4 Steps to Building Cyber-Resiliency
Cyber-exploitation through contractor networks is becoming more prevalent. Cyber-insecure suppliers and contractors provide covert backdoor access to more prominent corporations.
Fifty-six percent of organizations have experienced a cybersecurity breach caused by a third-party supplier, finds the Ponemon Institute. While companies aren't obliged to comply to specific data breach or legal regulations, the reputational damage resulting from an incident is significant. Further, an organization's customers are at increased risk from hackers seeking to exploit the breach.
The NotPetya ransomware cyberattacks in June 2017 prove companies of all sizes are at risk. The weak link in this cyberattack was a supply chain partner—resulting in 50,000 infected endpoint systems and hundreds of infiltrated servers and applications across 600 work sites in 130 countries.
Constant cybersecurity management for both the organization and its supply chain partners is critical. Here are four steps to building cyber-resiliency into supply chains.
1. Determine levels of security based on employee roles. Define reasonable levels of security for vendors, subcontractors, and supply chain partners first by identifying and categorizing contractors who either have direct access to the internal network or access to critical enterprise data. Separating vendors and contractors according to their functional role can help:
- Determine the type of information these partners have access to and how they are connected to the company's framework.
- Assign specific service level agreements for contractors.
- Enforce cybersecurity standards across the entire supplier ecosystem.
- Understand appropriate data-ownership, data-sharing protocol, and acceptable use of that data.
2. Conduct vendor risk assessment and prequalification. An organization can take every preventive measure to ensure its data and network are secure, but how can it confirm third-party partners do the same? Vendor risk assessment and prequalification allow companies to monitor their partners' security postures and confirm they uphold the cybersecurity obligations outlined in their contracts. Regular supplier audits pinpoint what cybersecurity monitoring and controls a partner might require.
Subcontractor and supplier risk management software offers supplier auditing services and objective supplier evaluation to provide an accurate view of vendor cybersecurity risks. This software can review supplier policies and procedures to ensure they are adequately codified, certified, and validated. Relevant indicators can tip off organizations to manage risk.
3. Monitor vendor access to network and data. Establishing limited network access for key vendors, contractors, and suppliers can further strengthen security posture. A consistent approach is necessary to control network access for vendors and contractors. Regularly monitor and audit access points to identify areas of weakness and ensure accurate mechanisms of access, management, security, monitoring and auditing are in place.
4. Train every employee. Employees are the last line of defense in cybersecurity and one of the most common threats. Create a culture of cyber-risk awareness to protect your organization and prevent threat events. Engage every employee, especially third-party vendors.
The first two steps in achieving cyber-resilience are drafting clear policies and training employees, contractors, vendors and suppliers. Make cybersecurity a priority for vendors by requiring training before work can start.
Companies need to fully understand the cyber-vulnerabilities within newly forged digital ecosystems, customize control measures, and collaborate with partners to mitigate these risks.