A little over 50 years ago, on July 20, 1969, humans first landed on the moon. Among the many amazing feats involved, it took just over eight years from the time President John F. Kennedy issued his famous challenge for the American space program to Neil Armstrong coming down the ladder with a small step and a giant leap. Critical to that success was a strong supply chain that could stand up to global scrutiny and extreme time pressure. Today, you can apply the same attitude to supply chain cybersecurity.

And, you can manage supply chain disruptions by putting supply chain cybersecurity best practices in place. But, planning ahead is key. And, working ahead to find out who are company decision-makers and how to get approval up the chain saves precious time and helps you remain calm under pressure.

How to Cut Down on Cybersecurity Supply Chain Risks

Whether your supply chain is directly targeted or a link in your chain is the target, the impact is usually the same. In both cases, resisting the attack is your shared goal. So, taking these prudent steps will give you confidence that your supply chain cybersecurity is solid, and you’ll know how to recover from a hit to one or more critical suppliers. 

1. Select Vendors With Care

The first step is selection and inventory. Inserting the supply chain cybersecurity function into the vendor selection process provides value in two ways. First, the security team can help surface critical issues as selection criteria. Second, the security team is aware of that vendor’s role from the beginning of the partnership. You need to extend the same awareness to your existing vendors. Therefore, building an inventory of your current vendors completes this essential first step.

2. Assess Your Own Readiness

Equipped with your inventory, it’s time to move on to assessment. In this step, apply the same cyber resilience criteria you use to evaluate your own readiness to evaluate your critical vendors’ readiness.

To do this well, or even to do this at all, requires establishing a collaborative relationship with your counterparts. Both groups need to establish mutual respect and leverage the strength of the business partnership. Don’t let your team be boxed into the ‘security cop’ role; build on the partnership that the business units should be fostering.

This partnership will help in the next step, too — remediation. The other reason you want to be a partner and not the security cop is that security cops are often relegated to conducting an assessment that mirrors a compliance framework or questionnaire. While these are essential tools, we all know being compliant does not mean being secure. Compliance on paper is only slightly effective in reducing the impact of supply chain cyber attacks. A true team effort will hopefully lead to frank discussions about strengths and weaknesses.

Ransomware, for instance, continues to run rampant. You can help suppliers emphasize encryption for private data crucial to your operation or might invest in a solid backup scheme. This will both improve their supply chain cybersecurity posture and blunt the impact of a ransomware attack.

Going further up the value chain with your supplier, you might need to help them with their software development life cycle (SDLC). You should know their SDLC is not vulnerable to known attacks targeting code sharing repositories, such as the Octopus Scanner malware. Octopus Scanner is open source supply chain malware that targets Apache NetBeans and infected multiple GitHub projects earlier this year.

3. Boost Cyber Resilience 

Having completed your assessment, the next step is remediation. In this step, it is vital to build on the frank discussions you had about strengths and weaknesses and use them to bolster security on both sides. Use the strengths of both organizations to shore up both sets of weaknesses. Don’t assume it’s a one-way street where you dictate a solution. This way, you increase cyber resilience. Together, you are stronger than each of you are alone. After all, that’s the premise for your companies working together in the first place.

4. Have a Run Book Handy

The fourth and final step is to create a run book for incident response. A run book is more than just a phone number to call when work with this supplier is disrupted. The best practice would be to run through tabletop exercises with examples of supply chain attacks and practice responding together. This way, both of your teams know what to do when real incidents occur.

Another approach, for the really deep partnerships, would be to red team each other. Fair warning, though, even if your contract with the supplier includes the right to perform vulnerability scanning or penetration testing, do not do this without defining the test parameters in advance. This could create a problem that could damage your partnership.

Now that you have done the hard work in your four-step supply chain cybersecurity process, stay calm. The incident response plan for your supply chain is ready.

More from Incident Response

How I got started: Incident responder

3 min read - As a cybersecurity incident responder, life can go from chill to chaos in seconds. What is it about being an incident responder that makes people want to step up for this crucial cybersecurity role?With our How I Got Started series, we learn from experts in their field and find out how they got started and what advice they have for anyone looking to get into the field.In this Q&A, we spoke with IBM’s own Dave Bales, co-lead X-Force Incident Command…

How Paris Olympic authorities battled cyberattacks, and won gold

3 min read - The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions.In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.Cyber vigilance programThe Paris 2024 Olympics implemented advanced threat intelligence, real-time threat monitoring and incident response expertise. This program aimed to prepare Olympic-facing organizations…

How CIRCIA is changing crisis communication

3 min read - Read the previous article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis. When the Colonial Pipeline attack happened a few years ago, widespread panic and long lines at the gas pump were the result — partly due to a lack of reliable information. The attack raised the alarm about serious threats to critical infrastructure and what could happen in the aftermath. In response to this and other high-profile cyberattacks, Congress passed the Cyber Incident Reporting for Critical…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today