CIOInsider India Magazine

The Invisible Risk To Supply Chain And Why It Is A Top Security Priority

Shrikant Shitole, VP (India & SAARC), FireEye, Inc

A professional leader with 26+ years of experience and collaborative skills and abilities in team management and forging business partnerships to expand business coverage.

The COVID-19 situation has again renewed focus on supply chain management. While India has a reliable supply chain network (SCN) that is strongly connected through modern communication and technology, supply chain resilience will soon become the top priority, especially with the increasing demand for online ordering services and the surge in bulk buying by consumers. Certain aspects of consumer buying patterns have also changed since the lockdown was imposed in India in March. This has directly affected the procurement process at various levels and increased the security risk to the supply chain.

Today, organizations are struggling to keep up with ever-increasing demands for new services, new capabilities and a better customer-facing experience, so teams are looking to leverage and integrate more third-party developed offerings in order to meet tight deadlines. The risk to internal systems is higher than it was in the pre-COVID world.

As these components become fully intertwined with internal systems, it becomes harder to identify the individual sources that affect their security and, more importantly, to clearly highlight the dependencies and risks that come from this supply chain. We have observed recently that cybercriminals are moving towards more controlled operations that focus on stealing data, and the pandemic has been a tailwind to this ever-growing trend.

Ultimately, while organizations have many formalized partnerships, there may be many more that are not reviewed and are not part of centralized procurement. These completely circumvent any security audit or even basic identification. Even approved vendors and technology partners can be exposed to an undocumented supply chain, since they also leverage solutions and code from other third parties in their own effort to serve us better and faster. This problem is further exacerbated as organizations look to leverage more cloud-based capabilities and code.

How Can We Protect These Internal Systems?
It is practically impossible to review and exhaustively test every single line of code that has been introduced into an application or service. This is much like the alert overload problem most security teams experience in their day-to-day operations.

Instead, most security teams use an intelligence-based approach to streamline the identification of critical threats and take steps to minimize supply chain risk. As a starting point, there are far fewer vendors, partners and third-party sources of code and services than there are lines of code. Documenting these relationships is not a simple task that can be completed in a few days; it is a human-scale task, and it can be improved over time as awareness of the need to document these relationships becomes more prevalent and integrated into everyday activities.

Once these relationships begin to be documented, they can be monitored for issues, reputation, brand and other concerns by scanning for news stories, articles and mentions in forums and other sites about the organization itself, the third parties that are part of its supply chain, their key executives, contributing personnel and more.

While this effort can be a tedious undertaking if performed manually, service providers are available that offer this insight. While organizations use these brand monitoring and threat detection services internally for their own brands and key personnel, the same services can be extended to partners, third parties and a few vendors to establish top-level security for the entire internal system.

Combining threat intelligence data with monitoring of these issues, with all the components placed in line, will help organizations develop a 360-degree view of any potential threat across the system. It makes it easy to regularly update the risk score and quickly identify any concerns before they reach a critical level. This is a scalable approach to mitigating the potential risk landscape.

As India prepares itself every single day for the adversity caused by the pandemic, securing these internal systems and the supply chain networks, including externally connected vendor systems, will be a tedious but scalable approach to protecting the organization's entire supply chain ecosystem.