Security training in the supply chain

Cyber security series – Part 1

In an increasingly interconnected global economy, American companies must recognize the critical importance of protecting their data and knowledge. The supply chain is a vital component of our economic infrastructure, and its security directly impacts our national security, economic stability, and competitive edge. Everyone must take responsibility and do their part. In part 1 of this series on cyber security you will find a high-level overview of why it is important to protect yourself and, in turn, protect the entire chain.

This topic was first addressed in a lecture, presented by The Vision Council.

The Vision Council came to me to create this cybersecurity series as a result of increasing requests from their members and a very direct call-out by the United States Trade Representative (USTR) in their “Four Year Review of China Tech Transfer Section 301,” released in May of this year.

Specifically, in the report, the USTR stated: “U.S. companies should prioritize cyber defenses, invest in the necessary infrastructure and services, and take appropriate actions to remediate vulnerabilities and prioritize strengthening cyber defenses. Greater transparency by U.S. companies on the extent, type, and investment in cyber defense would permit market investors to support U.S. companies taking appropriate steps to protect their technology, IP, trade secrets, and confidential business information from China’s cyber espionage.”

Essentially, the government is advising industry to work together and prioritize cyber security. The Vision Council’s Government Regulatory Affairs team flagged this immediately, and saw an opportunity to educate the vision industry on steps that they can take to protect their businesses and work together to fortify the industry.

A collective approach to business intelligence security

Pardon the cliché, but we are stronger together. Just as a chain is only as strong as its weakest link, the security of our supply chains depends on each company’s ability to protect their data. Working together ensures that vulnerabilities are addressed collectively, reducing the risk of breaches.

By collaborating, companies can share insights on emerging threats, effective security practices, and successful mitigation strategies.

A coordinated approach to security incidents allows for faster and more effective responses, minimizing the impact of breaches. The protection of all is therefore based on three pillars: 

1. Collective defense
2. Shared knowledge and best practices
3. Unified response to threats

Examples of technology incidents in the supply chain: Target

During the holiday season of 2013, shoppers were filling Target stores while a significant data breach was unfolding behind the scenes, one that would impact millions and change how we think about cybersecurity.

A small subcontractor named Fazio Mechanical Services handled refrigeration, heating, and air conditioning for Target. Unfortunately, their security defenses were not as strong as they needed to be. Hackers saw an opportunity and sent a phishing email to Fazio, tricking an employee into downloading malware.

This malware opened the door for the hackers to access Fazio’s network. But they did not stop there. They used the credentials they found to break into Target’s main network. Once inside, they placed more malware on Target’s point-of-sale systems, the very machines that read our credit and debit cards when we make purchases. For weeks, every card swiped at Target was silently recorded by the hackers.

The attackers were a group of skilled cybercriminals operating out of Eastern Europe, primarily from Russia and Ukraine. They were known for their expertise in exploiting weaknesses in large organizations and had carried out similar attacks before.

The breach was detected by FireEye, a security firm monitoring Target’s network. They saw the malware and sent alerts, but these warnings were not acted on quickly enough. It was not until the U.S. Department of Justice alerted Target that the company took significant steps to stop the breach.

The fallout was severe. Over 40 million credit and debit card numbers were stolen, along with personal information from 70 million customers. Target faced lawsuits, huge financial losses, and a tarnished reputation. They had to spend millions on legal fees and security upgrades. This breach highlighted the importance of strong cybersecurity measures and the risks posed by third-party vendors.

Lessons learned

So, what can we learn from this?

Third-party risk management: It is crucial to ensure that any company you work with has strong security practices. Regular audits and strict security requirements for vendors can help prevent similar breaches.

Phishing awareness: The breach started with a simple phishing email. Educating employees about the dangers of phishing and how to spot suspicious emails is essential.

Prompt response to alerts: When security alerts are ignored or delayed, it gives hackers more time to cause damage. Having a robust incident response plan and acting on alerts promptly can limit the impact of breaches.

Network segmentation: By segmenting networks, companies can prevent attackers from moving freely within the system. This means even if one part is compromised, the rest remains secure.

Continuous monitoring and detection: Regularly updating security tools and ensuring they work effectively can help detect threats early. Continuous monitoring is key to staying ahead of cyber threats.

