With the pandemic, many companies have had to loosen their restrictions on remote work, and that has unleashed havoc on many industries, particularly those that depend on a supply chain of partners, such as manufacturing. This is leading to an uptick in attacks. In fact, new research shows four in five firms have had a cybersecurity breach caused by a third-party vendor.
The findings, which cover several verticals including manufacturing, healthcare, utilities, and energy, come from BlueVoyant. The company operates in three major business areas: professional services, where it does incident response and consulting; a managed security service business, where it defends companies from the inside; and threat intelligence, which encompasses its third-party cyber risk services.
Jim Penrose, chief operating officer, BlueVoyant, says, “I think everybody, including in the manufacturing area, needs to be kind of on guard for this and come up with a plan to operationalize this program and make it less kind of periodic, point-in-time, and much more continuous, on a day-to-day basis.”
The cybersecurity company found that organizations are experiencing a range of challenges when it comes to managing security across the supply chain. Here are just a few of them:
- 29% of organizations say they have no way of knowing if cyber risk emerges in a third-party vendor.
- Less than 22.5% monitor their entire supply chain.
- The average headcount in internal and external cyber risk-management teams is 12.
Digging specifically into manufacturing, Penrose explains that two different kinds of situations occur. First, the attacker wants to gain access to the manufacturer in order to steal critical data, intellectual property, and things that are being invented. He points to the example of Honda America, whose local operations were shut down due to ransomware activity.
The second involves the supplier: it might simply be that the parts stop showing up for assembly. That is attributed to a supplier that has had a disruption, such as ransomware or something else in its IT infrastructure, that leaves it unable to fulfill the business requirements of its contract.
“So when I think of the situation, I know it seems like a really big problem and it can be very daunting, but what we should do is just eat the elephant one bite at a time and work down the kind of prioritized list of the things that these threat actors are going to generally target,” he explains. “They’ve got endpoints they’re going to go after, right? If you think of, how do they feed the world? They might see the primary target, but they’re not going to have tunnel vision on the primary target. If they’re hard to get access to because they’ve got a good security team and they get all the vulnerability management and all those things, they’re going to turn their gaze to the companies to their right and left, the suppliers, right? And figure out, can they gain access to one of those trusted parties and then buy their way in?”
So what’s the solution? First of all, different industries have different needs, so a cyber risk-management program needs to be a mix of approaches. The research shows many organizations are evolving toward a data-driven strategy, with supplier risk data and analytics in use by 40%. However, static, point-in-time tactics such as on-site audits and supplier questionnaires remain common.
In my conversation with Penrose, he breaks it down further into two parts: a private-sector enterprise solution and a government one. Let’s turn to the first. Big companies have cyber risk-management programs, and they generally focus their efforts on tier-one suppliers, but he suggests you need to look at a larger group in your ecosystem of suppliers and vendors. Larger companies, he continues, are going to take care of themselves; it is the smaller companies, the ones with a single IT person and perhaps no security person at all, that need actionable information, telling them about the Windows file share (SMB) or the exposed database that is still reachable from the internet after all these years.
Turning to the government side, he says there might be a way to work with government to provide insight and actionable details to people in smaller organizations that carry risk; at the end of the day, it is all a matter of priority, time, space, and money.
Further, he explains that compliance activities are not going to solve this problem. It really does need to be operationalized, and you need a means and a mechanism to engage with suppliers to drive risk out.
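What “operationalized” and “continuous” look like in practice is a check that runs on every supplier, including those beyond tier one, on a schedule, and that tracks each exposure from the run that first saw it until the run that sees it closed, rather than a one-off questionnaire or audit. The script below is an added example written for this article; it is not BlueVoyant’s tooling and is not code from the page. The supplier names, the RFC 5737 test addresses, the two “weekly” scan results and the port-to-severity table are all constructed assumptions standing in for a real supplier inventory and a real scanner or attack-surface feed.

```python
"""Minimal continuous third-party exposure monitor (added example, not the
article's or BlueVoyant's code). Each run takes the internet-exposed ports seen
per supplier host, turns the risky ones into findings, and diffs them against
the previous run so a finding carries a first-seen date until it is closed."""
from dataclasses import dataclass
from datetime import date
import socket

# Services that should essentially never face the internet at a supplier.
# The severities are this example's own assumption, not a published scale.
RISKY_PORTS = {
    23: ("Telnet", "high"),
    139: ("NetBIOS session", "high"),
    445: ("SMB (Windows file sharing)", "high"),
    1433: ("MSSQL", "high"),
    3306: ("MySQL", "medium"),
    3389: ("RDP", "high"),
    5432: ("PostgreSQL", "medium"),
    9200: ("Elasticsearch", "high"),
    27017: ("MongoDB", "high"),
}


@dataclass(frozen=True)  # frozen so a Finding can key the state dict across runs
class Finding:
    supplier: str
    tier: int
    host: str
    port: int
    service: str
    severity: str


def probe_host(host, ports=RISKY_PORTS, timeout=1.0):
    """Live TCP connect check for real runs (requires network; not used in the
    constructed sample below). Returns the subset of `ports` that accepted."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                open_ports.append(port)
            except OSError:
                pass
    return open_ports


def assess(suppliers, observed):
    """suppliers: {name: tier}; observed: {(name, host): [open ports]}.
    Emits one Finding per risky port, regardless of supplier tier."""
    findings = []
    for (name, host), ports in observed.items():
        for port in ports:
            if port in RISKY_PORTS:
                service, severity = RISKY_PORTS[port]
                findings.append(Finding(name, suppliers[name], host, port, service, severity))
    return findings


def diff_runs(previous, current, today):
    """previous: {Finding: first_seen date}. Returns (state, new, resolved):
    state keeps the original first-seen date for anything still open."""
    state, new, resolved = {}, [], []
    for f in current:
        if f in previous:
            state[f] = previous[f]
        else:
            state[f] = today
            new.append(f)
    resolved = [f for f in previous if f not in state]
    return state, new, resolved


def prioritized(state, today):
    """Work list: highest severity first, then the longest-open finding, then
    the closest tier. Age is what a point-in-time audit never shows."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(state, key=lambda f: (rank[f.severity], -(today - state[f]).days, f.tier))


def sample_run():
    """Two constructed weekly runs (example data only): AcmeCastings keeps SMB
    open, BoltCo closes RDP, and tier-3 WidgetWorks newly exposes MongoDB."""
    suppliers = {"AcmeCastings": 1, "BoltCo": 2, "WidgetWorks": 3}
    last_week, this_week = date(2020, 9, 1), date(2020, 9, 8)
    prev_obs = {("AcmeCastings", "203.0.113.10"): [80, 443, 445],
                ("BoltCo", "198.51.100.7"): [443, 3389]}
    cur_obs = {("AcmeCastings", "203.0.113.10"): [80, 443, 445],
               ("BoltCo", "198.51.100.7"): [443],
               ("WidgetWorks", "192.0.2.44"): [22, 27017]}
    previous = {f: last_week for f in assess(suppliers, prev_obs)}
    state, new, resolved = diff_runs(previous, assess(suppliers, cur_obs), this_week)
    return state, new, resolved, prioritized(state, this_week)


if __name__ == "__main__":
    state, new, resolved, ordered = sample_run()
    for f in ordered:
        print(f"{f.severity:6} {f.supplier:13} tier {f.tier} {f.host}:{f.port} "
              f"{f.service}, open since {state[f]}")
```

The point of the diff is the first-seen date: a tier-one supplier’s SMB share that has been open for weeks outranks a brand-new finding of the same severity, and a supplier that closed its RDP port drops off the list without anyone having to re-send a questionnaire. In a real deployment the constructed `prev_obs`/`cur_obs` would come from `probe_host` or an external exposure feed, and the output would be what gets sent to the supplier’s lone IT person.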
“So ultimately operationalizing it, using the capabilities of the tech companies in America and cybersecurity companies in America to kind of be one that spearhead it, to show how to operationalize it, and expand the view beyond a small group of Tier One suppliers to a larger portion of the ecosystem,” he says. “That’s the secret sauce here that we have to apply to kind of improve ourselves, and then I think have America step forward and lead the way globally.”