Opportunities evolving from cyber supply chain security concerns
JUL 30, 2014 02:22 AM

TBR Perspective

Just a few years ago, security breaches were typically enabled by vulnerabilities in the breached organization's IT infrastructure. Today, however, many security breaches are the consequence of vulnerabilities in the IT infrastructures of the affected organization's business partners, including the wholesalers, retailers, payment processors and other partners in the organization's cyber supply chain. This has led to heightened expectations for strong security controls at cyber supply chain partner organizations, a primary topic of discussion at the SecureWorld Boston 2014 conference.

Increased focus on cyber supply chain security has altered the way organizations evaluate security solutions and justify security expenditures. It has impacted the way security vendors and service providers engage with customers, placed more demands on cloud service providers and created opportunities for auditors and cyber insurance companies.

Cybercriminals traverse supply chain partners' infrastructures to reach their targets 

Depending on the industry, an organization may have hundreds or even thousands of cyber supply chain partners sending and receiving electronic data such as invoices, catalogs and customer lists. The organization may need to grant business partners a level of access to its network and applications to operate efficiently. This creates a cyber supply chain that is critical for organizations to compete in today's business climate.

Recent breaches demonstrate that an organization may be only as secure as the weakest link in its cyber supply chain. For example, cyberattackers brought down The New York Times website for two days in 2013 by attacking the Times' DNS provider. Another example is the recent breach against the retail corporation Target Corp., which was initiated when hackers stole credentials from the retailer's heating and air conditioning provider.

These examples underscore the patience of attackers who take a circuitous route to infiltrate their ultimate target. Along the way, they drop payloads, steal credentials or set up command and control sites in the partners' infrastructures until the attackers eventually reach their target and shut down business processes, steal valuable data and cause other damage.

According to the Cost of Data Breach Study: Global Analysis conducted by the Ponemon Institute and sponsored by Symantec, the average cost of a typical data breach in the U.S. was more than $5 million in 2013. To minimize the risk of such losses, organizations require that their cyber supply chain business partners provide detailed security reports on penetration testing, change management and incident forensics, or document their adherence to security frameworks from the National Institute of Standards and Technology (NIST), the SANS Institute or other bodies.

Cyber supply chain risk is familiar to organizations that must comply with regulations such as HIPAA, where "business associates" must follow certain rules and provide satisfactory assurances. But increased awareness of attacks on supply chain partners as attackers attempt to damage or steal from their intended targets has heightened cyber supply chain security concerns at organizations in all industries, including nonregulated industries.  

Cyber supply chain concerns impact users, vendors, service providers and other firms

Since security attacks can travel along cyber supply chains, many organizations find they must demonstrate their security qualifications to earn the right to be in a supply chain and do business with their partners and customers. Partners and customers are demanding proof that organizations are proficient at deflecting attacks, detecting insider threats and closing vulnerabilities. In this way, security is tied more closely than ever to the organization's business goals.

As a result, chief information security officers (CISOs) are adding a new criterion to their security purchasing decisions: the ability of the product or service to help demonstrate the organization's security strength to its customers. Security vendors can help CISOs by ensuring that their solutions produce clear and concise security reports that can be attached to the organization's business proposals. Professional security service providers are called on to help organizations pass security audits or adhere to security frameworks, documenting the results in a format that can be shared with partners and customers.

From a security perspective, cloud service providers are an important partner in an organization's cyber supply chain. Even if an organization chooses not to use cloud services, it is likely that one of its cyber supply chain partners does, and thus a portion of the organization's data will spend time in a cloud provider's platform. Cloud service providers are focusing on security along with other factors, such as availability and ease of implementation, to ensure that an attack impacting their platform does not ripple to their customers and their customers' cyber supply chain partners.

The insurance industry has also been affected by the increased focus on cyber supply chain security. Most general liability policies will not cover incidents such as denial-of-service (DoS) attacks, so organizations are turning to cyber insurance companies to write new policies that cover many different forms of attacks. The policies may be written to protect the covered organization as the first party as well as cyber supply chain partner organizations as additional parties in the incident.

According to a number of presentations at SecureWorld Boston 2014, attacks that navigate through cyber supply chains have increased requirements for organizations to demonstrate security maturity to their cyber supply chain partners. This has contributed to the changing view of security within the organization from overhead (a necessary expense to protect the organization's investments) to a business benefit that can be promoted to help drive revenue. Now when organizations set their competitive strategy around a differentiator, such as lowest price or highest quality, they may strive to add "most secure" to their list of strengths. Security vendors and service providers that offer products or services that help organizations quickly and easily document their security posture will be best positioned to support organizations in the increasingly connected business environment. 
