3 strategies to secure the supply chain, the weak link in security
Recent cyberattacks against SolarWinds and other vendors of widely used technologies show how far foreign nation states and other hackers are willing to go to achieve malicious goals. By targeting private sector organizations within the technology supply chain, malicious actors have weakened the security posture of the government organizations that depend on those vendors.
Malicious actors can carry out these attacks in part because the rapid expansion of remote work, cloud adoption and third-party dependencies has continuously widened the threat landscape. Today, no vendor or agency is immune and, just as importantly, no single organization can stand against all of these threats on its own. There must be collaboration among industry players, as well as between industry and the public sector, if we hope to establish a security posture capable of combating these supply chain threats.
That said, we are at a point where we need to step back and assess our collective security postures from scratch to secure the entire supply chain. There are three overarching strategies that the public and private sectors can use to dramatically improve security and more effectively secure the supply chain:
- Create a zero-trust environment.
- Perform tests in real conditions.
- Identify, secure and form partnerships within the supply chain.
How can agencies and entrepreneurs implement these strategies? Let’s take a closer look.
Create a zero-trust environment
Right now, the primary attack vector is exploiting trust: the human trust between supply chain partners, the trust we have between our applications, and the trust we have inside our networks. The goal is to move from implicit trust, which far too many organizations currently have, to zero trust.
Start by thinking about how to ensure that users, devices, networks and applications all apply zero-trust or least-privilege access principles: authenticate and authorize every request, grant only the access a task requires, and assume that any one component may already be compromised. Consider implementing a Secure by Design approach by taking a 360-degree perspective, looking at the whole environment instead of focusing on one-off issues, which too often lead to one-off solutions.
In fact, when creating a Secure by Design strategy, start by thinking of zero trust as a mindset – or set of principles – followed by tools and practices. A longer term and more comprehensive approach will be much more effective.
Tests in real conditions
With a zero trust plan in place, the second objective is to test your organization's actual risk. Knowing the absolute, unvarnished truth about your risk profile is essential.
It's far too easy to assume you're less at risk than you actually are. You have met compliance requirements, you have technologies and processes in place, you have an enterprise-wide dashboard; few or none of these things tell you how exposed you really are. That is what testing is for.
Can someone break into your network and gain access to an industrial control system? Find out by testing. Run the test, study the results and adapt accordingly. Then keep testing and keep adapting. Most organizations have strong security products in place to defend their environment, but it is imperative to continue to tweak processes, update procedures and ensure the software in place is used to its fullest capacity. It is essential to continually test the environment to be sure that you are making progress.
Without testing, you are working in a vacuum.
Identify and secure the supply chain
Finally, and most importantly for this discussion, know your supply chain. With whom does your organization have contracts? Who do you pay to help you with day-to-day operations?
Especially for large organizations, this can be an extremely complex proposition. There will be primary providers, the ones that invoice you directly for their services, as well as secondary and tertiary providers that your primary providers depend on in turn. There will also be upstream and downstream suppliers, making it essential to research and discover each organization you do business with, directly or indirectly.
Once you've created a list of vendors, the next step is to prioritize them. Which providers have a direct impact on users or customers? What products do they support? What business processes do they support? How important are they to your mission or bottom line? Ask yourself whether you have "concentration risk": does a large part of your supply chain depend on one or two suppliers, possibly ones you never contracted with directly? A single compromised or unavailable supplier in that position can take down several business processes at once.
Once the partners are prioritized, think about how your organization wants to work with each of them. Do you want contractual agreements with each partner? Contracts can help set and manage expectations, help your organization understand the risk profile of your partners and, just as important, define your organization's security requirements.
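The inventory-and-prioritize exercise above is easier to reason about when the supply chain is modeled as a dependency graph. The following is an added worked example, not code or data from the article or from SolarWinds: the business processes, vendors and tiers are constructed, the function names are the author's own, and the "critical" set is an assumed prioritization. It walks every tier of suppliers behind each process, ranks vendors by how many critical processes stop if that vendor is compromised, flags concentration risk (a vendor at any tier that several processes share), and surfaces hidden dependencies you have no contract with.

```python
"""Constructed supply-chain dependency model (example only; every vendor,
process and tier below is invented for illustration, not article data)."""
from collections import defaultdict

# Business processes and the primary providers they depend on directly.
PROCESS_VENDORS = {
    "payroll": ["PayCo"],
    "customer-portal": ["CloudHost", "IdentityCo"],
    "monitoring": ["MonitorCo"],
    "email": ["MailCo"],
}

# Each vendor's own upstream suppliers (secondary, tertiary, ... tiers).
VENDOR_SUPPLIERS = {
    "PayCo": ["CloudHost"],
    "CloudHost": ["DNSCo"],
    "IdentityCo": ["CloudHost"],
    "MonitorCo": ["CloudHost", "DNSCo"],
    "MailCo": ["DNSCo"],
    "DNSCo": [],
}

# Assumed prioritization: processes whose loss directly hits customers or mission.
CRITICAL = {"payroll", "customer-portal"}


def transitive_suppliers(vendor, suppliers=VENDOR_SUPPLIERS):
    """Every upstream supplier of `vendor` at any tier (cycle-safe, excludes vendor)."""
    seen, stack = set(), list(suppliers.get(vendor, []))
    while stack:
        v = stack.pop()
        if v in seen:
            continue
        seen.add(v)
        stack.extend(suppliers.get(v, []))
    return seen


def process_dependencies(processes=PROCESS_VENDORS, suppliers=VENDOR_SUPPLIERS):
    """Map each business process to the full set of vendors it rests on, all tiers."""
    deps = {}
    for proc, direct in processes.items():
        full = set(direct)
        for v in direct:
            full |= transitive_suppliers(v, suppliers)
        deps[proc] = full
    return deps


def vendor_blast_radius(processes=PROCESS_VENDORS, suppliers=VENDOR_SUPPLIERS,
                        critical=CRITICAL):
    """Rank vendors by which processes stop if that vendor is compromised or down.

    Sort key: critical processes hit first, then total processes hit, then name.
    Returns a list of (vendor, set_of_processes) in priority order.
    """
    radius = defaultdict(set)
    for proc, full in process_dependencies(processes, suppliers).items():
        for v in full:
            radius[v].add(proc)
    return sorted(radius.items(),
                  key=lambda kv: (-len(kv[1] & critical), -len(kv[1]), kv[0]))


def concentration_risks(processes=PROCESS_VENDORS, suppliers=VENDOR_SUPPLIERS,
                        threshold=2):
    """Vendors at any tier shared by `threshold` or more processes: single points of failure."""
    return {v: procs for v, procs in vendor_blast_radius(processes, suppliers)
            if len(procs) >= threshold}


def hidden_dependencies(processes=PROCESS_VENDORS, suppliers=VENDOR_SUPPLIERS):
    """Per process, the vendors it depends on but has no direct contract with."""
    return {proc: full - set(processes[proc])
            for proc, full in process_dependencies(processes, suppliers).items()}


if __name__ == "__main__":
    for vendor, procs in vendor_blast_radius():
        print(f"{vendor:12s} affects {sorted(procs)}")
    print("concentration risk:", sorted(concentration_risks()))
    print("hidden dependencies:", hidden_dependencies())
```

In the constructed data the most dangerous vendor, DNSCo, is one no process contracts with directly; it only shows up once second- and third-tier suppliers are walked. That is exactly the kind of dependency a vendor list built from invoices alone will miss, and the kind of partner for which the contractual and security requirements described above need to flow down through the primary provider.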
The thing to remember when it comes to supply chain security is that it is permanent; it will be a continuous process of iteration, improvement and evolution. You’re never going to be “done”, and that’s OK. Embrace the journey; your organization will reap the benefits.
Brandon Shopp is group vice president of product strategy for SolarWinds.