{"id":6392,"date":"2021-03-05T19:44:03","date_gmt":"2021-03-05T17:44:03","guid":{"rendered":"https:\/\/tekmart.co.za\/t-blog\/?p=6392"},"modified":"2021-03-05T19:44:05","modified_gmt":"2021-03-05T17:44:05","slug":"tips-for-suppliers-on-how-to-prevent-supply-chain-attacks","status":"publish","type":"post","link":"https:\/\/tekmart.co.za\/t-blog\/tips-for-suppliers-on-how-to-prevent-supply-chain-attacks\/","title":{"rendered":"Tips for suppliers on how to prevent supply chain attacks"},"content":{"rendered":"Reading Time-approximately:<\/span> 4<\/span> minutes<\/span><\/span>\n

Every company, large and small, must assume it is a target in the supply chain. Suppliers should follow these best practices to keep themselves and their customers protected.<\/strong><\/h2>\n\n\n\n
\"Michael<\/figure>\n\n\n\n

By Michael Cobb<\/a><\/p>\n\n\n\n

A big IT security mistake made by many small and medium-sized enterprises, or SMEs, is not realizing they are a potential target for well-resourced and sophisticated hackers.<\/p><\/blockquote><\/figure>\n\n\n\n

Their arguments run the gamut, from “We don’t have much of a presence on the web” and “We’re just a small player in our industry,” to “Our turnover is small in comparison to our competitors” and “Hardly anyone’s heard of us.” These claims blindly assure SMEs they won’t be victims of a targeted attack and provide them with what they believe are good excuses to not invest more heavily in cybersecurity.<\/p>\n\n\n\n

Don’t forget the supply chain vulnerability<\/strong><\/h3>\n\n\n\n

But all companies — big and small — have customers. And those customers have customers. And somewhere along this chain of relationships exists the hacker’s intended target. The target company probably has strong security controls in place with a dedicated security team monitoring the network for malicious intrusions and suspicious behavior. <\/p>\n\n\n\n

Overcoming these protections is one reason why\u00a0supply chain attacks\u00a0have become a common tactic. Here, hackers use one of their target’s suppliers as a steppingstone to gain access to the main victim’s network. The consequences of this technique mean every company in a supply chain needs to assume they are a potential target and must know how to prevent supply chain attacks by securing their data and networks accordingly.<\/p><\/blockquote>\n\n\n\n

Depending on the nature of the relationship, customers may require potential suppliers to show their cybersecurity strategy meets an acceptable standard and they have effective processes and controls in place to detect, respond, mitigate and recover from breaches and other security events. In fact, many tenders for contracts stipulate that suppliers comply with relevant standards, such as those mandated by\u00a0ISO 27001, PCI DSS, HIPAA and\u00a0ITAR. <\/p>\n\n\n\n

Although obtaining certifications can be quite onerous and time-consuming for smaller companies, it does ensure that IT systems and the data they handle are protected and that employees are aware of their role in keeping data secure.Every company in a supply chain needs to assume they are a potential target and must know how to prevent supply chain attacks by securing their data and networks accordingly.<\/p>\n\n\n\n

Audits and security reports play a crucial role<\/strong><\/h3>\n\n\n\n

A slightly less arduous route for SMEs is to obtain a\u00a0Service Organization Control\u00a02 report, which provides assurances about the effectiveness of controls in place at a service organization, or a\u00a0SOC for Cybersecurity\u00a0report, which covers processes for handling enterprise-wide cyber-risks. <\/p>\n\n\n\n

Audits and reports are completed by an independent certified public accountant and determine if the audited entity is appropriately addressing its cybersecurity risks. If none of these options is affordable, then a self-assessment audit based on SOC 2 is an alternative that some customers will find acceptable.<\/p>\n\n\n\n

A self-assessment audit is best conducted in two stages:<\/p>\n\n\n\n

  1. Adequacy audit.<\/strong>\u00a0This review demonstrates that policies and procedures protecting data and managing information risk are sufficient.<\/li>
  2. Compliance audit.<\/strong>\u00a0This is an\u00a0evidence-based assessment\u00a0of the implementation and effectiveness of policies and procedures.<\/li><\/ol>\n\n\n\n

    By conducting an adequacy audit first, any shortcomings can be corrected prior to the start of the compliance audit. There is no point in checking whether a business unit or system is compliant if sufficient documented policies and procedures aren’t already in place.<\/p>\n\n\n\n

    Once the adequacy audit is completed satisfactorily, the compliance audit can begin. This involves assessing the level of compliance with every mandatory policy and procedure in scope. <\/p><\/blockquote>\n\n\n\n

    It’s important to focus the scope and the audit on areas that will be of importance to customers — for example, location, business unit, system, application or project. Customers will be particularly interested in security controls such as strong authentication, encryption of\u00a0data at rest and data in transit, business continuity plans and\u00a0security awareness training.<\/p>\n\n\n\n

    Not just checking boxes<\/strong><\/h3>\n\n\n\n

    There are a number of other security controls suppliers should enforce to prevent supply chain attacks on their customers and partners, including the following:<\/p>\n\n\n\n