Supply Chain Risks and What to Do About Them
The rise in digital technology has been hugely beneficial for all kinds of businesses. It makes it easier for companies to build their own infrastructure on top of what other companies have already built, and can make organizations competitive in a fast-paced business world. But when you reply on networks and other companies’ systems, software, and services for operation, you leave yourself open to supply chain risks. These dangers are complex and constantly evolving, and they are a risk for even the most security-focused company.
See Top 5 Supply Chain Risks with Kevin Kumpf for a complete transcript of the Easy Prey podcast episode.
Kevin Kumpf is the Chief OT Strategist at Cyolo. He helps the company understand the people, process, and technology of their customers and build technology and platforms that meets their needs. He has over twenty years of IT security and compliance experience, including more than ten of those in cybersecurity and governance. In addition, he has worked in critical infrastructure like the energy, medical, manufacturing, and transportation industries. All of these are fields where cyber attacks and shutdowns could have huge, sometimes deadly consequences.
Kevin didn’t intend to end up in cybersecurity. He knew nothing about the field. But he wanted a change after owning his own organization for years. He was expecting it to be audit, compliance, and other Excel-heavy work. Instead, he ended up running IDS, IPS, and firewalls for a global bank. One thing that he thinks gives him an advantage is that he learned not by taking a certification class, but by trying things and seeing what worked and what didn’t. A key part of his current role is talking to customers and explaining that he’s been in their shoes before and now he’s here to help.
A Challenge of Speaking Up
Kevin spends a lot of time talking about cybersecurity issues, scams, and other risks and dangers online. One challenge of sticking your head up and being vocal about something is that sometimes it makes you a target. He’s had his credit card information stolen just like everyone else. Although these days, that type of financial fraud is extremely common. If you haven’t had your card information stolen at some point, consider yourself extremely lucky.
That’s not the only scam that has targeted Kevin, though. At one point someone forged his signature, went to his bank, and tried to put his house up for sale. He only found out about it because a Realtor showed up with a signed paper saying he wanted to sell. It most likely happened because Kevin had recently written an article about real estate and cybersecurity issues with the process. Someone decided to test if his mortgage company would fall for it, and they did. Sometimes when you stick your head up, you get hit; that doesn’t mean it’s not worth speaking up.
How the Supply Chain Works
When most people think of the supply chain, they think of shipping crates on boats moving physical products around the world. That’s one type of supply chain. But in the digital world, there’s also the digital supply chain. That’s a scenario where a company offers a service or makes a product, but they don’t create or manage 100% of the software and technological services they use themselves.
This is not necessarily a bad thing. If you run a plant that manufactures widgets, it makes much more sense for you to use an accounting software someone else developed or an order management software provided by a software company. After all, if you tried to develop all those software on your own, you’d never get around to actually manufacturing the widgets. Using these suppliers in your digital supply chain lets you focus on manufacturing widgets and leaves the order management software to the company that develops order management software.
Supply Chains Come With Supply Chain Risks
But having these other parties in your digital supply chain opens you up to supply chain risks. These risks happen when someone attacks a supplier who is “downstream” of you – either they provide a product or service you use or provide it to someone who provides something to you. Most people view supply chain risks as a third-party risk, but Kevin doesn’t like to call it that. That’s because the risks are often even further downstream.
Take your widget manufacturing plant that uses an order management software developed by another company. That company doesn’t make 100% of the software themselves, either. They probably use a cloud computing service. They likely use another company’s program or system to provide user management. It’s possible that they bought someone else’s software and built on top of it – and it’s just as possible that they didn’t make it at all, they are just an intermediary between the company that made it and your company.
Many … third parties aren’t even third parties. They say “I do this,” but … somebody else white labels the service for them or does it on their behalf.
Kevin Kumpf
How Supply Chain Risks Work
Your company integrates software from Company A. Company A’s software is built on a foundation provided by Company B. Company B’s infrastructure is managed by Company C. And so on down the line. This supply chain can be dozens of links long. Imagine if a hacker manages to breach Company G, seven steps removed from you, and insert some malicious code. That malicious code could travel all the way down the supply chain to affect your company.
