When companies think about security, they most often think of securing their networks, software, and digital assets against cyber attacks and data breaches. But the supply chain - whether a traditional manufacturer or service provider's supply chain or the "data supply chain" relied on by most large companies - is also vulnerable to security risks, as has been seen in a litany of major data breaches via third parties.

Practically every company has a place in the supply chain, and supply chains are evolving to be as much about the flow of information as they are about the flow of goods and services. Thus, it comes as no surprise that supply chain security is a highly complex, evolving function, and it's one that security pros and business executives are giving more attention as the risks facing information throughout the supply chain become increasingly obvious.

Supply chain security is every company's responsibility. The supply chain as a whole is only truly secure when all entities throughout the supply chain carry out effective, coordinated security measures to ensure the integrity of supply chain data, the safety of goods, and the security of the global economy. To find out what tactics and methods companies can utilize to enhance the security of their supply chains and contribute to global supply chain security, we asked a panel of security experts and supply chain professionals to answer this question:

"What steps should companies take to secure their supply chains against cyber attacks/data breaches?"

Read on to discover what experts say about the most effective security tactics for securing the supply chain.

Meet Our Panel of Security Experts and Supply Chain Professionals:

Ondrej Krehel Chadd Carr Chris Roach Daniel Cohn Steve Durbin Andrew Ostashen Aviv Raff Linda McConkey

Rob Pate Braden Perry Avi Freedman Satwant Atwal Lewis Daniels Adrienne Johnson David Kruse Mike Baker

Scott Sobel Sonal Sinha Kelly Bell Tunio Zafer Bill Ho Vadim Vladimirskiy Steven J.J. Weisman, Esq.

---

Ondrej Krehel

@LIFARSLLC

Ondrej Krehel, CISSP, CEH, CEI, EnCE, is the founder and principal of LIFARS LLC, an international cybersecurity and digital forensics firm. He's the former Chief Information Security Officer of Identity Theft 911, the nation's premier identity theft recovery and data breach management service. He previously conducted forensics investigations and managed the cyber security department at Stroz Friedberg and the Loews Corporation. With two decades of experience in computer security and digital forensics, he has launched investigations into a broad range of IT security matters, from hacker attacks to data breaches to intellectual property theft. His work has received attention from CNN, Reuters, The Wall Street Journal, and The New York Times, among many others.

"This is extremely important and often overlooked. It's always recommended to request all third-parties..."

To be certified to a compliance standard that you need to meet and/or to standards they need to meet.

In retail, that would be PCI-DSS - this will ensure that at least a certain level of data security is being met. It will not guarantee maximum security of the data, but it does show that the supplier is focused on security.

In healthcare: HIPAA - ensures protection of Protected Health Information - such as medical records.

In military: ITAR - International Traffic in Arms Regulations. In addition to military technology, these regulations apply to sensitive and protected military information.

There are many other information security compliance standards that may apply to your suppliers depending on the industry and the specific area of focus.

In addition, if it is within budget, I recommend calling a third-party audit on their security to truly ensure they are compliant.

---

Chadd Carr

@chadd_carr

Chadd Carr is the Director of PricewaterhouseCoopers (PwC) National Cyber Threat Research Center. As a former Special Agent with the Air Force Office of Special Investigations, Chadd has over 18 years’ experience in cyber security, network intrusion investigations, computer forensics, and information operations expressly related to the financial services sector. As a Director with PwC, he oversees PwC's Cyber Threat Intelligence services, servicing both national and international clients, throughout all sectors.

"There are a few steps steps should companies take to secure their supply chains against cyber attacks and data breaches..."

1. Companies should consider defining reasonable levels of security and associated controls; requiring sub-contractors, vendors, and critical supply chain partners to meet or exceed those standards as terms and conditions of established business agreements.

2. Companies should consider adding vendor-identifiable information to any existing cyber threat intelligence activities to identify instances of emerging threats or active attacks. Threat actors may compromise a lesser-defended vendor network identified as having access to the principal enterprise network. Awareness of these activities would allow the parent company to initiate countermeasures before the threat actor has the opportunity to move laterally onto their network. Cybersecurity, much like life, requires collaboration.

