Did you know that poor supply chain security is the cause of more than 50% of cybersecurity attacks? Remember the Target breach in late 2013, when millions of consumers had their credit card information stolen? That breach was initiated by a compromise of one of Target’s HVAC vendors. If you allow suppliers or vendors access to your IT system, or make interconnections between IT systems, you need to have a supply chain security plan in place; without cybersecurity management for both you and your vendors, you will face supply chain cybersecurity threats. The confidentiality of your customer data and intellectual property depends on low-risk interactions with your suppliers. For example, without a robust Interconnection Security Agreement (ISA), you have little control over how your suppliers or vendors handle your sensitive data once it reaches their IT systems. Supply chain security is a growing concern, with 78% more supply chain cybersecurity threats and attacks in 2018.
Furthermore, if your organization operates in a regulatory or compliance environment—industries such as government contracting, health care, or financial services—supply chain security is a requirement. For instance, the DoD Federal Acquisition Regulation Supplement (DFARS) requires you, as the prime vendor, to manage your IT system interconnections and vendor maintenance activities. Here are a couple of examples of these requirements from the National Institute of Standards and Technology (NIST) 800-171 standard:
Control 3.1.3[c]: designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified.
Control 3.7.2: provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
And for organizations certified to the ISO 27001 standard, the expectation for supply chain security is quite clear: there is a whole family of requirements, A.15 Supplier Relationships, which dictates that “Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented.” We can only expect supply chain security to come under more and more scrutiny as this threat source gains notoriety from continued system and data breaches.
Totem Tech can help you manage the supply chain cybersecurity threats your suppliers and vendors represent to your organization. Our Totem Cybersecurity Planning Tool—which comes packaged with the NIST 800-171 and HIPAA cybersecurity requirements as a baseline—can be used to manage the supply chain security and compliance of as many sub-organizations as you desire. You can then require, as part of doing business with your organization, that your suppliers and vendors provide visibility into their cybersecurity processes through Totem’s Cybersecurity Planning Tool. If they don’t, for instance, employ strong authentication for users of their IT system, you’ll know that risk exists and can work with them on a mitigation strategy.
Totem Tech can also perform inspection and validation of your suppliers and vendors for increased supply chain security. We’ll verify that they are who they say they are, and that their products and services are what they say they are. We’ll make sure they aren’t headquartered in foreign countries hostile to the US. We’ll inspect software for bugs and vulnerabilities. We’ll make sure they aren’t passing your intellectual property off to your competitors—whether intentionally or not. This will help reduce supply chain cybersecurity threats. It’s also crucial to understand the money chain, so we’ll determine where revenue goes to ensure they aren’t affiliated with organized crime or terrorist groups.
Give us a call to see how we can help you with your supply chain security risk management activities today.