Controlling Your Cyber Supply Chain

We don’t have “hall monitors” walking around our offices checking for fires. It’s something all persons of the organization have a watch out for (in large part, because of personal safety). Well, if your company goes bankrupt because all its IP has been stolen, I think that impacts your personal safety. So, start a program of being “security smart” within your organization.

Back in September, I wrote a piece that questioned whether or not you trust your network. As an extension to that piece, this piece focuses on your cyber supply chain.

Let’s begin with this simple premise: you may never fully know who is a part of your cyber supply chain. Why do I say that?  It is because it is exactly impossible for you to have a watchful eye on all parts of the supply chain. It would be a full time job for you. In my view, the only entity that could have full control of their cyber supply chain is a government (emphasis on could because even for a government full control of the cyber supply chain could be an incredibly difficult and expensive proposition).

If you accept that simple premise, then by extension, you will have no problem accepting this one as well: the probability of you being breached is greater than zero.

If you are with me so far, this is excellent. It means you have not bought a bag of magical beans from vendors or consultants who are already preaching to you that you are on the way to the cyber secure promised land.

My point is this: you don’t know what you don’t know, so when that is the case, ensure that you are taking some extra cautionary steps. And this is why I will reference a very handy tool from NIST that outlines some basic principles regarding the cyber supply chain. I won’t go through the entire tool but just focus on two areas: principles and key risks.

Principles

I’m not going to reinvent the wheel, so will therefore say the majority of what you need to know about cybersecurity is captured within these three principles:

1) Develop your defenses based on the principle that your systems will be breached.

2) Cybersecurity is never just a technology problem, it’s a people, processes and knowledge problem.

3) Security is Security.

I recommend viewing the tool, but here is my brief commentary on each point:

1) If you believe – even for a nanosecond – you have an impenetrable system (or let somebody convince you that one is possible) you may also believe that all is well in the world right now.  Caveat: even if we achieve some incredible technology, like Quantum Key Distribution (QKD) for communications, there will still be other threats, which is a perfect lead in to the next comment.

2) If you are not placing considerable emphasis on the human element, your cybersecurity strategy will always fail.  What has started as a hypothesis of mine has turned into a truism for me over the years: I am so certain of the human element issue that I am willing to personally guarantee your cybersecurity strategy will fail, 100% of the time, if you are not showing significant bias to solve the human element of the problem. Plenty more on this issue can be found in previous SDI posts and on LinkedIn.

3) If your cybersecurity strategy is independent of your security posture, you’re looking for trouble. This is why we say cybersecurity should be viewed through an organization risk management lens. This means if your IT department is not working with your security department and both are not working with all other departments in the organization, the question is not “when will I get breached” but rather “how badly will I be breached when it happens?”  Leadership at the top is crucial and absolutely necessary. The C-suite needs to adopt a risk management mentality and instill a culture of “security smart” within the organization.

You are probably wondering what I mean by “security smart” right now.  It’s simple: make sure everybody has a generally good idea of what the cyber risks are.  Don’t be paranoid.  Just get your staff to understand these threats are real and they can impact your organization and their jobs.  You do not see people freaking out that a fire may spontaneously erupt in the middle of your organization’s lobby, but people are trained enough to know that if they smell something burning or see some smoke, it’s best to warn others, quickly investigate, and if needed, pull a fire alarm or call 911.

We don’t have “hall monitors” walking around our offices checking for fires.  It’s something all persons of the organization have a watch out for (in large part, because of personal safety).  Well, if your company goes bankrupt because all its IP has been stolen, I think that impacts your personal safety.  So, start a program of being “security smart” within your organization (hint: SDI Cyber can help there).

Key Risks

The next section is all straight forward, again from the NIST tool.  All you need to know is that these risks exist and you should be thinking of ways on how to deal with them. These risks include:

  • Third party service providers or vendors – from janitorial services to software engineering with physical or virtual access to information systems, software code, or IP.
  • Poor information security practices by lower–tier suppliers.
  • Compromised software or hardware purchased from suppliers.
  • Software security vulnerabilities in supply chain management or supplier systems.
  • Counterfeit hardware or hardware with embedded malware.
  • Third party data storage or data aggregators.

It’s a bit of a raw deal, but yes, you have to worry about everybody else that’s part of your supply chain. And here’s the real kicker: you may have no control over what you can do except alter your supply chain, which could be an expensive proposition. This is where risk management comes into play: do you accept that risk (and the associated and potential costs) or do you do something about it?  That’s your decision, but it’s something you need to think about.  Otherwise, you’re just setting yourself up for a world of hurt that you may not be able to recover from.