---

Christopher Roach

@cbz

Christopher Roach is the Managing Director and National IT Practice Leader at CBIZ. Chris is an IT expert who offers cybersecurity solutions to clients nationwide.

"When dealing with your supply chain in a B2B relationship you are able to be more prescriptive as to how..."

You interact with members of your supply chain and what security measures you are expecting to maintain. When working with a supply chain vendor's organization, assess the vendor's cybersecurity risk for sharing data, interfacing networks/systems and establishing access to networks/systems. Areas being looked at include:

• Conducting vendor risk assessments - To mitigate your vendor-related risks, organizations should conduct a thorough, annual vendor risk assessment and perform the necessary due diligence with third-party relationships. Due diligence can help you identify what the vendor might require in terms of controls and monitoring.
• Defining data ownership/stewardship requirements - Who maintains ownership of data being shared and what is acceptable use of that data?
• Defining regulatory compliance requirements - Are there regulatory requirements that need to be met and maintained by both parties? Be able to monitor compliance.
• Maintaining incident response plans - Both parties need to have a plan to notify the other if their network, systems or data have been compromised or a compromise is suspected.
• Requiring SSAE 16 SOC Reports - Service organizations should maintain SOC 2 Type 1 & Type 2 reports, based on applicable guiding principles (i.e., Security, Availability, Processing Integrity, Confidentiality, or Privacy).
• Information and Communication - Written communication plans that address what information is distributed to whom are highly recommended. Third parties involved with your organization's IT security should be considered part of this communication plan, and your organization should be part of theirs, as data breaches on their end could affect your data.

Organizations often follow good security practices including:

• Monitoring vendor access to networks and data.
• Establishing boundaries and limiting access to those boundaries.
• Monitoring and logging vendor access and reviewing logs on a regular basis.
• Training employees on the cyber risk specific to your supply chain environment.
• Control activities - internal controls are essential to the effective operation of all organizations. Control activities are the policies and procedures designed by management to protect the organization's objectives and goals from internal or external risks. Some common and important cyber risk control activities are logical security, change management, mobile devices and wireless acces controls, backups, monitoring of third party providers and cloud services.
  • Logical security controls help make sure that one person does not have too much power or influence over your organization's cybersecurity.
  • Change management controls can regulate updates and other modifications that go into production.
  • Mobile device and wireless access need controls to protect them from unauthorized access.
  • Backup controls should also be in place to protect your data backups. Your organization needs to know what is backed up and where it is being stored, be it a data center, third-party provider or cloud provider. Backup controls to implement include real-time notification and resolution of backup failures, off-site back up and replication and periodic restores.
  • Whenever you are working with a third-party service provider, you also need to make sure your organization is knowledgeable and involved in the provider's disaster recovery plan.

---

Daniel Cohn

@CohnAtlanta

Daniel Cohn is the president and founder of Cohn Consulting Corporation in Atlanta, GA. Daniel has a Computer Science degree from RPI College in Troy, NY and developed an extensive knowledge of communications, PC's and servers and networking systems in his work as an IBM systems engineer. He founded Cohn Consulting Corporation in 1993, delivering Fortune 100-class consulting and services to the small and medium business marketplace.

"Supply chains can be secured by addressing three key areas..."

Codified policies and legal agreements; defined limited access with monitoring and auditing; and robust internal IT security technology and policies.

Policies and Agreements: Companies first and foremost must ensure that any supply chain vendors have security policies and procedures that are codified, validated and certified. Validation and certification can be verified through legal certifications like HIPAA Business Associate Agreements or accredited auditor reports like a PCI Audit. Furthermore, the validity and reliability of security measures can be verified through in-house or third-party testing of systems and procedures. Contracts between companies and their relevant vendors should be drawn up to clearly outline the access and use guidelines so as to accurately allocate liability in the case of breach. These agreements should also require supply chains to notify vendors or partners of breaches in a timely manner so as to prevent further invasion or hacking of business data.

