BreachExchange mailing list archives

In Securing Your Supply Chain, Don’t Forget To Lock The Back Door


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 27 Nov 2013 22:55:39 -0700

http://www.mbtmag.com/articles/2013/11/securing-your-supply-chain-don’t-forget-lock-back-door

Over time, business has gotten a lot smarter when it comes to protecting
enterprise technology from the hackers and viruses that are constantly
fighting to get in.

At the same time, though, we sometimes forget to account for a key
vulnerability in the security perimeter — the many data links maintained
with suppliers and service providers. The oversight is potentially serious.

After all, your company might take all the security precautions possible
with your own network. However, you can never account for the practices of
the dozens or hundreds of other companies your enterprise interacts with on
a daily basis through digital backdoors such as your e-procurement software.

And, don’t forget that all those vendors also do business with dozens or
hundreds of other businesses as well. It’s like that old shampoo
commercial: You tell two people, and they tell two people, and so on, and
so on. The point being that, in the digital world, you’re vulnerable to the
poor security habits of those around you.

Don’t Forget to Lock the Back Door

Up to half of all reported company data breaches slip in through unguarded
digital back doors. And as the number of third-party vendors you deal with
via procurement software goes up, your risk rises exponentially.

Lax procedures that fail to protect critical data leave businesses
vulnerable to attacks that threaten customers and damage brands. The threat
also can compromise operational processes, including your supply chain.

There are some obvious steps to guard against security threats coming
through the supply side of the operation. Most obvious, and basic, is the
use of up-to-date anti-virus software and monitoring systems on all data
connections and pathways between the business and its vendors, suppliers
and service providers.

But businesses can build another solid layer of protection by restricting
all digital communications and transactions between the business and its
third-party vendors to a secure, easy-to-monitor digital channel.

Here are some other steps companies can follow to avoid common pitfalls:

1. Analyze every nook and cranny in your supply chain for vulnerability.
Conduct a comprehensive analysis in which each node and component of the
supply chain is thoroughly examined. Most companies are well aware of this
already, but your supply chain management system should be part of your
overall cyber security assessment.
2. Communicate throughout your organization. Surveys have shown that
fragmented or one-off communication between your IT staff and supply chain
team can lead to trouble. Take steps to be sure your chief information
officer, chief risk officer and procurement officer are in tight contact.
3. Tap the government as a resource. While one company’s supply chain might
not be the government’s top priority, its focus on infrastructure from a
cyber risk perspective certainly dovetails with corporate interests. One
useful resource is a program between the Department of Homeland Security’s
Office of Cyber Security & Communications and the National Institute of
Standards and Technology. They’re developing a voluntary set of cyber
security standards and best practices for critical infrastructure.
4. Ensure you have the visibility to recover. In a recent study, 68 percent
of companies said they understood their cyber risks. Most of them said they
had programs in place to protect them. However, nearly two-thirds of
companies had a security incident in the past year. The lesson here: try
though you might to avoid an attack, you could get hit anyway. The only
effective insurance is to maintain total organizational visibility and a
plan you can enact in a worst-case scenario. Make sure your supply chain
management solution gives you that visibility.

Today’s cloud-based solutions for digital vendor communications provide
total data management and communication transparency to both the business
buying the wholesale products or services and the vendors of those goods
and services.

They also dramatically reduce errors when compared with conventional phone-
or internet-based order/fulfillment channels, and they dramatically speed
up the invoicing and payment process.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss