Supply chain attacks are one of the fastest-growing cyber risks that organizations face in 2022, and when it comes to supply chain risk management, organizations in every industry should pay attention.
There have long been efforts to help organizations understand and mitigate supply chain risk, and recent initiatives, including the U.S. Executive Order on Improving the Nation’s Cybersecurity, have put supply chain and infrastructure security top of mind. While the vast majority of businesses and business leaders recognize that cybersecurity is a priority, the UK’s Department for Digital, Culture, Media and Sport (DCMS) has noted that actions are not keeping up with intentions, with nearly a third of companies admitting that they are not taking preventative action.
What is Supply Chain Risk Management?
Sometimes shortened to SCRM, supply chain risk management is the process of understanding and mitigating risk in an organization’s supply chain. The simple act of understanding your organization’s complete supply chain can be complex, especially when you consider the third-party vendors that your third-party vendors are connected to, and so on through the web of business connections.
Supply chain in a cybersecurity context does not refer to ships and trucks, but instead those digital connections that link organizations and their service providers.
What Puts Your Supply Chain at Risk? Three Major Factors
Digital supply chain risk has been a threat for years, but it is becoming increasingly prevalent according to Gartner, which has raised it to one of the top seven security risks of 2022. One major reason is that a single security breach can cascade through other organizations, as happened with Log4j.
Capable attackers are drawn to supply chain attacks for three reasons:
- They know these systems control millions of dollars of payments and shipped goods.
- They know these systems open doors into core systems such as mainframes and customer databases.
- They know that systems that communicate with partners are often Internet-exposed.
Gartner has predicted that “45 percent of organizations worldwide will have experienced attacks on their software supply chains,” which is three times as many as occurred in 2021.
Hackers often prod supply chains for weaknesses, and the most common targets are unsecured connections and the unencrypted data that flows between companies. But limited understanding and control over data can also put an organization at risk. Gartner’s research proposes that organizations must be more proactive and deliberate about assessing their vendor and partner-based risks. This can include requesting evidence of best practices, policy adherence, and data-centric security strategies.
1. Unsecured Connections
Hackers exploit supply chains first by investigating links between organizations. These connections can act as an unlocked back door that leads directly to the valuable information of one – or both – companies. And that unlocked entry can cause a domino effect that puts other organizations at risk.
Recent incidents have used a single company to impact a broader swath of downstream customers. And that’s unlikely to stop. Commenting on a major attack in July of 2021, Tim Erlin, VP of Strategy at Tripwire, said “No one should be surprised when a successful attack methodology is repeated, but we should aim to make these types of supply chain attacks harder to execute and incrementally less successful.”
2. Unencrypted Data
Data is the lifeblood of business – and also a main target of cybercriminals. That’s why data-centric security is increasingly front-of-mind. Data should be secured at rest – encrypted, restricted to only appropriate users – as well as in motion. File transfer and sharing is an essential part of day-to-day business, but it’s also when data is most at risk: it’s outside the organization’s secure walls and internal access restrictions. Organizations can take concrete steps to secure data at every stage of its journey.
3. Limited Visibility and Control
According to a recent report, data visibility is the biggest cybersecurity weakness reported by CISOs and CIOs. One of the first steps towards better data security is understanding the data on hand: what it contains, where it is stored, and how it is being used. From data intake to usage to archiving, every organization should have a plan for controlling data movement and access, as well as a way to gain a bird’s-eye view of the data on hand.
How MFT Helps Supply Chain Risk Management
Many of the same principles that protect other IT infrastructure – patching, secure protocols, strong credentials, and monitoring – apply to supply-chain technology, MFT included.
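The three risk factors above (unsecured connections, unencrypted data, limited visibility) and the principles just listed can be turned into a repeatable check over an inventory of partner connections. The script below is an added example, not code from the original post or from any MFT product. It assumes a constructed inventory in which each connection records its protocol, authentication method, whether the landing directory is encrypted at rest, whether transfers are logged, how many days since the endpoint was patched, and whether it is Internet-exposed; the field names, severity rules and the 30-day patch SLA are choices made for this illustration.

```python
"""Triage a partner data-exchange inventory against the three supply chain risk factors.

Added example; the inventory below is constructed, and the field names,
protocol lists and severity rules are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Protocols that carry data in the clear versus those that encrypt in transit.
PLAINTEXT_PROTOCOLS = {"ftp", "http", "telnet"}
ENCRYPTED_PROTOCOLS = {"sftp", "ftps", "https", "as2"}
# Authentication methods counted as weak for a partner-facing endpoint.
WEAK_AUTH = {"anonymous", "password", "none"}
PATCH_SLA_DAYS = 30  # assumed patch window for an exchange endpoint


@dataclass
class Connection:
    partner: str
    protocol: str            # e.g. "ftp", "sftp", "as2"
    auth: str                # e.g. "anonymous", "password", "ssh-key", "client-cert"
    encrypted_at_rest: bool  # is the landing directory encrypted?
    logging: bool            # are transfers audited?
    last_patched_days: int   # days since the endpoint was last patched
    internet_exposed: bool   # reachable from the Internet?


@dataclass
class Finding:
    partner: str
    factor: str    # "unsecured connection" | "unencrypted data" | "limited visibility"
    severity: str  # "high" | "medium" | "low"
    detail: str


def assess(conn: Connection) -> List[Finding]:
    """Map one connection's weak settings to the risk factor they fall under."""
    findings: List[Finding] = []
    proto = conn.protocol.lower()

    if proto in PLAINTEXT_PROTOCOLS:
        sev = "high" if conn.internet_exposed else "medium"
        findings.append(Finding(conn.partner, "unencrypted data", sev,
                                f"{proto} sends data in the clear; move to SFTP, FTPS or AS2"))
    elif proto not in ENCRYPTED_PROTOCOLS:
        findings.append(Finding(conn.partner, "unsecured connection", "medium",
                                f"unknown protocol {proto!r}; verify it encrypts in transit"))

    if conn.auth in WEAK_AUTH:
        sev = "high" if conn.auth == "anonymous" or conn.internet_exposed else "medium"
        findings.append(Finding(conn.partner, "unsecured connection", sev,
                                f"{conn.auth} authentication; use keys or client certificates"))

    if not conn.encrypted_at_rest:
        findings.append(Finding(conn.partner, "unencrypted data", "medium",
                                "landing directory is not encrypted at rest"))

    if not conn.logging:
        findings.append(Finding(conn.partner, "limited visibility", "medium",
                                "transfers are not audited; no record of what moved where"))

    if conn.last_patched_days > PATCH_SLA_DAYS:
        sev = "high" if conn.internet_exposed else "low"
        findings.append(Finding(conn.partner, "unsecured connection", sev,
                                f"endpoint unpatched for {conn.last_patched_days} days "
                                f"(SLA {PATCH_SLA_DAYS})"))
    return findings


def triage(inventory: List[Connection]) -> List[Finding]:
    """Assess every connection and order findings so high-severity ones surface first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for conn in inventory for f in assess(conn)]
    findings.sort(key=lambda f: (order[f.severity], f.partner))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per risk factor, the three factors discussed in the post."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.factor] = counts.get(f.factor, 0) + 1
    return counts


# Constructed sample inventory: partner names and settings are made up.
SAMPLE_INVENTORY = [
    Connection("acme-logistics", "ftp", "password", False, False, 120, True),
    Connection("bank-payments", "sftp", "ssh-key", True, True, 10, True),
    Connection("warehouse-edi", "as2", "client-cert", True, False, 45, False),
    Connection("legacy-erp-feed", "ftp", "anonymous", False, True, 400, False),
]

if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for f in report:
        print(f"[{f.severity:6}] {f.partner:16} {f.factor:20} {f.detail}")
    print(summarize(report))
```

On the constructed inventory, the Internet-exposed FTP partner using password authentication on a stale endpoint lands at the top of the report, while the SFTP connection with key authentication, encrypted storage, logging and current patches produces no findings; the per-factor summary shows where remediation effort should go first.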
Managed file transfer (MFT) is a secure file transfer solution that centralizes, secures, and automates data exchange. These software solutions are used to better control trading partner data exchanges.
MFT helps organizations:
- Centralize data flow for better visibility. It offers central control and brings credential management, user access privileges, and certificates into one system. These features help an organization understand both the data on hand and its connections to third-party organizations.
- Automate file transfers to reduce both manual transfer time and human error. Schedule recurring file transfers, ad-hoc sending, and more, with detailed notifications for both successful and failed transfers.
- Secure data exchange to meet internal and external requirements. Whether you’re beholden to industry or geographic compliance requirements, or need to adhere to company-set policies, MFT solutions can facilitate auditing, reporting, and restricting user access based on roles.
GoAnywhere MFT: A Key Data-Centric Security Layer
Discover how secure, streamlined managed file transfer can be a key element of your organization’s data security strategy.