Limited Access: Additionally, security can be strengthened even further by establishing a system of limited network access for relevant vendors. Access should be as restricted as much as possible and checks and balances should be put in place to maintain this restriction. Any access by supply chain vendors or partners should be monitored and audited to ensure the appropriate nature and extent of use. As relationships with different businesses and partners will vary, there is no 'one size fits all' solution and levels of access will differ. Therefore, all stakeholders for those systems need to be involved in setting up the appropriate mechanisms of security, access, monitoring, auditing and management. There must also be consideration made for the fact that establishing network access for vendors can't be handled using a 'set it and forget it' approach. Security mechanisms should be regularly and continually reviewed to determine areas of weakness and implement necessary changes.

Internal Security: Finally, businesses themselves must employ responsible, proactive and defensive IT strategies consistently. This includes standard IT solutions like antivirus, anti-spyware and firewall technologies but it must go further than that. Advanced IT technologies including DNS filtering, network access control and exception altering are incredible assets for secure and thorough protection. Intelligent business continuity systems should be implemented to allow for an efficient and full recovery in the event of any kind of breach. Intelligent business continuity solutions include both local and cloud-based imaging back-up solutions and the ability to reinstate systems to a point prior to the breach so as to efficiently restore business functionality.

Implementing proactive, extensive and validated IT security solutions and establishing clear and limited access guidelines for supply chain vendors are a company's greatest defense against cyber attack. Ensuring these defense mechanisms are in place and continually monitored is critical to the protection of both business and vendor data and continued productivity.

---

Steve Durbin

@stevedurbin

Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

"When I look for key areas where information security may be lacking, one place I always come back to is the..."

Supply chain. Businesses are increasingly concerned about managing major supply chain disruptions, and rightfully so.

Supply chains are a vital component of every organization's global business operations and the backbone of today's global economy. However, security chiefs everywhere are concerned about how open they are to an abundance of risk factors. A range of valuable and sensitive information is often shared with suppliers and, when that information is shared, direct control is lost. This leads to an increased risk of its confidentiality, integrity or availability being compromised.

Security is only as strong as its weakest link. Despite organizations' best efforts to secure intellectual property and other sensitive information, limited progress has been made in effectively managing information risk in the supply chain. Too often, data breaches trace back to compromised vendor credentials to access the retailer's internal networks and supply chain. Mapping the flow of information and keeping an eye on key access points will unquestionably remain crucial to building a more resilient information system.

Organizations need to think about the consequences of a supplier providing accidental, but harmful, access to their corporate data. Information shared in the supply chain can include intellectual property, customer-to-employee data, commercial plans or negotiations and logistics. Caution should not be confined to manufacturing or distribution partners. It should also embrace professional services suppliers, all of whom share access, often to your most valuable assets.

To address information risk in the supply chain, organizations should adopt strong, scalable and repeatable processes – obtaining assurance proportionate to the risk faced. Supply chain information risk management should be embedded within existing procurement and vendor management processes.

The time to make supply chain security enhancements a priority is now. A well-structured supply chain information risk assessment approach can provide a detailed, step-by-step approach to portion an otherwise daunting project into manageable components. This method should be information-driven and not supplier-centric, so it is scalable and repeatable across the enterprise.

---

Andrew Ostashen

@VulsecLLC

Andrew is co-founder and principal security consultant at Vulsec, LLC, a Boston-based firm established to provide clients with the highest methodologies in data protection by delivering versatile tactics to safeguard information technology departments from hackers.

"To avoid being hacked, owners of businesses of any size should look at their supply chains in the context of..."

Understanding where their sensitive data is stored and how data flows within the infrastructure to identify and understand a breach. They should also recognize the following steps:

1. Be able to answer: "Is my organization currently breached?" by having proper insight into possible attacks against your infrastructure.

2. Run Continuous Vulnerability Assessments against servers, workstations, and networking equipment to ensure risks from vulnerabilities are mitigated.

3. Conduct Social Engineering Assessments (remote and physical) against employees and any representatives who might work outside of the company but within your supply chain and implement proper training.

4. Ensure Bring Your Own Device does not increase corporate risk; reduce this risk with Mobile Device Management, Mobile Threat Protection Mechanisms, and policies.

5. Conduct Enterprise Risk Assessments to ensure an Information Security Program, deployed technology, and employees are all in sync and working properly.

6. Make Information Security have a seat of power on the Board of Directors to help with the planning and implementation of the Information Security Program.

7. Implement honeypots, or traps, around your infrastructure to trap a malicious attempt before it reaches your CDE networks or breaches critical assets.

