How Secure is Your Supply Chain?

One of the major themes in cyber security in 2018 was supply chain attacks.  Forbes recently reported that attackers have been looking for new ways to compromise their targets because many companies have implemented better internal security controls.  Attacking suppliers and partners has proved to be very effective.  Many companies have been successfully attacked through their POS payment systems.  Others have had sensitive employee data stolen from their payroll and benefits suppliers. Sadly, there are numerous other examples.

If we want to reduce our supply chain risk, we need to pay significant attention to our suppliers and partners.  But let’s be realistic — most businesses don’t have the resources to fully vet all of their suppliers.  To have the biggest possible impact with available resources, we need to take a risk-based approach.  We need to prioritize the vendors that have the most potential impact on our businesses.

Which Vendors Matter Most?

Make a list of your vendors and partners, and consider each vendor against these questions:

  • Does the vendor have access to sensitive data like payroll, regulated personal information about customers, financial or trade secrets, etc.?
  • Does the vendor have unescorted physical access to your facilities?  Vendors such as building managers, HVAC contractors, burglar alarm vendors, and outsourced IT partners may have physical access.
  • Is the vendor’s product or service essential to a critical business process?
  • Does the product or service affect a high-risk or highly-regulated business function?
  • Do other vendors provide the same (or similar) products and services, or is this firm’s product truly unique?

If you answered “yes” to one or more of these questions, then you should look carefully at the firm’s security.

What Should Businesses Do to Protect Their Supply Chains?

Here are a few ideas for reducing the risk of supply chain attacks on your business:

  1. Ask your suppliers how they will protect your data or your facilities.  Many vendors will be happy to give you a high-level overview of their security and compliance programs.
  2. Ask your suppliers for evidence of any third party audits of their security and compliance programs.  Many vendors hire auditors to review their compliance, and will provide you with a summary audit report upon request.  Not only can these reports give you confidence in the supplier’s security, they often contain a list of controls that customers need to have in place when working with the supplier.
  3. Limit your vendor’s access as much as possible.  Only give them access to the data, systems, and facilities that they absolutely must access to perform their roles.
  4. Ask your legal advisor to review your contracts to make sure they have appropriate security-related terms and conditions.  For example, a contract might require the vendor to notify you promptly when they have a relevant security incident.  Similarly, the contract might address liability for security breaches.
  5. When purchasing sensitive products (e.g., POS payment systems) or services (e.g., outsourced payroll), consider hiring a security consultant to help you evaluate the available products from a security perspective prior to making your purchase.

After a tough year of supply chain attacks in 2018, let’s make 2019 the year of supply chain security!

Components of a Small Business Security Program

Security expert Bruce Schneier was once quoted as saying that a sufficiently “motivated, funded, and skilled” hacker will eventually find a way to break in.  If that is true, what should we do to protect our businesses?

Security is More than a Firewall and Anti-Virus

It is easy to fall into the trap of believing that up-to-date security products like firewalls and anti-virus software are enough to keep you safe.  These products are important, but they are definitely not enough to protect you on the internet in 2018 and beyond.

Attackers who have motivation, money, and skills are also creative and persistent.  They might try the easy way in at first, but they are prepared to work harder to find a way inside your network if necessary.  For example, the attackers who breached Target in 2013 did not directly breach one of the company’s systems; instead, they got in through an HVAC contractor.  In another example, a payroll processing firm was breached, potentially affecting hundreds of thousands of employees from thousands of small businesses.

The key to protecting yourself is to have a holistic security program that includes controls based around people, process, and technology.  Your people need to be informed and know what to do.  Your processes need to be designed with security and resilience in mind.  And your technology needs to be up-to-date and implemented effectively.

What Does a Holistic Security Program Look Like?

The National Institute of Standards and Technology (NIST) has published guidelines for small business security programs.  In their documents, NIST recommends that a security program consist of five components:  Identify, Protect, Detect, Respond, and Recover.

  • Identify: know what systems, data, people, and partners are a part of your network.
  • Protect: put controls in place that help protect your systems and data from attacks.
  • Detect: have a way of finding out quickly if your systems are under attack or have been compromised.
  • Respond: have a plan for how you will respond to an attack when it happens, and test the plan so you are ready to implement it in a crisis.
  • Recover: have a way of getting your systems and data back online after an attack so you can resume normal business operations.

The Need for Balance

If you put too much emphasis on a single component then you will be ill-prepared for when that component fails.  In one example, a small software company called Code Spaces was put out of business by a cyber attack.  The company bragged that it had excellent backups, but it apparently did not have an effective plan for recovering after it lost its data in the attack.  The result was that the company had to shut down completely.

A balanced approach that includes effective controls in each of the five components can be a more effective approach to security. Pinnacle can help you create a balanced, holistic security program tailored to your business and your risks.  Let us know how we can help!

In 2019, we will take a deeper look at each of these five components.
Is Your Data Toxic?

Data is one of the transformational characteristics of the internet age.  Compared to just 10 years ago (let alone to 20+ years ago!), data is cheap and easy to gather.  It is the lifeblood of many businesses, from the largest technology companies to the smallest service firms.  Here are a few examples of how companies are using data to transform their services:

  • Retail businesses capture data about their sales to determine which products to stock and in what quantities, where to place them in the store, and how to price them. Leading companies are able to do this continually and can even automate their ordering based on their actual sales volume.
  • Doctors and medical researchers use data, including information about medicines, treatments, and the patient’s own DNA to provide personalized treatments to their patients.
  • Insurance companies offer their customers discounts for putting motion trackers in their vehicles.  These trackers collect data about speed, distance, and acceleration to help the insurance company more accurately predict the likelihood that you will get into a crash, so they can give you a more customized price for your auto insurance.
  • Local governments frequently use license plate readers to identify the vehicles passing through an intersection or under a bridge.  This data can help local police respond more effectively to AMBER Alerts or help authorities customize the timing of red and green lights to optimize traffic flow.
  • And so many more!

If data is so great, what is the downside?

Although data can be incredibly powerful, it can also be dangerous.  Some of the data you collect may be sensitive — credit cards, health records, financial transactions, trade secrets, etc.  Businesses have a responsibility to protect that data, both for the good of the business and to protect their customers and business partners.

Having too much data can also create real inefficiencies in your business.  For example, you may have so many documents that you are unable to find the right one.  You also have to pay to store and backup all of your data, whether the data is useful or not.

If your company is the victim of a security breach, any data that you possess could be made public or used by your competitors or rivals.  This could be very costly for your business — you could face legal, regulatory, financial, and reputational consequences.  The more data you have, the greater the consequences you could face resulting from a breach.

What can businesses do to minimize the risk?

There are numerous controls that we can put in place to protect our sensitive data, including encryption, two-factor authentication, role-based access control, and more.  However, there is another control that many businesses forget about — just delete it.

This is not to suggest that you just start deleting data without further thought — you need a plan.  Many leading companies have data retention and destruction plans to help protect them.  You can create a data retention plan for your business.  Here’s how:

  1. Make an inventory of the types of data you have.  Examples include engineering designs, product plans, employee records, and accounting data.
  2. Determine what business purpose the data serves (e.g., to forecast sales, to pay employees, to meet a regulatory requirement, etc.).  Data that serves little or no business purpose is a candidate for deletion.
  3. Estimate how long the data will still be valuable (e.g., historical sales data may lose most of its value after several years, the law may require that you keep accounting data for a specific period of time, etc.).  Data that is no longer valuable (and is not required for legal or regulatory purposes) is a candidate for deletion.
  4. Review the list of data you think you can delete with your financial and legal advisors.
  5. Draft a data retention policy.  This is a simple document that describes the types of data your business maintains, how long it must maintain the data, and the frequency of deletion.
  6. Pick a method for deleting unnecessary data that supports your data retention policy.  For example, you could do it manually once every quarter, or you could acquire a tool that will automatically delete aged data on a recurring schedule.
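As an added example (not tooling from the original post), here is a small Python script of the kind step 6 describes: it holds a retention policy keyed by data type, scans a folder tree, and reports or deletes files older than their retention period.  It assumes each top-level folder is named after a data type from your inventory, skips any type not covered by the policy, never touches types flagged as legally required, and runs in dry-run mode unless told otherwise.  The policy values are placeholders, not legal advice.

```python
import time
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Constructed sample policy (placeholder periods): data type -> retention in
# days and whether the law requires keeping it (then it is never auto-deleted).
RETENTION_POLICY = {
    "sales-history": {"days": 5 * 365, "hold": False},
    "accounting": {"days": 7 * 365, "hold": True},
    "marketing-drafts": {"days": 365, "hold": False},
}


@dataclass
class Candidate:
    path: Path
    data_type: str
    age_days: int


def classify(path: Path, root: Path) -> Optional[str]:
    """Assumption: the first folder under root names the file's data type."""
    rel = path.relative_to(root)
    return rel.parts[0] if len(rel.parts) > 1 else None


def find_expired(root: Path, policy=RETENTION_POLICY, now=None) -> list:
    """Return files older than their type's retention period.
    Unknown types are skipped (no policy means no deletion), as are held types."""
    now = time.time() if now is None else now
    expired = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        dtype = classify(path, root)
        rule = policy.get(dtype)
        if rule is None or rule["hold"]:
            continue
        age_days = int((now - path.stat().st_mtime) // 86400)
        if age_days > rule["days"]:
            expired.append(Candidate(path, dtype, age_days))
    return expired


def enforce(root: Path, dry_run: bool = True, **kw) -> list:
    """Dry-run by default: list candidates; delete only when dry_run=False."""
    expired = find_expired(root, **kw)
    for c in expired:
        verb = "would delete" if dry_run else "deleting"
        print(f"{verb}: {c.path} ({c.data_type}, {c.age_days} days old)")
        if not dry_run:
            c.path.unlink()
    return expired
```

Run the dry-run output past your financial and legal advisors (step 4) before switching `dry_run` off, and schedule the real run at the frequency your policy states.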

By eliminating data that your business no longer needs, you can realize several benefits:  reduced storage costs, increased employee efficiency, and reduced impact from a data breach.  Three wins from a single change is pretty good!