In Dun & Bradstreet's 2019 "Compliance and Procurement Sentiment" report, respondents cited cybersecurity as their top concern, yet 48% had not integrated associated risks into their third-party risk management. While developing and implementing a supply chain security program can be daunting, it should be the first item on your company's to-do list — with an emphasis on hardware security, which is often given short shrift.
Information security programs typically focus on managing software patches and keeping anti-malware engines and network security gear up to date. As a result, hardware components are often deprioritized, even though they are also vulnerable to advanced attackers and nation-state threats. The manipulation of physical components during building stages or transportation routes is a threat to all physical products. Faulty parts cause recalls, and when the part is relied on by global systems and contains sensitive data, the scale of the potential carnage becomes exponential. Successfully attacking firmware can create a vulnerability that attackers covet because, unlike most software-based attacks that can be fixed by resetting a device back to default, many hardware attacks can survive firmware reflashing or operating system reinstallations.
Threats to the hardware supply chain are not theoretical, and security teams need to develop stronger policies to mitigate supply chain threats and risks. Securing the supply chain needs to happen at various levels — each carrying its own complexities. The first step is ensuring the supply chain is part of your organization's threat model. At a minimum, a good grasp of the risks associated with the supply chain could change your acceptable business risks.
Here are 10 best practices for designing a strong supply chain security program.
1. Perform a ris ..
Support the originator by clicking the read the rest link below.