What makes supply chain risks so dangerous is that they’re so hard to defend against. It’s not you being attacked – it’s a company you work with, or one that they work with, or even further down. Often companies aren’t aware of more than one link in their supply chain. It’s really hard to assess and mitigate risks when it’s almost impossible to get a full picture of every organization in your supply chain. And when data gets compromised for one company in your chain, that compromise ripples down to everyone else.
When data is compromised for one [supplier], it has a ripple effect to the other ones.
Kevin Kumpf
Mitigating Supply Chain Risks
Supply chain risks are a huge danger to companies, and they’re more challenging to manage than if an attacker was just targeting your company. But that doesn’t mean it’s impossible to defend yourself and your organization against supply chain risks. There are steps you can take to be more prepared and reduce the impact of compromise.
Baseline
This is Kevin’s number one tip for identifying and mitigating supply chain risks. Baseline, baseline, baseline. Look at what the baseline for things are in your industry. This could be your own people, processes, or technology, or someone else’s. But you need to know where your eyes and nose are, where your interaction points are, which systems talk to which systems, and what data is being exchanged.
You also need to baseline normal performance for every area. What should everything look like when things are working smoothly and there are no problems? If you don’t know what’s normal, you won’t be able to spot when it’s abnormal. You also need to know who is responsible for what. If there’s malware in a particular system and you’ve determined you haven’t been breached, you need to know which supplier to hold responsible. If you don’t know the baselines and who’s responsible, you’ll never be able to properly assess your risks or take the necessary security posture.
Kevin was once hired to help an organization with their multi-cloud environment. He had been told that when any instance gets up to 85%, it kicks off another instance. On his first day, he asked to just sit and watch the environmental parameters and system performance for a bit. He noticed that two instances were up to 97% – far above the 85% baseline. He and the team lead investigated. It turned out that there was crypto mining malware in those instances. Knowing baselines helped identify that malware was there. Once they knew it was there, they could get rid of it and figure out how it got in.
Understand Your Data
Another step to reducing your supply chain risks is understanding where your data, or other components or information, fits into your business process. It’s key to know how critical that information is. Consider how important it is right now. But also consider what would happen if you somehow lost access to it tomorrow.
The key point is knowing how critical that information is not only to your business at this moment in time, but if it went away tomorrow.
Kevin Kumpf
Your smartphone is a great microcosm of a supply chain. It’s important to you, and you put a lot of valuable and important information on it, but you don’t really have control over it. Imagine you wake up tomorrow and your phone just refuses to turn on. Do you know what’s on it? If a major glitch wipes all its information, or someone steals it, or it falls in a lake, what would you lose? Some people think that they can just recover it through the network, but what if the network can’t do that? You have to treat yourself as “the network.” Supply chain risk management for your smartphone would be making sure that even if your phone was destroyed right now, you can just walk into a store, get a new device, and not lose anything important.
The same is true in business. Know what data you need to make your organization function. Then put systems in place so that even if all that data was deleted or destroyed tomorrow, you would still be able to operate.
Don’t Put All Your Trust in the Systems
Kevin can guarantee that his wife has accounts where she doesn’t know the login information, doesn’t get statements, and only knows the bill is paid because it notifies her. But if that auto-pay system stops working, or that notification doesn’t come in, that’s a supply chain problem. If the ecosystem is a bunch of systems working together, what kind of risks come in when something breaks or is compromised?
Trusting the systems without knowing how they work and what’s involved opens you up to a huge amount of supply chain risks. One real-world example is from Kevin’s time in the banking industry. A disgruntled employee was about to retire. This bank had mainframes with various jobs scheduled to run every week. The code hadn’t been touched in twenty years. Before he left, the employee modified that code and changed how the mainframes ran payroll.
The next time payroll ran, the checks were very different amounts. Senior leadership got nothing; lower-level employees got all different amounts. Nobody checked the system because it had always worked. By the time someone figured out that it was wrong, the checks had already gone out. Nobody knew how to fix it because the disgruntled employee was the one who wrote the code for the mainframes, and he was already retired and moved to the South Pacific.
The bank trusted the system completely. That became a problem when the system no longer worked as planned. You need to have a way to find out if something breaks or stops working how it should. That can avoid these types of risks.
