Business Journal Ask the Expert Column – December 2019

We’re a mid-sized, fast-growing company with serious concerns about our supply chain security after one of our competitors was breached. What steps do we need to take to effectively improve our security posture without alienating suppliers? 

Supply chain security represents a significant issue for many companies, not just yours. State sponsored threats and professional criminals are now targeting supply chain partners as an easy way to breach final targets. It’s an effective strategy because it allows those targeting you to find the path of least resistance even if your security is in order. Here are a few things you can do before the end of the year to reduce the risk of a breach in your supply chain affecting your company. 

1. Create a Master List of All Your Suppliers. To accurately understand your risk status and exposure, you first need to know every company with whom you partner, as well as their subcontractors and network of suppliers with direct connections to your organization. This seems like an obvious first step, but I would challenge you to go deeper into your supply chain and work with each business unit to find what their vendor list looks like as well.  

The SANS Institute’s Report put it best, stating that the foundation for any successful security program begins with asset management. You can’t secure the unknown, and that includes supply chain assets. Once you know who is aligned with your organization, you can begin to understand risk and determine when it changes. 

2. Rule of Least Privilege. If I could only give one tip for how to protect your data when it comes to your supply chain, it would be to follow the rule of least privilege. The rule of least privilege limits vendor access to only what they need to accomplish their job within the supply chain. The Target breach still gets brought up even years after the compromise because someone was able to compromise its HVAC system and end up with domain-level privilege within the environment. No company deserves the keys to your kingdom without proving their own security.

50% of manufacturers report experiencing a breach over the last 12 months, 11% of which were severe, according to Sikich’s fifth Manufacturing and Distribution Survey, 2019. Following the rule of least privilege assumes your supply chain will have an incident, and it keeps you from becoming a victim of that incident. Regardless of who in your supply chain gets compromised, if you have to reach out to your customers you are automatically the party at fault in their minds.

For those partners who require high privilege, such as a managed service provider (MSP), make sure the correct checks and balances are in place to protect your company’s data. MSPs have been a leading source of compromise this quarter via remote toolsets used to push malware onto computers. Do not assume any vendor in your supply chain has perfect security standards. 

3. Set Security Standards. Hold your vendors to the same security standards you hold your own company to. Requiring a SOC 2 report, or a similar security compliance report, will give you reassurance that your supply chain is pushing itself to maintain high security standards. This requirement must be communicated during the procurement process, not after a vendor has been onboarded.

For example, for small suppliers with limited exposure to your inner workings, a basic background check will usually suffice. Conversely, employees of larger, more involved and entrenched partners, with access to your IP, trade secrets, networks and/or systems, should be the subject of detailed financial and criminal background checks, interviews and screenings, and other security protocols, such as access monitoring.

Planning is key to execution at this phase. Too many internal security teams simply move too slowly and interfere with the level of responsiveness required for ongoing business operations, so they are often excluded from the supply chain process. But given the sophistication of modern cybercriminals, security must be a part of supply chain management.

4. Know Your Data. You should plan your data the same way you plan your weekend. Hear me out on this one. When you schedule an oil change you wouldn’t tell the person on the phone everything you have planned that day. Don’t give out data to vendors that they don’t need to operate. If a vendor does not have a business need to have client addresses, then they should not have access to this information. 

While this does not keep a vendor from being compromised, it will put you in a much better position during an incident because they will only have certain data access. Additionally, it is critical for the list of data vendors in your supply chain to be maintained and updated with each procurement. 
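Items 2 and 4 above (least privilege for vendor access, checks and balances around high-privilege partners such as MSPs, and giving vendors only the data they need) can be written down as a small, reviewable supplier register rather than left to memory. The following is an added example, not code from the column or from SpearTip; the vendor names, system names, data fields and required controls are all constructed for illustration.

```python
"""Supplier register with deny-by-default access, data minimization and a
least-privilege review. Added example with constructed data; no real vendors."""
from dataclasses import dataclass

# Systems whose compromise hands over "the keys to the kingdom" (constructed list).
TIER0_SYSTEMS = frozenset({"domain-admin", "backup-console", "rmm-console"})
# Checks and balances expected around any vendor that legitimately holds a Tier-0 system.
REQUIRED_PRIVILEGED_CONTROLS = frozenset({"mfa", "session-recording", "jit-access"})


@dataclass(frozen=True)
class VendorGrant:
    vendor: str
    purpose: str                     # business reason recorded at procurement time
    systems: frozenset               # systems the vendor may connect to
    fields: frozenset                # record fields the vendor has a business need for
    privileged_role: bool = False    # True only if the purpose itself requires Tier-0 access
    controls: frozenset = frozenset()  # compensating controls in place for this vendor


# Constructed register. The HVAC vendor's domain-admin grant is deliberately wrong,
# mirroring the kind of over-privileged access the column warns about.
GRANTS = (
    VendorGrant("hvac-services", "building climate monitoring",
                frozenset({"bms-sensor-api", "domain-admin"}), frozenset()),
    VendorGrant("parcel-carrier", "outbound shipping",
                frozenset({"shipping-portal"}),
                frozenset({"order_id", "ship_to_name", "ship_to_address"})),
    VendorGrant("msp-remote", "endpoint management",
                frozenset({"rmm-console", "domain-admin"}),
                frozenset({"hostname", "employee_email"}),
                privileged_role=True,
                controls=frozenset({"mfa", "session-recording"})),
)


def find_grant(vendor, grants=GRANTS):
    """Look a vendor up in the register; None means 'not a known supplier'."""
    for g in grants:
        if g.vendor == vendor:
            return g
    return None


def authorize(vendor, system, grants=GRANTS):
    """Deny by default: a vendor reaches a system only if the register grants it."""
    g = find_grant(vendor, grants)
    return g is not None and system in g.systems


def share_with_vendor(record, vendor, grants=GRANTS):
    """Project a record down to the fields the vendor needs (data minimization).
    Unknown vendors get nothing rather than everything."""
    g = find_grant(vendor, grants)
    if g is None:
        raise PermissionError(f"{vendor!r} is not in the supplier register")
    return {k: v for k, v in record.items() if k in g.fields}


def least_privilege_findings(grants=GRANTS):
    """Review the register: Tier-0 access must match the stated purpose, and a
    vendor that legitimately holds it must have every required control in place."""
    findings = []
    for g in grants:
        tier0 = g.systems & TIER0_SYSTEMS
        if not tier0:
            continue
        if not g.privileged_role:
            findings.append((g.vendor,
                             f"tier-0 access {sorted(tier0)} exceeds purpose '{g.purpose}'"))
            continue
        missing = REQUIRED_PRIVILEGED_CONTROLS - g.controls
        if missing:
            findings.append((g.vendor, f"tier-0 access without {sorted(missing)}"))
    return findings


if __name__ == "__main__":
    # Constructed order record; only the shipping fields should leave the building.
    order = {"order_id": 1001, "ship_to_name": "A. Example", "ship_to_address": "1 Main St",
             "card_last4": "4242", "customer_email": "a@example.invalid"}
    print(share_with_vendor(order, "parcel-carrier"))
    for vendor, issue in least_privilege_findings():
        print(f"FINDING {vendor}: {issue}")
```

Run the register review whenever a vendor is added or a grant changes, since the column's point is that the list must be maintained with each procurement; a finding such as the HVAC vendor's domain-admin grant is exactly the item to raise before onboarding rather than after an incident.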

5. Train for the Event. In today’s hyper-accelerated business environments, internal security can no longer carry the ball for everyone. As business units incorporate suppliers and vendors, they should be a part of the assessment process, rating financial and viability risk of the companies they want to use. One of the best ways to involve these other business units is through a tabletop exercise with the major stakeholders of the business.

Tabletop exercises immerse your team in real world scenarios against ethical security professionals posing as potential threats. By partnering with a team of cybersecurity professionals to conduct tabletop exercises, you can practice everything from how to uncover false data in vendor applications and backgrounds, to simulations of crisis management responses during business disruptions within your supply chain. This high-level practice is an invaluable risk management tool that will prepare your organization unlike anything else, should you fall victim to a cyberattack.

For more information about how to improve supply chain security, feel free to contact SpearTip or reach out to me personally. If you have a question that you’d like answered here in the Business Journal, email it to [email protected]