Jim Alkove is the Chief Trust Officer at Salesforce, where he’s responsible for enterprise-wide information security and compliance.

It’s a familiar headline: Your supply chain may be your biggest cybersecurity risk. And for good reason. Between pressure to maintain business continuity and exceed profit targets amid inflation and global supply chain issues, organizations across industries have a lot to contend with. With attention focused elsewhere, threat actors can slip under the radar more easily while still causing outsized damage.
For instance, beyond the potential exposure of credit card data, we’ve seen a rise in ransomware and nation-state threat activity in an attempt to further disrupt stressed infrastructures. While these challenges are broad, if we approach cybersecurity as a collective whole, rather than as individual organizations, they are not insurmountable.
With that in mind, here are three ways to enhance security throughout your entire ecosystem to help prevent potential cyber-attacks that impact your supply chain.
Start with a minimum security baseline for all third-party vendors.
There are countless reasons why organizations leverage third-party vendors, including cloud providers, integrated shipping services and outsourced customer service. And over the course of the last two years, as companies scrambled to get online quickly, the use of third-party vendors became even more integral to staying in business.
One downside of this increasingly complex third-party landscape, however, is a corresponding increase in cybersecurity risk exposure. A 2021 study found “44% of organizations have had a breach within the last 12 months, with 74% saying it was the result of giving too much privileged access to third parties.” In the past, businesses have been left to their own devices in designing and implementing security baselines for vendors. This not only creates headaches for vendors who have to comply with potentially thousands of differing requirements but also increases the likelihood of errors and, with them, the opportunities for attack.
To help solve this challenge, industry leaders such as Salesforce, Google, Okta and Slack teamed up to design the Minimum Viable Secure Product, or MVSP, a vendor-neutral checklist that provides a simple, practical way to establish minimum acceptable security baselines. Even if you only leverage MVSP as a starting point, the hope is that it can enable efficiencies, decrease overhead, enhance trust and raise the bar for security standards across the industry.
Prioritize customer trust.
Trust is a long game. Even with a minimum baseline, it’s still contingent on every organization to develop a robust cybersecurity strategy specific to their company, industry, market and more — one that nails the basics while investing in security innovation to stay ahead of bad actors who are getting more sophisticated every day.
According to the 2020 Verizon Data Breach Investigations Report, 37% of credential theft breaches used stolen or weak credentials, making it clear (if it wasn’t already) that passwords alone are no longer enough to secure customer data. But there are ways to up your security posture against credential attacks, including patching vulnerabilities on a regular basis and ensuring any third-party software is up to date. Enforcing multifactor authentication is also one of the best ways to provide sufficient safeguards against unauthorized account access, both for employees and customers.
Remember, it’s important to not only focus on what’s legally required from a disclosure perspective but what’s required from a trust perspective. Every company should look at their security strategy with the lens of “what do our customers expect” and work to achieve, if not exceed, that.
Be prepared and stay vigilant.
Cyber attacks are still a matter of “when,” not “if,” and it’s important to make sure your entire team — including third-party vendors — is on alert and knows what to look for. In preparation, a strong security awareness program can make a critical difference in maintaining trust with your team and your customers.
You might also consider increased fraud protection measures, running proactive checks of all your systems for potential weaknesses and reviewing account privileges regularly. In addition, prepare your customer service team to be on the lookout for anything suspicious, and have a contingency plan ready in case you need to roll out security updates that could affect your availability.
Cybersecurity is a team sport. That means working holistically with your team and your vendors to ensure you’re protecting customer privacy and data. While there will always be some degree of risk for every business, making a proactive investment in your supply chain security posture can help turn the odds in your favor.