Supply-chain cybersecurity attacks aren’t new, but they’re far from being under control.
A recent study from Resilience 360 found that there were nearly 300 cybersecurity incidents impacting supply-chain entities in 2019. With the average business sharing data with more than 500 third parties, it’s no wonder that the Ponemon Institute reports that roughly 61% of U.S. companies have experienced a data breach within their supply chains.
While geopolitical tensions drove a wide swath of those attacks, 2020 has given way to a perfect storm of opportunity, as COVID-19 has forced a large portion of the global workforce to move to remote work. Organizations from governments to businesses must take responsibility for protecting the data they process and share. With collaboration so crucial to sustaining innovation and productivity, this must be done without stifling the flow of ideas and information, or making systems and processes unworkable.
As COVID-19 hit the U.S. with force in the first quarter of this year, organizations responded by moving employees to remote work nearly overnight. As of June, 2020, an incredible 42% of American workers were conducting business remotely from home and migrating offices. With a highly mobile workforce, and supplier ecosystems that are becoming increasingly complex and globally dispersed, the threat to intellectual property and classified or sensitive information intensifies.
Project teams use mobile and cloud platforms daily to share and store data, potentially exposing it to access by unauthorized users. It’s also being physically carried outside the organization on smartphones, removable hard drives and USB storage devices which are prone to theft and loss. Within this context, data is constantly crossing the boundaries of companies and nations. There’s no longer a clear perimeter to defend.
While deliberate hacks are now commonplace, one of the biggest threats to security remains the theft, loss and misuse of data on the move. Research from Apricorn in 2018 noted that 29% of organizations surveyed had suffered a data breach as a direct result of mobile working. The same research conducted in 2020 shows that more than half of respondents still believe that remote workers will expose their organization to the risk of a data breach.
Further, recent research from Digital Guardian shows a 123% increase in the volume of data downloaded to USB media by employees since COVID-19 hit, suggesting that teams are using removable storage to take home large volumes of data. Unless these devices are encrypted, it’s only a matter of time before we see a spike in data breaches associated with remote worker vulnerability.
A data-centric, policy-based approach to security will protect the information itself, inside and outside an organization’s central systems, both on the move and at rest, while enabling safe communications. The answer lies in a multi-layered approach combining people, process and technology.
Start from within. Security isn’t just about technology solutions. Security awareness training and engagement programs need to extend to partners’ and contractors’ teams. Your goal here is to make all employees aware of the value and risks associated with data, and to both define and reinforce their role in protecting it.
Additionally, put data-security best practices in place, and manage enforcement of them. You can give your organization an advantage by creating practices and policies for how to interact with and secure data. By outlining and enforcing best practices for your team and supply chain, you help to build a culture of accountability.
Think of data in terms of a lifecycle. Having created best practices for working with and securing data, organizations should conduct a comprehensive audit, covering:
- What kind of data is held, and for what purpose;
- Who has access to that data;
- Where does the data flow, and
- How it’s currently controlled.
This will make it easier to spot areas of non-compliance, pinpoint where data may be unprotected, and identify technologies, policies and processes that can minimize risk exposure.
Enforce security. Set a strategy that includes the documenting and enforcement of policies that control how sensitive data is handled and used, and which are extended to all endpoints, including partners and contractors. Encryption must be a key element of the strategy. If a removable media device ends up in the wrong hands, encrypted information will be rendered unintelligible to anyone trying to access it.
Especially in the “new normal” of remote working, it’s imperative that IT departments research, identify and mandate a corporate-standard encrypted mobile storage device, and enforce its use through whitelisting policies. The device should be pre-configurable to comply with security requirements, such as password strength.
And, because we’re talking about the supply chain, requirements should be written into third-party contracts — setting out, for example, the tools and technologies that must be used, and when they should be updated. Organizations might take an even more proactive approach and set these requirements into the request for proposal (RFP) process, so that expectations are set before a third party is chosen.
Measure, monitor and report. For IT and security teams, the saying “You can’t manage what you can’t measure” is especially apt. The ongoing auditing of compliance, both within the organization and across the supply chain, provides rapid visibility of policy violations, so that they can be addressed through training or disciplinary procedures. Monitoring will also provide a detailed audit trail that allows the organization to demonstrate its compliance position, as well as an accurate record of any non-compliant user behavior.
A combination of technical and organizational measures can help to reduce risk exposure in the supply chain, while allowing the safe exchange and mobility of information as we continue to work from home. Businesses that control their data appropriately can protect confidentiality, national security and their own reputation without compromising efficiency, agility or their competitive edge.
The ever-expanding supply chain, coupled with dramatic changes in how and where we work, means that organizations have to continually focus on third-party security. By creating a strategic data-security plan that audits and measures along the way, with an emphasis on employee awareness and training, we can secure our supply chains despite the elimination of physical borders.
Jon Fielding is managing director at Apricorn, a manufacturer of hardware-encrypted USB data storage devices.