The coronavirus pandemic was 2020’s biggest disrupter of IT supply chains. And 80% of security breaches occur through the supply chain, according to KPMG.
IT supply chains are sprawling networks that crisscross the globe to generate greater efficiencies, streamlined production, cost savings, innovation and faster delivery of products. Yet they are vulnerable to constantly evolving threat vectors, from hurricanes and pandemics to security breaches perpetrated by nation-states and criminal enterprises.
It is challenging, even for security and logistics professionals, to identify and mitigate threats to critical IT supply chains. The best way to secure the IT supply chain is to work with trusted partners to analyze risk and make sound decisions.
Although threats to the security of IT supply chains can never be eliminated, agencies should adopt practices and policies that minimize their exposure to potential breaches. Frequently, the best practices available to agencies and vendors mirror initiatives pursued by high-level security agencies, such as the National Counterintelligence and Security Center (NCSC). NCSC recently issued a report on supply chain risk management.
Stop thinking of supply chains as innocuous pipelines of IT products.
Every supply chain potentially has a Trojan Horse linked to it. Pay attention. NCSC is putting into place new processes “to identify suspect or high-risk vendors, products, software and services that pose a risk to our economic and national security.”
Take action now to strengthen IT security protections that will be required of emerging 5G wireless technology.
Adopt a risk-based approach to supply-chain security. “Threat detection, response, and mitigation tools should be leveraged across all aspects of the lifecycle,” NCSC advised. “These tools and capabilities should be optimized for specific supply chains.”
Buy from IT vendors that have invested resources to develop the most secure IT supply chains.
To improve vendor integrity, NCSC “will create a supply chain risk assessment shared repository, address deficiencies in the federal acquisition process, and seek more streamlined authorities to exclude high-risk vendors,” the report states.
Use AI-based malware defense solutions to expose threats that otherwise could go undetected for months or years.
Advancing detection capabilities on a parallel path, NCSC reported initiatives to “enhance capabilities to detect and respond to supply chain threats … and to develop access to new sources of information and increase the analytic capacity to understand and assess foreign intent and capability to exploit U.S. supply chains.”
Pop the hood on the technology, the manufacturer and the vendor.
Look inside. Does the manufacturer have a trusted computer network? Do they use zero trust principles? Is cybersecurity built into the product or bolted on after the design? Demand original equipment manufacturer (OEM) parts and components and seek out vendors who are committed to using them. “To advance supply chain integrity across the federal government, supply chain security must be elevated to a top priority and be present throughout the acquisition process,” NCSC said.
This article is an excerpt from GovLoop’s recent report, “Eliminate Hidden Risks in the IT Supply Chain.” To learn about ways to find hidden risks in your supply chain and statistics on the growing threat to IT supply chain security, download the full report here.