How secure is your supply chain?

By: Vanessa Quake | 21 Jan 2021

Just as the Monetary Authority of Singapore (MAS) has issued new cybersecurity guidelines for financial institutions to manage third-party service providers and technology vendors, cyber security firm Symantec has identified a fourth malware strain in the SolarWinds supply chain attack.

In an era where we are conducting more transactions online than ever, and where new digital infrastructure is being put in place for expanding “work-from-anywhere” policies, the SolarWinds attacks are a demonstration of what can happen when we are complacent with cybersecurity, not only within our organisation, but also our supply chain.

With IDC predicting that 75% of business leaders will leverage digital platforms and ecosystem capabilities to adapt their value chains to new markets, industries, and ecosystems by 2025, what can organisations do to ensure the cybersecurity of their supply chain?

We spoke to Simon Piff, Vice President of the Security Practice at IDC Asia/Pacific who had some suggestions for organisations wanting to keep their supply chain cybersecurity in check.

1. Don’t trade efficiency for security.

Organisations should instead ensure that they have the right checks and balances in place. “Direct connections from suppliers are high risk ports of ingress for unwanted activity. But they are needed for the purposes of process automation and efficiencies and cannot be disconnected. As a result, organisations need to conduct deep analysis of traffic across these connections, all the time and in real-time, to prevent points of ingress for a breach that allow threat actors to identify any lapses in security of the connected supply chain.”

2. Conduct independent 3rd or 4th party risk analysis.

Assume that people will only say what it is you want to hear. So “asking your business partner if they are secure will deliver only one answer. And that may or may not be accurate based on the fidelity of internal controls of the business partner.”

3. Security is a supporter.

But of course, Simon does point out that while cybersecurity is important and should support the business decisions, it should not drive the business decision. “So if you have suppliers that are struggling with security, work with them to improve on this as this will help build the critical outcome of secure, trust-enabled commerce.”