Supply Chain Cybersecurity – Go Deep, Verify and Avoid the Compliance Trap

Even organizations with sophisticated cybersecurity processes, teams and tools can be inadvertently compromised by a supply chain partner victimized by a successful cyber-attack.

A company’s best protection comes when it obtains visibility into the cyber hygiene of participants at all tiers of its supply chain.

Third-party cyber risk affects every business in every industry, everywhere. That includes yours. Cyber-based threats continue to grow in volume and sophistication. Literally (and virtually) every company lies within range of bad actors who launch attacks every day. Supply chain interconnectivity puts every participant at risk: adversaries search for the weakest link in the chain, establish a beachhead and use it to achieve their objectives.

Don’t become complacent. Even organizations with sophisticated cybersecurity processes, teams and tools can be inadvertently compromised by a supply chain partner victimized by a successful cyber-attack. Criminals can use legitimate credentials stolen from a trusted partner to access the systems of a more mature organization upstream from the point of entry. Once on the inside, they can inject malicious software that affects critical systems or steal sensitive data or intellectual property that can be shared with competitors to create counterfeit or similar products that neutralize market advantage and drain revenue. When criminals target an otherwise healthy organization downstream from the point of entry with a ransomware attack that disrupts operations, an efficiently functioning end-to-end supply chain slows or grinds to a halt, potentially impacting production schedules and income.

In other words, the scope of a cybersecurity initiative should extend beyond enterprise boundaries. An original equipment manufacturer needs visibility into the cybersecurity hygiene of its first-tier suppliers, those suppliers’ suppliers and so on throughout the chain. Above and beyond visibility, a manufacturer would be well-served to verify the accuracy of what it sees and what its suppliers report about their cyber health. Only with robust n-tier visibility and verification of the cybersecurity capabilities of all direct and indirect suppliers can a business feel confident in its own cybersecurity posture.

But, what makes for strong cybersecurity? Too often, companies fall into the trap of equating security with compliance. They believe that by complying with a recognized standard, such as ISO 27001, they magically have become secure. Unfortunately, they have settled for a false sense of security because compliance and security are not one and the same.

Organizations will find compliance an insufficient measure of security because compliance only requires “checking a box,” which usually means taking the path of least resistance. Those looking through a compliance lens may be tempted to choose the lowest-cost solution to fulfill a security requirement, regardless of that solution’s performance or sufficiency. Similarly, if a standard calls for a system access control policy, a firm that creates such a policy technically complies. But, does the policy include stringent access control measures? Does the firm educate staff on the contents of the policy? And, does the firm actually enforce the policy? If not, then how much security does the policy really provide?

Relying on a compliance lens quite possibly compromises security, rather than enhancing it. Use of a risk lens represents a better approach. Although risk cannot be eliminated completely, this lens drives businesses to evaluate policies and solutions relative to their efficacy, measuring the extent of risk reduction until they find an alternative that produces an acceptable outcome with a tolerable level of risk.

For example, in response to the ongoing loss of vital controlled unclassified information (CUI) by its supply chain, the U.S. Department of Defense (DoD) implemented a regulation in late 2017 requiring any organization handling or storing CUI to comply with the 110 cybersecurity controls identified in Special Publication 800-171 issued by the National Institute of Standards and Technology (NIST 800-171).

Mandating that members of the DoD supply chain comply with such a broad and deep range of cybersecurity controls should have solved the problem, right? Wrong. Instead, the exfiltration of CUI continued, and actually grew in magnitude, primarily because the DoD allowed its suppliers to just “check the box” indicating they met the requirements, without confirming if, how and how well they implemented and executed those requirements.

The compliance model represents a recipe for cybersecurity failure. The goal of a cybersecurity endeavor should not be compliance. Companies realize effective cybersecurity only when their mission becomes risk mitigation. They must swap the compliance model for a maturity model.

A maturity model extends the compliance model and addresses its shortcomings. A maturity model examines not only if an organization meets a standard’s requirements, but also how well. It confirms that something has been implemented, that it’s actually being used and that it’s really working. Rather than focusing on just a particular point or snapshot in time, its purview extends over time. In other words, has the business implemented important cybersecurity protections, in what manner, and does it enforce and monitor the effectiveness of those protections continuously for the long haul?

In the wake of its supply chain’s inability to rein in the theft of CUI via supplier compliance with NIST 800-171, the DoD took a different tack. It created the Cybersecurity Maturity Model Certification (CMMC), and mandated that all suppliers (regardless of whether they store or handle CUI) receive accreditation to ensure complete visibility across its vast supply chain.

CMMC also comprises both cybersecurity practices (similar to, and actually including, NIST 800-171’s controls) and processes. These processes deliver the all-important maturity component of the program, forcing DoD suppliers to do more than just “check the box” on one-time fulfillment of practices: they must instead demonstrate their ongoing successful execution of those practices, as well as their commitment to improved cybersecurity hygiene and risk mitigation. In addition, CMMC accreditation comes only after suppliers pass a third-party audit of practices and processes, rather than allowing suppliers to self-attest to NIST 800-171 compliance – a more reliable and accurate approach to verification.

The DoD example demonstrates that even one of the world’s largest organizations with hundreds of thousands of suppliers that exchange sensitive data can struggle to overcome the cybersecurity challenge when it picks the wrong model and the wrong lens. But, no business can afford to have its confidential information, patents, intellectual property or operations threatened by cyber-based attacks. Bad actors will look to do harm by targeting new and innovative threats and tactics at the most vulnerable points of supply chains.

A company’s best protection comes when it obtains visibility into the cyber hygiene of participants at all tiers of its supply chain, and independently verifies what it sees. Most importantly, the definition of what it means to be secure matters. Do not set a goal of compliance; avoid the compliance lens and the complacency that accompanies it, because it does not deliver true security. Instead, adopt a risk lens to view cybersecurity, and make the objective to mitigate risk. Leverage a maturity model approach to confirm suppliers have the processes in place to prove they successfully and continuously address and enforce evolving cybersecurity standards. Doing so gives organizations their best chance to stay a step ahead of the bad guys.