8. Implement Threat Intelligence into the infrastructure to catch propagating malware, data exfiltration, and unauthorized access attempts before they cause damage.

9. Be aware of your organization's external infrastructure which is the gateway into your internal network from people around the world. Reduce servers and services while increasing security measures like Web Application Firewalls and Distributed Denial of Service absorption techniques.

10. Keep Secure Architectural Engineering at the forefront of your organizations' mindset when implementing technology, training users, and expanding offices.

---

Aviv Raff

@avivra

Aviv is the Co-Founder and CTO of Seculert, an attack detection and analytics platform. He has over 10 years of experience in leading software development and security research teams. Aviv has published several pioneering security research articles, and is a frequent participant and requested speaker at information security conferences worldwide.

"With recent breaches, companies now starting to understand that their supply chains have become..."

Their weakest link. In order to address this problem, companies should apply similar security methodologies that they use in order to protect their own infrastructure. Of course, there are some limitations, but this is still possible. The first step is to gain visibility. For example, map all the different assets that the suppliers are using within the company, and/or have access to in a secured (or insecured) manner. The second step is to introduce or improve controls. Most companies already have some controls in place around the assets that involve the supply chain. The company should improve those controls to address access of an external entity with higher risk (the supplier), or introduce new controls around those assets if they do not exist. The last step is incident response. Companies should realize by now that eventually security incidents will happen. They must include steps and workflows within their incident response process that involves their supply chain. For example, what happens if the source of the leak is the supplier? What should we do if the compromised asset belong to the supplier? etc.

---

Linda McConkey

Linda McConkey, Managing Director, O'Keefe, focuses on serving a diverse group of clients in the Business Optimization and Technology Services space. She leads client service teams delivering enterprise risk management, implementations, program and project manag ement solutions, risk and governance projects, and integrated IT audits.

"A data breach involves the confirmation that data has been disclosed to an unauthorized party. The time to compromise on confirmed breaches is..."

Days or less, as speed is one the attacker’s strongest weapons. Preparing for cyber-attacks is a constant and evolving function. New vulnerabilities are generated daily, and a disciplined approach to managing them is needed – to remediate older known vulnerabilities and to mitigate vulnerabilities when an identified vulnerability cannot be resolved due to process constraints, patch unavailability, or defined incompatibilities.

The supply chain contains arguably greater risk for attacks due to the volume of external supply chain partners to which components of the systems are accessible, share data, and transact business. The end-user can still be easiest mechanism for malware to be brought into the ‘system.’ Detection and response solutions that enable the identification of ‘good’ vs. ‘bad’ traffic, anomaly detection, and predictive failure analyses allow the organization to potentially detect and more efficiently respond to cyber-attacks that signature-based solutions can miss.

Threat prevention is a constantly evolving industry itself with a wide range of new security, protection, and detection solutions. The challenge is to identify the set of products that can function well together across prevention, detection, and response. Threat detection service providers assist in identifying better-fit solutions for the supply chain to make sure not only internally but across their supply chain ‘members’ are following best practices in cyber security.

---

Rob Pate

@Cloudburstsec1

Rob Pate is Executive Vice President of Cybersecurity and Strategic Development at Cloudburst Security. He was recognized as a top Federal 100 executive for his contributions to government IT. Pate founded GFIRST, led the US-CERT situational awareness program (a.k.a. Einstein), and managed the federal government's CISO Forum. He actively participates and has held leadership positions on various boards, such as the Infragard National Members Alliance; Internet Security Alliance; ITSEF; and NCSA. Pate holds a degrees in Mathematics from UNC-Chapel Hill, and has done graduate work at Johns Hopkins, Stanford, and Georgetown--where he completed their Senior Executive Leadership Program.

"Supply chain attacks pose a serious threat to all organizations and need to be considered as..."

Part of your overall risk strategy. Here are four basic steps that you should take to better improve your supply chain security:

1. Always be diligent about conducting background checks and detailed screenings as a part of your organization's hiring practice.

2. Don't ever think that a supply chain security breach couldn't happen to your organization. Be proactive and understand your geopolitical environment. This will help you to understand organizations that may be motivated to cause harm or seek access to your resources.

