A little over 50 years ago, on July 20, 1969, humans first landed on the moon. Among the many amazing feats involved, it took just over eight years from the time President John F. Kennedy issued his famous challenge for the American space program to Neil Armstrong coming down the ladder with a small step and a giant leap. Critical to that success was a strong supply chain that could stand up to global scrutiny and extreme time pressure. Today, you can apply the same attitude to supply chain cybersecurity.

And, you can manage supply chain disruptions by putting supply chain cybersecurity best practices in place. But, planning ahead is key. And, working ahead to find out who are company decision-makers and how to get approval up the chain saves precious time and helps you remain calm under pressure.

How to Cut Down on Cybersecurity Supply Chain Risks

Whether your supply chain is directly targeted or a link in your chain is the target, the impact is usually the same. In both cases, resisting the attack is your shared goal. So, taking these prudent steps will give you confidence that your supply chain cybersecurity is solid, and you’ll know how to recover from a hit to one or more critical suppliers. 

1. Select Vendors With Care

The first step is selection and inventory. Inserting the supply chain cybersecurity function into the vendor selection process provides value in two ways. First, the security team can help surface critical issues as selection criteria. Second, the security team is aware of that vendor’s role from the beginning of the partnership. You need to extend the same awareness to your existing vendors. Therefore, building an inventory of your current vendors completes this essential first step.

2. Assess Your Own Readiness

Equipped with your inventory, it’s time to move on to assessment. In this step, apply the same cyber resilience criteria you use to evaluate your own readiness to evaluate your critical vendors’ readiness.

To do this well, or even to do this at all, requires establishing a collaborative relationship with your counterparts. Both groups need to establish mutual respect and leverage the strength of the business partnership. Don’t let your team be boxed into the ‘security cop’ role; build on the partnership that the business units should be fostering.

This partnership will help in the next step, too — remediation. The other reason you want to be a partner and not the security cop is that security cops are often relegated to conducting an assessment that mirrors a compliance framework or questionnaire. While these are essential tools, we all know being compliant does not mean being secure. Compliance on paper is only slightly effective in reducing the impact of supply chain cyber attacks. A true team effort will hopefully lead to frank discussions about strengths and weaknesses.

Ransomware, for instance, continues to run rampant. You can help suppliers emphasize encryption for private data crucial to your operation or might invest in a solid backup scheme. This will both improve their supply chain cybersecurity posture and blunt the impact of a ransomware attack.

Going further up the value chain with your supplier, you might need to help them with their software development life cycle (SDLC). You should know their SDLC is not vulnerable to known attacks targeting code sharing repositories, such as the Octopus Scanner malware. Octopus Scanner is open source supply chain malware that targets Apache NetBeans and infected multiple GitHub projects earlier this year.

3. Boost Cyber Resilience 

Having completed your assessment, the next step is remediation. In this step, it is vital to build on the frank discussions you had about strengths and weaknesses and use them to bolster security on both sides. Use the strengths of both organizations to shore up both sets of weaknesses. Don’t assume it’s a one-way street where you dictate a solution. This way, you increase cyber resilience. Together, you are stronger than each of you are alone. After all, that’s the premise for your companies working together in the first place.

4. Have a Run Book Handy

The fourth and final step is to create a run book for incident response. A run book is more than just a phone number to call when work with this supplier is disrupted. The best practice would be to run through tabletop exercises with examples of supply chain attacks and practice responding together. This way, both of your teams know what to do when real incidents occur.

Another approach, for the really deep partnerships, would be to red team each other. Fair warning, though, even if your contract with the supplier includes the right to perform vulnerability scanning or penetration testing, do not do this without defining the test parameters in advance. This could create a problem that could damage your partnership.

Now that you have done the hard work in your four-step supply chain cybersecurity process, stay calm. The incident response plan for your supply chain is ready.

More from Incident Response

Tequila OS 2.0: The first forensic Linux distribution in Latin America

3 min read - Incident response teams are stretched thin, and the threats are only intensifying. But new tools are helping bridge the gap for cybersecurity pros in Latin America.IBM Security X-Force Threat Intelligence Index 2023 found that 12% of the security incidents X-force responded to were in Latin America. In comparison, 31% were in the Asia-Pacific, followed by Europe with 28%, North America with 25% and the Middle East with 4%. In the Latin American region, Brazil had 67% of incidents that X-Force…

Alert fatigue: A 911 cyber call center that never sleeps

4 min read - Imagine running a 911 call center where the switchboard is constantly lit up with incoming calls. The initial question, “What’s your emergency, please?” aims to funnel the event to the right responder for triage and assessment. Over the course of your shift, requests could range from soft-spoken “I’m having a heart attack” pleas to “Where’s my pizza?” freak-outs eating up important resources. Now add into the mix a volume of calls that burnout kicks in and important threats are missed.…

SIEM and SOAR in 2023: Key trends and new changes

4 min read - Security information and event management (SIEM) systems remain a key component of security operations centers (SOCs). Security orchestration, automation, and response (SOAR) frameworks, meanwhile, have emerged to fill the gap in these capabilities left by many SIEM systems. But as many companies have begun reaching the limits of SIEM and SOAR systems over the last few years, they have started turning to other solutions such as extended detection and response (XDR). But does this shift spell the end of SIEM…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…