A Lumberjack Story
On a sunny day amidst the forest, there were two lumberjacks cutting wood. One of the men worked really hard all day in the scorching heat. He would seldom take a break, and he cut his lunch break down to just 20 minutes. The other man took several breaks during the day and would spend 45 minutes on lunch. He also took a 15-minute nap before going back to work after lunch.
The first man was extremely frustrated because, no matter how hard he worked, the other man’s pile of chopped wood was always more than his at the end of the day. “I don’t understand how you do it,” said the first man angrily one day. “Every time I look around, you are sitting down, and yet you cut more wood than I do. Why is that?” With a smile, the second man replied, “Did you notice that while I was sitting down, I was sharpening my axe?”
Sharpening One's Axe
Here’s another angle on “sharpening one’s axe.” Is your organization just reacting to issues after they have materialized? Or is your organization anticipating, mitigating, and improving risky scenarios? Certainly, in the world of networks, software, and digital assets, it is easy to imagine how exposed your data, secrets, and contracts are to cyber-attacks and data breaches. This blog looks at one area within cybersecurity that many organizations forget to include in their risk assessments—their supply chains.
Managing the Key Supply Chain Risks
Cyber attacks exploit a weak link in supply chains: organizations can’t always control the security measures taken by their supply chain partners. This creates opportunities for cybercriminals to reach an organization’s data and resources by first infiltrating a supply chain partner.
Because of the sensitivity of the data shared with the majority of supply chain partners, there is a heavy reliance on top-to-bottom collaboration on, and education in, cyber-secure practices. This is where many organizations fall flat, allowing third-party actors to drag down their management of cybersecurity risk.
Any weaknesses in supplier systems become weaknesses in the organization’s systems. Just think about the fact that each supplier probably has its own equally integrated and complex supply chain to manage as well, and you get a sense of the scale of the potential vulnerability.
The Key Supply Chain Risks are:
- Third-party service providers or vendors — from janitorial services to software engineering — have physical or virtual access to information systems, software code, or intellectual property
- Poor information security practices by lower-tier suppliers
- Compromised software or hardware purchased from suppliers
- Software security vulnerabilities in supply chain management or supplier systems
- Counterfeit hardware or hardware with embedded malware
- Third-party data storage or data aggregators
Time to think holistically about Supply Chain Cyber Attacks
Supply chain cyberattacks put organizations at significant risk — risk that can disrupt their operations and damage their reputations. Inadequate cybersecurity practices by lower-tier suppliers expose supply chain partners to increasing risk and monetary loss. Unpatched or poorly written software can introduce security vulnerabilities into the supply chain. Counterfeit hardware or software may contain embedded malware.
Thus, supply chain security requires a multifaceted approach. There is no one panacea, but organizations can protect their supply chain with a combination of layered defenses.
Some comprehensive steps throughout the supply chain to minimize the risk of external intervention like cybercrime are:
Indeed, in the modern world, where cyber vulnerabilities will only increase as organizations add more and more digital components to the supply chain, a holistic approach to mitigating cybersecurity risk is not a nice-to-have; it is a must-have, because attack surfaces grow by the day.