It's tempting to imagine your supply chain as one unbroken line where each link is directly fastened to the next, making it easy to uncover weak spots or add new processes. In truth, this chain more closely resembles a tangled web with lines and links that branch out, interconnect and then split. The recent Target breach, for example, began with stolen credentials from a third-party HVAC vendor, and in a market where suppliers and partners may be half a world away, IT operations professionals face the immediate task of developing a new paradigm for supply chain security.
Let's take a look at what happens when breaches go global, plus best practices for handling the threat.
A recent article in Forbes discusses partner networks — a major sticking point for the supply chain. In the piece, author Dave Lewis recalls a penetration test of the 300 partners connected to his business's network. In less than 15 minutes, the network had been breached via a third party using "$vendor" as both its default username and password. The test uncovered a sobering statistic: less than one-third of all the company's partner connections had any documentation concerning their access policy. Most of those with documentation, meanwhile, provided data that was incomplete at best.
With traditional supply chain soft spots locked down, the global sourcing of raw materials and labor has created a massive, though immature, digital supply chain. As a result, network connections are the new battleground — and one weak link can spell disaster.
Rules and Regulations
Not all supply chain security threats come from outside. As noted by Supply Chain Digital, new legislation can prove costly if businesses don't have agile security measures in place. Why? Because legislation, like the Office of the Comptroller of the Currency (OCC) bulletin 2013-29, places the onus squarely on companies for managing the risk of any third-party interactions. For example, a financial institution is now expected to establish "risk management processes that are commensurate with the level of risk and complexity of its third-party relationships" — in other words, "arm's length" isn't a good enough excuse for a security breach. In addition, rules around "conflict minerals" are being tightened, meaning companies need hard data to prove where materials like gold or titanium are sourced and to demonstrate that operations adhere to all local and international supply regulations. At best, poor compliance and visibility slow global supply chains to a crawl as regulatory headaches prevent the movement of raw goods. At worst, entire chains collapse under their own weight.
Beyond partner connections and evolving legislation lies the essential framework of any digital supply chain: software. On average, two-thirds of the software used by an enterprise comes from third parties, and of that software, Veracode's State of Software Security report shows that 62 percent fail basic security standards, and 90 percent fail to comply with the OWASP Top Ten. It gets worse: technology news site V3.co.uk notes that according to a study by security firm Secunia, 86 percent of security vulnerabilities reported in 2013 existed on third-party apps. The result is a simple trail for hackers to follow, especially when servers and networks aren't within reach. Think of these as correlated variables: greater distance requires improved supply chain security.
To manage the threat of global supply chain breaches, two best practices emerge. The first is developing a real-time, working knowledge of all third-party connections and applications linked to your enterprise. This is a daunting yet necessary task: compliance lawmakers are no longer willing to accept "arm's-length" arguments as a valid defense, so when violations occur, oversight due to ignorance or distance won't excuse them. Beyond knowledge is the second best practice: action. The sheer number of partner connections and third-party apps in use often makes such granular management impossible without the aid of an experienced vendor and a programmatic approach. You've seen it in other areas of IT compliance: ad-hoc, moment-of-crisis security solutions yield short-term results but can't deliver protection for an entire network. This is especially true at the global supply chain level, where the massive warren of resources, parts and manufacturing interconnections leads IT down the rabbit hole, desperately trying to solve one problem even as three others emerge.
Global supply chain security requires forethought, total network visibility and the benefit of a "monster in your corner" — that is, a provider able to assess and remediate poor access policies or badly written code entirely from the cloud. Bottom line? The supply chain is changing, and security can't stagnate.