3. Your organization is only as secure as it's weakest link. Know your vendors, suppliers, and partners. Then, take reasonable steps to verify their security practices and procedures.

4. Implement a robust, centralized governance process for IT procurements. Limit the number of people who are authorized to purchase--or enter into contracts--for products and services that may connect to your networks. Ideally, this process should be linked to your organization's cybersecurity team, allowing products and services to be vetted for potential risk and negative impact.

---

Braden Perry

@bradenmperry

Braden Perry, is a regulatory and government investigations attorney with Kansas City-based Kennyhertz Perry, LLC. Mr. Perry has the unique tripartite experience of a white collar criminal defense and government compliance, investigations attorney at a national law firm; a senior enforcement attorney at a federal regulatory agency; and the Chief Compliance Officer of a global financial institution.

"I work with a number of vendors on data breaches. Generally, there's more of a threat by..."

Rouge insiders. There's not much, besides compartmentalization and monitoring, you can do if an insider wants to reach data. For outsiders, most attacks compromise legitimate websites to deliver malicious payloads which can then reach data. This can usually be prevented. While no single strategy fits all, practicing basic cyber hygiene would address or mitigate a vast majority of security breaches. Being prepared if an intrusion occurs is also critical and having a communications method for response, actively monitoring centralized host and networks, and including an enhanced monitoring to detect known security events is a must. With a well-oiled cyber policy, you can mitigate outsiders significantly. Specifically for supply chains, it is critical to monitor and review your vendors and to mitigate any excess entry points into the system. Target and Home Depot are high-profile examples of supply chain monitoring gone wrong. Following critical data and the data stream can identify areas where more monitoring is required can also minimize undetected intrusions. While it is impossible to prevent all intrusions, having a cyber policy that identifies weaknesses within the supply chain and enhancing security/monitoring will lessen the risk of landing on the ever-increasing list of companies breached.

---

Avi Freedman

@kentikinc

Avi has decades of experience as a leading technologist and executive in networking. He was with Akamai for over a decade, as VP Network Infrastructure and then Chief Network Scientist. Prior to that, Avi started Philadelphia's first ISP (netaxs) in 1992, later running the network at AboveNet and serving as CTO for ServerCentral. He is now the Co-Founder and CEO at Kentik.

"If I were a CIO, I would resource and task my teams to develop..."

A digital supply-chain game plan. It would require developing a map of all digital trading dependencies, from end-users to API calls. It would involve developing the expertise to play the Internet-connectivity game like owners – and not renters – of digital destiny. For example, instead of simply trusting a couple of major telcos to carry all our traffic, actively exploring and executing direct Internet connectivity with major digital trading partners. And it would certainly include investing in cloud-scale, big data tools to equip my teams to run a data-driven operation, rather than relying on educated guesswork. Because if digital business is the game now, mastering your digital supply chain is how you play to win.

---

Satwant Atwal

@IMRInews

Satwant Atwal heads the Cyber Security practice for Information Management Resources, Inc. (IMRI). Atwal is responsible for the company’s product and service offerings within the federal and commercial sectors and possesses diverse industry experience in the design and implementation of cyber security solutions for organizations of all sizes.

"To secure their supply chains, companies should take the following steps..."

1. Enforce proper security controls for all partners and vendors.

2. Implement solutions that provide complete visibility of the enterprise network with continuous monitoring.

3. Implement systems for back-up and recovery in case of a malware infiltration.

---

Lewis Daniels

Lewis Daniels is the founder of Salvador Partners, which specializes in supply chain security.

"The supply chain has similar risks to most aspects of security..."

The supply chain needs constant feedback, it needs audits and it needs controls. Vulnerabilities in the supply chain are often targeted due to the lack of control outside of the company's own structure. Auditing suppliers and maintaining a healthy, up-to-date record of the security policies of all of your suppliers is a very good place to start.

---

Adrienne Johnson

@CorpInfo

Adrienne Johnson has worked in the Information Technology field for nearly 25 years. She specializes in closing the gap between engineers and business managers. Adrienne helps business managers understand the business implications of technology and provides insight to help them better select the solutions that are best for their organizations. Currently, she is the Communications Manager for CorpInfo.

"Insider security threats are significant whether due to intentional action or carelessness. However, frequently overlooked groups of insiders are..."

