Supply chains are a vital component to every organisation’s business operations, and critical to business productivity and innovation through collaboration and the sharing of valuable information. However, this understandably leads to a lack of control over, and increased threat to, the confidentiality and integrity of information, increasing the chances of it becoming compromised.
Supplier ecosystems are becoming more fragmented, complex, and geographically dispersed, which ultimately leaves organisations vulnerable to security threats. The news that Visser Precision, which makes parts for Tesla and SpaceX (as well as defence contractors Boeing and Lockheed Martin), was hit by a data breach earlier in March should once again serve as a wake-up call to organisations about the risks associated with third party suppliers and contractors.
IT departments are under increasing pressure to support untrusted and unmanaged endpoints within their external partners to allow access to their internal systems and data. Every contractor or third party will have its own security framework, and take different measures to protect information against cyberattacks. Nevertheless, you cannot be certain that their level of security matches up to that of your organisation, neither can you be sure it addresses all the necessary compliance regulations – the risk cannot be outsourced, it is down to the organisation to manage.
There are of course, a number of ways to reduce your exposure to risk, and an important aspect of any effective supply chain risk management program is to acknowledge that it provides a means to build a more resilient business.
Organisations must take control of their data at all points on its journey through third party hands – and the controls applied must not impede the flow of information or ideas, or make processes impractical. They must be able to establish what information is being shared, how, whether the third party needs access to all of the information they are provided and the probability and impact of potential compromises.
Businesses need to consider the potential risk and consequences of a supplier accidentally breaching sensitive corporate, customer or employee data in order to balance information risk management efforts across the entire supply chain.
Security is only as strong as the weakest link
A data breach could be a result of any number of vulnerabilities, and there are many factors and weak links that could put sensitive information at risk of being compromised. This could be down to a lack of awareness of the value and sensitivity of information being shared with third parties, or a lack of visibility and controls as it is shared across the supply chain. It could be down to having too many contracts to manage, or simply a matter of basic human error.
Research from Apricorn has revealed that one of the biggest threats to security is third parties mishandling corporate information (23%) along with employees unintentionally putting data at risk (33%) and lost/misplaced devices containing sensitive corporate information (24%). The difficulty is that security is only as strong as the weakest link so organisations must establish where these weaknesses lie.
Conducting comprehensive and regular audits of all data that is shared with suppliers and partners can help identify any points at which data may not be sufficiently protected, in order to address these with tools, technologies, policies and processes.
Businesses need to asses where their security may be compromised posture by establishing:
- What data is shared with suppliers, and for what purpose?
- How their suppliers store and process it.
- Where it resides – for example, is it stored in the cloud at any point?
- Who has access to it, and why.
- What security controls are placed on it?
- Where it flows downstream – do they share it in turn with sub-contractors or other third parties?
Playing by the rules
Organisations that are not in complete control of their data throughout its journey risk hefty fines and reputational damage resulting from data breaches and non-compliance with strict regulations, such as the General Data Protection Regulation (GDPR).
GDPR legislates for uniform and comprehensive controls that protect the personal data of EU citizens. Suppliers should be contractually obliged to be able to pinpoint all personal identifiable information (PII) that belongs to your organisation, and document where it resides and how it’s stored, retrieved and deleted.
They should provide evidence that they are limiting the data they hold – deleting everything that is not required for operations – as well as who is authorised to access it. Organisations should have the visibility to identify any areas of non-compliance, and demand that these are addressed immediately.
Employees are often unaware of their specific role in preventing data breaches or loss, and as a result they can unintentionally put it at risk. In fact, Apricorn’s recent survey also found that more than 44 percent of surveyed IT decision makers agreed that over the last year, their organisation’s mobile/remote workers alone, have knowingly put corporate data at risk of a breach.
Businesses should have standardised staff security training programmes in place, and extend them to partner and contractor teams. This will ensure that every business in the supply chain is aware of its duty of care in protecting the data they handle on behalf of an organisation. Alongside ensuring that all third parties follow the same best practice, this will increase supplier engagement.
Programmes should educate users in understanding the specific risks and threats to the data, their responsibilities in protecting it, the policies and procedures they must follow, and how to apply any tools provided to them.
Securing all endpoints
The encryption of data should be a key element of any security strategy as this will render information unintelligible if it does fall into the wrong hands – balancing security with availability. Strengthening endpoint controls allows organisations to trust in the integrity of their data and systems wherever it is being accessed and on whatever device they’re using.
Encryption is specifically recommended by Article 32 of the GDPR as a means to protect personal data. The framework also states that any organisation that has implemented encryption is exempt from having to contact each individual affected in the event of a breach, thereby to avoiding the resulting administrative costs.
Businesses should review the policies and procedures that set out how different types of data must be handled and controlled, amending existing policies and introducing new ones as necessary. They should consider the corporate-approved tools and technologies that must be used, and when they should be updated – for example, the rules for the length and complexity of passwords or even the requirement for auto-lock/self-destruct functions on lost or stolen devices.
These policies should be shared with all partners and contractors, and enforced in third party contracts. Businesses should also consider applying penalties for failures to meet these or risk the repercussions of fines and financial losses that they could face as a direct result of a data breach.
Whilst supply chains are difficult to secure, a weak link in that chain can have as much impact on your organisation, as a breach from within. If businesses can implement the necessary policies and processes at an early stage, it will ensure they can react appropriately and efficiently if, and when, a breach should occur.