Is Supply Chain Software Risky Business?

Keynote speakers, thought leaders and industry publications show no signs of slowing down when it comes to evangelizing the benefits of the supply chain’s digital transformation. With its promise to save you time and money, the market has exploded with cloud-based solutions, IoT devices and a legion of outsourced practitioners who can make all of your spend visibility and risk management dreams come true. But for all the benefits touted, what is often left out of the conversation is security, especially where third-party vendors are concerned.

The Path of Least Resistance

As attackers become cleverer in their approaches, they have shifted from attacking large organizations head-on to exploiting vulnerabilities in the third-party cloud software, apps and IoT devices those organizations depend on, either to implant malware in the software itself or to steal login credentials. “The challenge with supply chains is that they are multifaceted and there are many places where a hacker can enter,” says Brandon Curry, Senior Vice President with NTT Communications. Curry, who is also a Certified Ethical Hacker, frequently reports on trends in cloud and supply chain software security. He notes that the largest costs of a supply chain breach are legal and reputational, with software supply chain attacks costing an average of $1.1 million per attack globally.

Compromised software is one of the primary causes of supply chain breaches, and the damage isn’t limited to stolen customer credit card numbers or personally identifiable information (PII). Attackers are also looking to steal intellectual property, mine your customer base, counterfeit your product and take over your market share.


Stan Reimer, a Regional Vice President with NTT Communications and a security consultant, adds that software isn’t the only security threat organizations need to be vigilant about. “It’s not just cyber,” he warns. “If you don’t take into account the physical breach and virtual breach together, you’ll miss the target.” A physical breach could be an insider who installs malware for their own malicious purposes or on behalf of a rogue state. And the ubiquitous office copier? It also houses a lot of sensitive data. “It’s about where and how your data resides in your building,” he says.

Things get even thornier with applications and IoT devices managed by third-party vendors. “We’re seeing lots of cyber-attacks with smart buildings,” says Curry. With IoT devices collecting data from, and controlling, everything from thermostats to hand sanitizer dispensers, a patient and meticulous attacker has plenty of access points to choose from. According to Reimer, it all starts with coding: “If you didn’t start with security in mind, then you’ll have a problem.” Indeed, companies like Home Depot and Target found this out the hard way when attackers used credentials stolen from third-party vendors to get into their networks and reach sensitive data.

People, Process and Technology

So how can organizations balance securing the business against cyber-attacks with maintaining agility and speed to market? Curry insists that risk must be weighed against speed. “If you’re working with companies that meet compliance requirements and maintain compliance then it allows agility because it establishes trust. But if the goal is to move faster, you must ask yourself: at what risk?”

Changing an organization’s culture and mindset toward security won’t happen overnight. All too often it happens only after a major breach has been publicized, costing millions of dollars that proper training and education could have saved. “Technology alone will not solve the problem,” says Reimer. “It’s a three-legged stool: people, process and technology.” The three together bolster an organization’s security posture. For example, training employees to recognize social engineering schemes, such as malicious links in emails, combined with tooling that flags suspicious messages, will go a long way toward preventing a breach.

If your organization is short on resources, Reimer suggests developing a questionnaire to send to suppliers and vendors to determine whether their due diligence procedures are adequate, and incorporating security requirements into any contracts with third-party vendors and suppliers. The bottom line is that you shouldn’t do business with companies that don’t have the same security policies and procedures that you have, or expect to have.

Digital transformation holds a lot of promise, especially when it comes to minimizing redundancies, improving visibility and modernizing the way business is conducted, but it’s not without risk. Protecting the organization isn’t just IT’s job; everyone in your organization has a role to play. Keeping your staff trained, informed and up to date on third-party risk management best practices empowers them to be better advocates for a more secure organization.