The vendors, partners, contractors and service providers that constitute the supply chain. These organizations may have trusted access to critical infrastructure.

An organization's network and data is only as secure as the security measures in place with the third parties that access their environment. Therefore, it is important to enforce security fundamentals throughout the supply chain. Practice risk management on third-party vendors, partners and service providers. Key practices to building a risk management program include:

• Performing risk assessments on vendors
• Maintaining an inventory of all third parties that handle sensitive data
• Requiring partners to comply with your organization's privacy policies
• Conducting ongoing monitoring
• Establishing robust contractual protections
• Implementing technologies and processes to safeguard against internal threats and ensure privacy
• Considering restricting privileged users to only the systems and resources required to perform job

---

David Kruse

David Kruse, CISR is a Commercial Account Manager for Hausmann-Johnson. David’s goal is to help clients think no more about their insurance than they want to, and effective customer service is the tool he uses to accomplish that goal. Prior job experience in the banking industry instilled in David a high sense of urgency around everyday matters. He knows that until a problem is solved, clients are using valuable downtime that could be better spent running their business.

"Companies should prioritize information security risk management based on two factors..."

Those that that they have the most direct control over and those that will have the greatest impact. Endpoint risks and user-centric risks (risks related to servers, laptops, mobile devices, etc, and the employees that use them) fall especially close to this juncture. According to the 2015 Ponemon State of the Endpoint Report: User-Centric study, “negligent employees are seen as the greatest source of endpoint risk.” The number of employees accessing company data, from a myriad of devices and locations, is increasing. As such, it’s critical that each employee view themselves as a pseudo-IT professional with regards to protecting sensitive data. This can be done in a few ways:

1) Raise awareness of how data breaches can occur, and how every employee can both cause and prevent one from occurring. Specifically, ensure employee awareness of:

a. Social engineering

b. Password security

c. Email and web browser security

2) Don’t overlook the basics: make sure that anti-virus/malware programs are updated regularly. As threats evolve, it’s crucial that your system’s definitions are updated along with them.

3) Turn a negative into a positive. The Ponemon Institute reports that more organizations are trending towards viewing endpoints as tools to “detect and respond” to security events. Rather than viewing endpoints strictly as liability, view them as security sensors that can help you identify possible security events before they turn into breaches.

Look up and down your supply chain, and ask your business partners about their data security policies and practices. Data security is not optional, and a lackadaisical approach is not acceptable. Consult with your IT advisor to put in place policies and systems protect your data, and then ask your business partners to demonstrate that their policies and practices at least meet the standard of your own.

Finally, a robust information security/cyber liability insurance policy should be your last line of defense to protect your company in the event of a breach. A good policy will include the services of a breach coach who will work with you to coordinate the services of forensic IT professionals, PR, notification and credit monitoring services, and a legal defense team. Their experience will be invaluable in the event a breach is discovered.

---

Mike Baker

@Mosaic451

Mike Baker is founder and Principal at Mosaic451, a cybersecurity service provider and consultancy with specific expertise in building, operating and defending networks.

"In order to secure a supply chain against cyber attacks organizations of any size must..."

Limit access to data. Employees should be able to access only those systems and data that they absolutely need to perform their jobs. So that all activity can be traced to a particular user, each employee should have a unique access ID and should be authenticated using a strong password or passphrase, biometrics, or a token device or smart card. Strong cryptography should be used to render all passwords unreadable during storage and transmission. Physical access to systems and consumer data should also be restricted to prevent employees and building visitors from accessing or removing devices, data, systems, or hardcopies.

Web filtering is also a necessary nuisance. If you examine the largest data breaches, phishing scams, and companies held hostage by ransomware of 2015, technology did not protect the vast majority of these companies. In each case, data was breached due to hackers/phishers successfully exploiting humans (i.e. employees). Utilizing standard web filtering technology to block the use of social media sites, or at least allowing viewing of social media but disallowing posting to these sites with policy-based application aware technology may seem like a slam dunk security solution, but will it hinder business? Providing safe access to dynamic content and personal information is a question that must be addressed internally. Making web filtering policies a collaborative effort between management and all employees can ensure that all needs and viewpoints are addressed.