Dealing with Supply Chain Risks When the Problem Isn’t Yours
Dealing with supply chain risks and dangers can be a challenge. It’s especially difficult if you’re doing your job, your partner company is doing their job, and the compromise is multiple links away but still rolling down into your company. Everybody thinks a third-party risk assessment will help. But many people in security have done those and reported that they shouldn’t trust a particular company, only to be told that they’re the only supplier available or there’s already a contract in place, so they should all pretend they didn’t do a risk assessment.
Kevin tells people if you want a long-term job in industry from a cybersecurity perspective, get good at contract review. If you’re farming out a service, you need to know where that service is. And it’s the things that you don’t ask in a contract or assume are implied are the things that cause the biggest supply chain risks.
What does this potential partner company do in their environments? Do they share data? What data is being shared and where? What third parties do they use to do what they do? Who owns the code they’re creating for you or your applications? What are they resourcing or outsourcing? What is their system redundancy plan if something happens? All of these answers should be in the contract but often aren’t.
Data is Everywhere
There’s the new world of IoT, the Internet of Things – but Kevin prefers to call it the Internet of Threats. If you look at the devices out there now, third-party data is going out that nobody knows about. Big cloud providers are starting to collect diagnostics and sell data. We’re going to see even more data out there.
You may be asking, where do supply chain risks come into that? Say all the lights in your facility are being managed remotely by a provider optimizing them for energy efficiency. Suddenly, all the lights in your facility go off. It’s not because somebody flipped the wrong switch. Somebody breached the provider, because in this situation, the supply of light is supply chain.
Whether you’re an end user, small business, or a Fortune 500 company, you can’t imagine how many devices, hardware, chunks of code, apps, and more are sitting in places that people don’t think about or don’t know exist. There was a recent news article where a man started looking at what was using so much of his home’s bandwidth, and it was one of his appliances. There’s most likely not anything in the agreement that says it can’t do that. What’s your option now? Take that appliance back?
It’s almost implied now that you are feeding the global supply chain of data, whether you want to or not, and yet asking what that data would be is impossible.
Kevin Kumpf
Working with Your Partner Companies
It’s extremely important to work with the third-party companies your organization works with to understand the important data and components that go into your process. Build a bridge. Yes, there’s the legal terms in a contract, and you shouldn’t skip that. But also come together and say that you trust them enough to make them your partner, but things are going to happen. When they do, you want to be able to work together with them to resolve the issue, restore them, and keep you up and running.
That’s where teams come in. If you keep your partner companies at arms’ length, with a mindset that you can’t trust them, that’s where a lot of problems begin. You have to open doors to each other. Technologically, a lot of the doors are open. But they are open in an uncontrolled, sometimes unintentional way. Find a way to connect on the human side.
Supply Chain Risk Numbers Everyone Should Understand
Zero day supply chain attacks are on the rise. We’ve had 3,205 attacks this year, which is 72% over the previous record. But on the other side of the coin, the number of individuals actually breached is down from 425 million to 353 million. But that’s still nearly half a billion people.
We’re seeing more exploits with a deep understanding of the core technologies and how to use protocols, ports, and services. It’s also easier now to tune up firewalls and other security technology to look for specific types of attacks. The problem is that people don’t know their baseline. If you don’t know what’s normal, you’re not going to be able to identify what’s abnormal. That’s where supply chain risk management needs to start.
You can find Cyolo online at cyolo.io. You can connect with Kevin Kumpf on LinkedIn.
Related Articles
- All
- Easy Prey Podcast
- General Topics
- Home Computing
- IP Addresses
- Networking Basics: Learn How Networks Work
- Online Privacy
- Online Safety
Passkey Security is the Future of Account Access
Phishing and account breaches have been a problem for years, and it’s not going away. In fact,…
[Read More]A Cybersecurity Framework for Protecting What Matters
The world of online threats is ever-changing. Sophisticated phishing, AI-powered attacks, and more are making it ever…
[Read More]There’s No Such Thing as a Safe Account
You get a call from your bank’s fraud department. There’s been fraud on your account – a…
[Read More]What to Do if a Loved One Lost Money to a Scammer
Scams and scammers are everywhere. Even if you haven’t personally been caught in a scam, you probably…
[Read More]Identity Crimes: Impact and Recovery
It’s not just identity theft anymore. Criminals have expanded to a whole range of identity crimes. And…
[Read More]How to Set (and Achieve) Good New Year Resolutions
It’s the time of year when people start thinking about New Year resolutions and making changes in…
[Read More]