In today’s data-driven world, businesses view data as a crucial business asset. Companies gather growing volumes of information from increasingly diverse data sources. Coupled with distributed and complex IT environments, this interwoven data landscape presents cyber threats through data supply chain risks.
A statistic exemplifying data supply chain risks is that 45 percent of data breaches occur in cloud computing systems, many of which aren’t owned by the companies that use them. The cost of a data breach stored in public cloud systems is $5.02 million, which is higher than the average breach cost of $4.35 million.
The use of cloud computing for data storage or analytics is but one cog in the machine that is a modern data supply chain. This blog post provides nine actionable steps to strengthen data supply chain security.
What is a data supply chain?
A data supply chain is a network of inputs and outputs that characterize the flow of data across a company to realize its value for specific purposes.These supply chains include the external sources from which data flows into a business and the external systems on which companies often store their information assets for later use. Businesses, vendors, partners, and resellers work closely together in the modern information ecosystem and frequently share private information across their data supply chains.
Data supply chain threats
Data supply chains face many cybersecurity threats. Bearing in mind that businesses often put the data they gather to use by feeding it into various software applications, flaws in those applications can put important data at risk of breach. For example, hackers could insert backdoors into third-party open-source or proprietary applications or components, giving them direct access to any data you feed into those systems or indirect access to data used within other applications (see Solarwinds).
Another potential threat comes from data collaboration strategies. Your business might collaborate with a partner to gain more insight into a market or identify a merger/acquisition opportunity. This collaboration involves sharing information with another party, and a security breach of their systems could see your company’s private information compromised.
Consider also how data supply chain threats can come from unauthorized access or misconfigurations that leave data exposed in external systems. Leaky cloud storage buckets are often left publicly exposed without any access controls. Contractors or partners with access to your company’s private GitHub repository could unintentionally expose secrets, including proprietary code or databases. Big data pipelines leveraging distributed cloud systems may have security weaknesses.
The data supply chain threats outlined above are just a small sample of what’s possible. With that in mind, here are nine actionable steps to strengthen the security of your data supply chain and preserve the confidentiality of what is arguably your most crucial business asset.
1. Map out the key parts of the supply chain
The first step in securing your data supply chain is to understand it. While this sounds like a complicated undertaking given the complexity of digital ecosystems, it’s not mission impossible. Returning to the definition of the data supply chain as the network of inputs and outputs that characterize data flow, it’s feasible to map out this set of inputs and outputs.
Part of the task is to identify all partners, subsidiaries, and other external sources from which data flows into your company. It is also necessary to identify all the systems and applications into which you feed data or store it for later use, including both internal and third-party systems or apps. Lastly, you must identify all sensitive data sources because this information requires extra protection.
With key supply chain elements mapped out, you stand a better chance of fully addressing the breadth of potential data supply chain risks.
2. Choose ‘secure by design’ with software development
Software security is central to managing data supply chain risks. Today’s businesses often develop in-house applications using external open-source components that provide ready-made functionality.
Security flaws, malware, or backdoors in third-party code can easily lead to data breaches unless your development teams adopt a secure-by-design approach. This approach means designing an application’s functionality with cybersecurity in mind from the outset. You’ll need to shift security left and incorporate static and dynamic tests, software composition analysis, container security checks, and more.
3. Create agile infrastructures that can respond to change quickly
With tighter regulations governing data privacy worldwide, modern data-driven operations and data supply chains come with increasingly challenging compliance concerns. Breaching privacy regulations impact businesses financially, legally, and reputationally. So carefully considering how and where data is stored and shared and with whom is critical.
Agile infrastructures that can quickly respond to changing or new privacy regulations are becoming more critical for supply chain security. An important concept is privacy engineering, which incorporates privacy into the core of system infrastructures, products, and business operations. When privacy is baked into infrastructure, your business can more easily adapt to changing compliance needs and mitigate threats.
4. Develop clear cyber security requirements in procurement contracts
Clear wording in any procurement contract about cybersecurity requirements can save a lot of hassle down the line regarding data security risks. These contractual stipulations should specify a minimum level of measures that any vendors or partners take to ensure their systems and software are secure. With these cybersecurity requirements baked into contracts and a way of being able to visualize data flows, you can feel more confident in the secure flow of data along your supply chain to external entities.
5. Beware of dependency confusion attacks
The risks to data supply chains from vulnerabilities in external code don’t stop at just the application level or at the components that an application directly depends on. Remember that each dependency itself often depends on other components so that the chain of trust required stretches back multiple levels.
A relatively novel supply chain risk to be aware of is the dependency confusion attack. This type of attack exploits package managers, which development teams use to automate installing and updating dependencies.
Some package managers check public repositories before private ones for dependencies. If a malicious outsider finds out about the dependencies in an application, they can insert malicious dependencies into public repositories with identical names to the private version. When the package manager retrieves the malicious public dependency, the application can be compromised, and your data is at risk.
6. Set up secure data transfer processes
When you think of a supply chain, you probably think of many moving parts. Within a data supply chain, it’s the data that moves around. Whether this means providing third parties information so they can deliver services or exporting data to ERP software, data is always on the move.
Secure data transfer processes include using encryption for data in motion and putting in place a solution for mapping and following the actual and potential flows of data along your data supply chain.
7. Perform penetration and vulnerability testing on partners
Expanding the scope of penetration testing or vulnerability testing engagements to various partners and other parties in your data supply chain can provide visibility into weaknesses and vulnerabilities you never would’ve known about. This requires approval from those parties, which can be outlined as part of contractual obligations.
8. Train employees to be alert to changes and inconsistencies
Developing an overall company culture of cyber-aware employees is one of the best ways to mitigate data supply chain risks. Effective cybersecurity training and awareness programs can educate users on the value of business data, its many cyber threats, and how to recognize the signs of common cyber attacks, including suspicious emails, inconsistencies in system configurations, and more. Fully automated awareness solutions are now available to make awareness faster and more effective.
9. Use network-level scanning, behavioral analysis, and intrusion detection
Not every defensive measure is guaranteed to keep threat actors from breaking into your IT environment. Network-level scanning tools can try to spot intruders who have bypassed perimeter defenses and are actively seeking to exfiltrate data. Often, the signs of intrusion are subtle because threat actors are sophisticated; behavioral analysis and dedicated intrusion detection solutions can assist here.
Protect supply chain data with Polar Security
Data security has many risks as information flows along the complicated supply chains that exist in a data-driven world. While these supply chains help businesses get more value from data, they come with ever-increasing threats. Following the steps outlined here helps to strengthen security at key points on your data supply chain.
Polar Security changes the game by automatically mapping, classifying and following your data to provide deep visibility and protection across the data supply chain. Polar’s Data Security Posture Management platform provides comprehensive visibility into data you didn’t even know existed within your supply chain and accelerates data protection with pre-emptive sensitive data security and compliance controls automatically and continuously applied.