---

Scott Sobel

@kglobaldc

Scott Sobel is the Senior Strategy and Communications Executive for the Washington, DC-based kglobal agency. Kglobal teams have managed crisis and data breach preparation and response for many industries and clients.

"Supply chains are particularly vulnerable to cyber attack..."

How should you prepare? The Issue Supply chains have many moving parts, many contributors and, notably, many points of entry into data, opening the door to hackers and insiders with bad intentions. Most businesses are seeing an increase in cyber breaches designed to gather sensitive client or competitive information that can be manipulated, e.g. information for insider trading or even information a cyber thief might use to blackmail a company … a so-called ransomware attack.

Crisis managers say it is not a matter of if a company will have cyber trouble, it is a matter of when the trouble will happen and how it will manifest. Recent news shows no one is immune, from national political parties and big box stores to health care providers, law firms, manufacturers and transportation facilitators.

Tips:

• It is always much harder to protect your business when an attack is in progress; it is always wiser to have a crisis plan in place, when there is more time for thoughtful preparation.
• Make sure your suppliers and vendors also have a crisis plan and prevention strategy in place.
• Hire a professional and get your social media and cyber breach crisis plan in place right now.
• Create crisis scenarios and how they will be handled and by whom.
• Create a social media section for your business handbook and outline what is permitted and isn’t, what may be legal and illegal about handling secure documents or information. Let staff know there are stiff penalties for data breach involvement.
• Monitor or hire a professional to monitor all online conversations about the business to look for anomalies that might indicate a hack is in the works.
• Be careful of responding to all communications and emails, verify the communication is coming from the party identified. There is a trend now for hackers to identify themselves as company or vendor employees who you normally communicate with. The hackers are betting you won’t check email origination too closely.

Priorities:

• Assuming you may be a victim of a breach at some point, make sure you have redundant communications and other systems in place so there is no work interruption.
• Also have a client and vendor communication plan in place for fast and personal contact, if you suffer a breach.
• Create your crisis plan an practice it, do a table-top or role play, at least once a year (maybe more) so that you don’t fumble through the real thing.

---

Sonal Sinha

@MetricStream

Sonal Sinha is the VP of Industry Solutions for MetricStream, a Governance, Risk and Compliance company (GRC), regarding steps that companies can take to protect their supply chains from cyber attacks. As VP of Industry Solutions, Sonal is responsible for driving solutions and strategy for MetricStream in industries such as Consumer Packaged Goods, Retail, and Technology. Sonal comes to MetricStream with over a decade of experience as a Risk Management and Compliance Leader at Global Consulting, Financial Services, and Technology corporations such as Google, Visa and KPMG.

"In securing the supply chain, companies must realize..."

• The need for a holistic and proactive approach to managing cyber risks
• Steps that companies can take to protect their supply chain data from cyber attacks and data breaches
• The importance of a risked based approach to proactive monitoring and compliance processes for supply chain cybersecurity

---

Kelly Bell

@WestbaseTech

Kelly Bell is the head of marketing at Westbase Technology, the leading European distributor of 4G LTE and hybrid networking solutions. Westbase Technology is the exclusive distributor for Cradlepoint, the global leader in wide area wireless networking, and has been named their International Partner of the Year for 3 years running.

"Supply chains are susceptible to cyber-attacks and data breaches because..."

They sit at the edge of the organisation's network. In order to better protect the network edge, companies should look to establish parallel networks which they can run supply chain applications over; this keeps their core network and data secure and separate from the operation, while still enabling their supply chain communication requirements.

A recommended way of establishing this parallel, or air gapped network would be over 4G LTE as it can be rolled out very quickly and cost effectively – it also offers improved flexibility compare to a fixed line alternative. By using enterprise-grade hardware with enhanced cloud software layers, a highly secure network can be established to protect supply chain data communicated over the parallel network.

---

Tunio Zafer

@pCloudapp

TunioZafer is the CEO of pCloud AG, an innovative, fast-growing cloud storage company. He has more than 15 years of experience in business strategy, management and marketing in the field of technology, and has participated in a number of successful business projects.

"To answer this question, we should consider two main factors actively involved in supply chains, cloud technology and online security in general..."

The technology and the human factor. Neither of them is ideal, and both leave room for unauthorized access to sensitive data.

