattack – whether they know it yet or not. By mapping out their supply chain, validating vendors, and reviewing security policies combined with technology implementation, organisations can close the gap on some vulnerabilities and prevent malware attacks from propagating without the burden and cost of trying to maintain full control.
Supply chain a common window for attacks
Up to 80 percent of security breaches now originate in the supply chain, according to a report by KPMG. In a common software supply chain attack, bad actors typically gain access to a software company’s distribution system and then insert malicious code in the legitimate software. When the customers update their versions, they are infected with the malware.
To reduce risk, most product managers seek a detection and reporting solution so an exploit targeting a specific vulnerability cannot disrupt their entire system. In industries where safety and critical compliance requirements exist (automotive, aviation or healthcare), security is often a function of the level of compliance. But, despite any efforts to comply, attackers can insert malware into a system via suppliers, keeping those within the chain exposed to memory-based attacks that bypass root of trust, encryption, and intrusion detection systems.
The Atlantic Council recently said in a brief that while software security vulnerabilities are a natural result of the development process and cannot be fully eliminated, they are increasingly passing through the supply chain. And in many instances, a single software component can now compromise the operational integrity of many critical systems and devices.
Unfortunately, many companies, especially small and medium-sized suppliers, lack full visibility into their supply chain and have no process for assessing the cybersecurity of the third parties with which they share data or networks. This is a big problem when considering that so many flaws are unintentionally built into software components.
Nonetheless, managing the supply chain is now a critical function in optimising quality, cost and reliability. In fact, many companies use it to create strategic advantages, drive brand differentiation and improve efficiencies. While stronger brands may have greater influence over their supply chain, companies are seeking to diversify sources so as not to be impacted by a single supplier or the demands of one brand over another.
To fear or not to fear lack of supply chain control – that is the question
For many organisations, just the thought of not having full control over their supply chain produces anxiety. After all, lack of control could mean that suppliers might not be required to meet standards, which could ultimately put organisations at a higher risk for several threats, including loss of intellectual property shared with supply chain partners and third-party access to IT networks, customer information or operational control systems.
Winston Churchill famously said that perfection is the enemy of progress, and his idea is apt for this discussion. The reality is that it’s virtually impossible to eliminate cyber risk throughout a supply chain – whether a company has complete control over it or not. Our increasingly interconnected technology products have a long journey from component manufacture to “shelf.” It’s hard to conceive of a tech product that is produced entirely in one location – labour costs often dictate that materials circumnavigate the globe more than once. Further, any device that incorporates software, whether open source or custom, is touched by many different hands during the development process. Risk is baked into the way organisations operate.
The first piece of good news for those wary of anything less than complete supply chain control is that executives in critical infrastructure industries in particular are starting to take a closer look at their supply chains, performing risk assessments, collecting threat analysis, conducting trials, and considering alternative security measures as part of a comprehensive strategy. This is important, as in today’s environment one must assume that the supply chain has been compromised.
Mark Weatherford, Senior Vice President and Chief Cybersecurity Strategist at vArmour, said in a presentation there are several things companies can do to lessen their risks. Start by identifying and learning more about your vendors. Map out your supply chain and identify your sub-tier suppliers with critical IT components or software embedded in your products and systems. Clearly identify exactly what information or systems your vendors can access, then review their practices and integrate the CISO team in the process.
The next piece of positive news is that there is a new way to apply cybersecurity across the entire supply chain and eliminate the dependence on what each supplier individually is able or willing to do. Since security is increasingly a strategic differentiator, it is now an area for the company to invest in with an approach that works across all systems.
What product managers must understand is that supply chain risk will remain no matter their level of control, and that blind pursuit of full control will only hinder productivity and will eventually impact the bottom line. By staying focused on mapping out their supply chain, validating vendors, and reviewing security policies combined with technology implementation pre- or post-production, manufacturing and commerce can move forward without the fear of an imminent supply chain attack.
By Joe Saunders, CEO, RunSafe Security
RunSafe Security is the pioneer of a patented cyberhardening transformation process designed to disrupt attackers and protect vulnerable embedded systems and devices.
The Ultimate Procurement & Supply Chain Event
Global eProcurement leader JAGGAER has been announced as the latest sponsor for Procurement & Supply Chain Live.
Recognised as a Leader by Gartner in both Strategic Sourcing and Procure-To-Pay, JAGGAER’s direct and indirect eProcurement solutions help over 1850 customers, connecting to a network of 4 million+ suppliers in 70 countries.
From September 28th-30th, Procurement & Supply Chain Live gives you the opportunity to network with C-level executives, gain insight from industry pioneers and walk away with actionable insights that accelerate your career. By the end of the week, we promise you’ll have the skills to solve the world’s most pressing supply chain and procurement challenges.
Whether you attend virtually or in-person, you’ll strategise how to cope with global disruption, learn from industry pioneers - including newly announced speakers Chris Shanahan, VP Global Procurement/CPO at Thermo Fisher Scientific; Jim Townsend, Chief Procurement Officer at Walgreens Boots Alliance; and David Cho, CPO at University of Massachusetts - and walk away with tips, tactics, and tangible connections.
How to Attend
In a COVID-disrupted era, we know that the majority of people would rather avoid travelling for events – why take the risk, right? In response to the continued disruption, BizClik Media Group has decided that Procurement & Supply Chain LIVE will offer the best of both worlds through hybrid accessibility.
That means you and your peers can attend the event in person or virtually – with no disadvantages for people who choose not to make the trip to the Tobacco Dock venue.
Procurement & Supply Chain LIVE will be held at the Tobacco Dock in London, an industry-leading venue that is renowned for delivering world-class events. For attendees’ peace of mind, the venue is working to the government-endorsed AEV All Secure Framework, alongside mia’s AIM Secure and ‘Good to Go’ accreditation, to ensure that we achieve a COVID-secure environment to facilitate all of your networking needs.
Our physical venue is both historic and stunning, but it has no bearing on the information that you and your peers can gain from the event. You can still absorb it all, interact with other attendees, and enjoy the conference experience on your alternative, virtual platform.
The platform will feature live feeds from all of the stages, as well as virtual networking areas. So, if you want to avoid travel, it’s not a problem! You can still get involved and enjoy the entire experience from the comfort of your own home.
New Speakers for Procurement & Supply Chain Live
Chris Shanahan, VP Global Procurement/CPO at Thermo Fisher Scientific
Shanahan is Vice President, Global Procurement/CPO for Thermo Fisher Scientific in Waltham, MA. He joined the company to lead efforts to leverage scale in the marketplace, develop capability and processes across the company, and transform the supply base. He co-authored the Procurement Leaders Handbook, and holds a Master’s in Business Administration from the Open University in the United Kingdom.
Jim Townsend, Chief Procurement Officer at Walgreens Boots Alliance
Townsend leads Walgreens procurement (Goods and Services Not For Resale). Prior to joining Walgreens Boots Alliance, he worked for Anglo American and General Electric, also in commercial procurement. He has worked overseas extensively, in both manufacturing and retail environments. He holds an MBA in Strategic Procurement from the University of Birmingham, UK, and a Bachelor’s Degree in Mechanical Engineering.
David Cho, CPO at University of Massachusetts
Cho is Chief Procurement Officer for the University of Massachusetts Unified Procurement Services Team (UPST), which comprises strategic sourcing, contracts, supplier management, procurement operations, accounts payable, travel services, and customer service functions that provide quality service to the UMass system. Cho has 25-plus years of strategy and operations management consulting and industry experience. He was formerly Global Head of Sourcing and Vendor Management at BlackRock.