Vendor and supply chain risks

There are many risks to vendors and the supply chain when it comes to the security of our operations, data, devices, and business partners. Hardware, software, networks, data, and service providers are all potential entry points for attackers. On the hardware side, servers, air conditioning units, appliances, or production machines can all become targets. For software, those responsible should be able to answer the following questions: Who owns it? Who owns the data? Who is protecting it? Who has access? The network can be hosted in-house or by third parties, or the data may be stored in the cloud; in the last case, be aware that your data is effectively everywhere at once. These risks can generally be categorized at a high level as follows:

Compromised devices: For example, copiers can be hacked.

Cloud solutions: Services like Office 365, Dropbox, and other solutions you might not even realize are already in use in your organization can pose risks.

Incident investigation: I often encounter security scares with clients, and my first job is to determine whether the issue is on our end or the vendor’s. This is why someone in the organization must vet all companies you do business with, as those not in IT might not ask all the necessary questions regarding IT security.

Vendor engagement: It is challenging when, every other day, I hear, “Oh, I am talking to this salesperson about software we may buy.” You do not know how much we just love to hear those words on the security side of things.

Practical IT steps for securing the supply chain

With a few important but effective steps, the vast majority of attacks can be avoided. The following rules provide clarity and offer a simple guideline that every company can follow.

1. Conduct regular security audits
Regularly assess the security posture of your systems and those of your supply chain partners. Periodically hire independent auditors. 

2. Implement Multi-Factor Authentication (MFA)
Enhance security by requiring multiple forms of verification before granting access to your systems. Let a risk register highlight your weak points.

3. Use end-to-end encryption
Protect data in transit and at rest with robust encryption methods.

4. Monitor network traffic
Employ advanced monitoring and threat detection tools to detect unusual activity and potential breaches in real time.

5. Patch management
Ensure all software and systems are up-to-date with the latest security patches to close known vulnerabilities.

6. Manage vendor relationships
Manage them actively and be selective about whom you work with.
Create, or adopt an existing, third-party risk management life cycle and involve your employees in it.

Cybersecurity training for employees

At least once a year every company should conduct a security refresher for the entire team. Part 2 of The Vision Council series of cyber security presentations can be used as a required training for your team, eliminating the need to organize or hire a separate company to conduct one.

And do not forget: your security is only as strong as your weakest link, and your weakest link tends to be your coworkers. Ask yourself: how confident are you in your coworkers’ security knowledge? Four aspects in particular are crucial to making your team fit for cyber security:

Phishing awareness: Train employees to recognize and report phishing attempts, which are common vectors for cyber-attacks.

Incident response training: Develop and drill incident response plans to ensure quick and effective action in the event of an incident.

Data handling & privacy: Educate staff on best practices for handling sensitive data and complying with data protection regulations.

Third-party risks: Train employees to assess and manage risks associated with third-party vendors and partners.

If you do not have internal guidance, the government provides well-drawn-out guidelines on cybersecurity for businesses. These guidelines are widely adopted by government agencies and larger companies.

Here are some of the main ones if your IT team does not cover security: U.S. Cybersecurity and Infrastructure Security Agency (CISA), Information Sharing and Analysis Centers (ISACs), Professional Cybersecurity Organizations like ISACA and ISC2 and the National Institute of Standards and Technology (NIST). As of last month, NIST has released the ‘Risk Management Framework (RMF) Small Enterprise Quick Start Guide,’ which I highly recommend for small businesses seeking a comprehensive, flexible, risk-based approach to managing information security and privacy risk.

When choosing software or a third-party vendor, make sure to include the IT team so they can help assess IT risks. Here is a third-party risk management life cycle that you can screenshot. While it is not an official version, as those are more detailed, this is a good starting point.

Issues can arise when you do not manage this effectively. For example, employees might use services like Dropbox or bring in vendors to discuss software without IT assessing how it will integrate with existing systems. I have had instances where an employee created a Google Drive or Dropbox account, then left the company, and nobody could access the account because nobody had the password.

This also becomes a problem as you continue to move towards AI. AI quality depends on the data it receives, so the experience you get is influenced by the data you input. The more tools you have scattered across different platforms, the more you will need to integrate them with add-ons, increasing security vulnerabilities. Therefore, it is crucial to get a handle on it.

Outlook

This article should provide a good basis for raising awareness on good cyber security strategies and the importance of protecting your supply chain. In the second part of the series, I will focus on employees. The article will teach employees how to be more vigilant when working with computers and “all of the things”.

In part 3 of this article series, we will discuss essential policies and procedures, such as business continuity plans and backup plans, that you need to establish and review annually.