5 supply chain cybersecurity risks and best practices

4. Manage remote work endpoint risk

In some ways, supply chain management best practices in a COVID-19 world are updated versions of what should already have been happening. But the widespread move to remote work is something many leaders have not dealt with before. As an exponentially expanded number of people have begun working from home, endpoints that hackers can exploit have expanded exponentially as well.

“Sustained operations in a supplier’s remote telework environment introduce additional risks.” As a result, organizations are at risk of unauthorized behaviors on the part of their suppliers’ employees, including losing their devices or having them stolen, downloading sensitive enterprise data without adequate offline protections or introducing rogue applications, files, keyloggers and other persistent threats, Oliver said.

“Remote employees are now using their work devices to surf the web, download untrusted applications or connect through public or home Wi-Fi networks, all before they log in to their companies’ secure networks,” he said.

In addition, when a supplier’s employees work from home, they are often required to use multiple networks and various collaboration tools, and to cope with cumbersome overhead processes to manage accounts and commercial cloud products. Additionally, the large variety of devices connected to home networks, such as thermostats, virtual assistants, TVs and even appliances, expands the supply chain cybersecurity risks significantly, he said. These activities create blind spots for organizations and risks to their ERP and enterprise systems, presenting an opportunity for malicious actors to exploit corporate assets, including supply chain software.

As the world embraces the new normal of working outside the office, technology must evolve to securely maintain access to networks and sensitive data, Oliver said. Cybersecurity attacks, such as phishing scams, spam, ransomware and keyloggers that target supply chains, are rising exponentially as malicious actors take advantage of the current situation to prey on remote workers.

Common security tools, such as virtual private networks and virtual desktop infrastructures, are not enough on their own to effectively protect organizations and mitigate threats, Oliver said. That’s because they rely on the companies’ end-users to follow security policies before and after connecting to secured networks.

The need for better endpoint security is clear.

For example, organizations can do more to try to improve the security of remote workers’ mobile devices and consequently keep bad actors from hacking into the supply chain network, said Matt Wilgus, principal and security practice leader at Schellman Co. LLC, a provider of attestation and compliance services in Tampa, Fla.

Wilgus said his company turned to mobile device management to improve the cybersecurity of its remote workers’ devices. “So, basically, if you have an asset that’s being shared, you can say [to the others], ‘Hey, when you log in, you’re going to log in to this side of the system,’” he said.

This keeps work separate from other uses of a shared device, such as homeschooling.

To ensure their supply chains are protected, organizations and their supply chain leaders should also monitor how their remote employees are using their devices, Wilgus said.

“You should have a monitoring policy in place and tell your remote workers, ‘Anything you do while you’re connected to the network is going to be fully monitored,’” he said.