The technological aspect should be solved through complex and sophisticated encryption and multi-layer protection. Client-side encryption is highly preferable here, as with it the data is encrypted locally on the user's machine and can then “travel” securely via email or to the cloud, for example. Multi-factor authentication is another practice businesses should be employing heavily: the more security steps there are between a piece of data and the possible hack attack, the less likely it is for the security breach to be successful.

Then comes the human factor, and this is where things get tricky – people can be incredibly unpredictable and take actions for a myriad of reasons, not all of them being malicious intent – I dare say that many cyber attacks happen simply because a person has compromised a particular system. What businesses can do to solve this is be meticulous when assigning access levels to employees. Of course for this to work, the proper technology/functionality should be in place. Fortunately, this is nothing groundbreaking, and most sensible and efficient supply chain management solutions have implemented role and access controls, as well as for file encryption.

---

Bill Ho

@Biscom

Bill Ho is a cybersecurity expert and CEO of Biscom, a leading edge secure document and messaging solutions company that enables firms to share and store documents securely. Over his 20 year career, Bill has worked closely with various companies in the healthcare, financial services, government, and legal spaces.

"Supply chains are tricky because..."

There can be so many moving parts and 3rd parties involved, but it’s important to maintain your security standards with any partner who might have access to internal systems. To protect yourself from breaches and hacks, consider the following: create and enforce a security policy and procedures document that partners will adhere to; restrict access and authorization to the absolute minimum required (e.g., principle of least privilege); actively monitor the actions from partners, or even better, review and perform the actions on behalf of your partner.

---

Vadim Vladimirskiy

@GetNerdio

Vadim Vladimirskiy is the CEO of Nerdio, a cloud based IT company outside of Chicago

"In our experience, human error usually creates the most vulnerability in any IT security scenario..."

Through social engineering, or through being unaware of the dangers. We recommend a two-prong approach to security: use strong security technology, and make sure employees are following company policy and procedure to reduce the risk of data breaches.

In the real world, that means requiring encryption protocols both on data-at-rest and on data transmission. It can also mean requiring all members of the supply chain to encrypt the devices they use, from cell phones to laptops. That way, if any data is intercepted somewhere in the supply chain, it's indecipherable. It might also mean establishing a contractual obligation with various members of a supply chain to limit risky behaviors. For example, if a shipment of hard drives is being delivered to a secure SAN facility, the driver should be on a set schedule with no deviations, should not attach unapproved devices to company equipment, and should keep a buffer between personal-use and business communication equipment. In other words, monitor the driver's route, don't let the driver plug a flash drive into company equipment, and don't allow the driver to connect a personal cell phone to a company network.

---

Steven J.J. Weisman, Esq.

@Scamicide

Steven J.J. Weisman is a lawyer, college professor who teaches White Collar Crime, author of numerous books including Identity Theft Alert and one of the country's leading experts in scams, identity theft and cybersecurity. He writes the blog Scamicide.com, where he provides daily updated information about the latest scams and identity theft threats.

"The interconnectedness of companies can be extremely time saving and a boon to efficiency, but it carries with it tremendous security threats because..."

We are only as safe as the security of the companies with which we deal. This was proven in the case of the massive data breach at Target where Target's security system was not directly hacked. Rather, it was Target's HVAC company that was hacked from where access was gained to the computers of Target. A part of any comprehensive plan for a company would include the following:

1. Encryption of all data stored and communicated electronically.

2. Dual factor authentication used for electronic payments and access to online banking.

3. Security software and encryption on all devices including smartphones used by employees with all of the software constantly updated.

4. A social media policy that limits information that can be put online by employees that can be used for purposes of spear phishing.

5. Use of anti-spear phishing software and reoccurring training of employees to recognize spear phishing emails.

6. Computer use rules which include never clicking on links or downloading attachments until the legitimacy has been confirmed.

7. Use of Virtual Private Networks when using laptops and other portable devices outside the office.

8. Procedures for wire transfers that require signing off by multiple staff before a payment can be made.

9. Avoiding issues of ransomware by daily backing up of all data with three copies in two different formats with one off site.

10. Limit access of data by employees to only those matters which are required to be accessed by the employee.

---