TBR Technology Business Research, Inc.
TBR EVENT PERSPECTIVE
Opportunities evolving from cyber
supply chain security concerns
Boston, March 25–26, 2014
Jane Wright (email@example.com), Senior Analyst and Engagement Manager
Just a few years ago, security breaches were typically enabled by vulnerabilities in the breached organization’s IT
infrastructure. Today, however, many security breaches are the consequence of vulnerabilities in the IT
infrastructures of the affected organization’s business partners, including the wholesalers, retailers, payment
processors and other partners in the organization’s cyber supply chain. This has led to heightened expectations for
strong security controls at cyber supply chain partner organizations, a primary topic of discussion at the
SecureWorld Boston 2014 conference.
Increased focus on cyber supply chain security has altered the way organizations evaluate security solutions and
justify security expenditures. It has impacted the way security vendors and service providers engage with
customers, placed more demands on cloud service providers and created opportunities for auditors and cyber
Cybercriminals traverse supply chain partners’ infrastructures to reach their targets
Depending on the industry, an organization may have hundreds or even thousands of cyber supply chain partners
sending and receiving electronic data such as invoices, catalogs and customer lists. The organization may need to
grant business partners a level of access to its network and applications to operate efficiently. This creates a cyber
supply chain that is critical for organizations to compete in today’s business climate.
Recent breaches demonstrate that an organization may be only as secure as the weakest link in its cyber supply
chain. For example, cyberattackers brought down The New York Times website for two days in 2013 by attacking
the Times’ DNS provider. Another example is the recent breach against the retail corporation Target Corp., which
was initiated when hackers stole credentials from the retailer’s heating and air conditioning provider.
These examples underscore the patience of attackers who take a circuitous route to infiltrate their ultimate target.
Along the way, they drop payloads, steal credentials or set up command and control sites in the partners’
infrastructures until the attackers eventually reach their target and shut down business processes, steal valuable
data and cause other damage.
According to the Cost of Data Breach Study: Global Analysis conducted by the Ponemon Institute and sponsored by
Symantec, the average cost of a typical data breach in the U.S. was more than $5 million in 2013. To minimize the
risk of such losses, organizations require that their cyber supply chain business partners provide detailed security
reports on penetration testing, change management and incident forensics, or document their adherence to
frameworks from the National Institute of Standards and Technology (NIST) or SANS Institute, or other security
Cyber supply chain risk is familiar to organizations that must comply with regulations such as HIPAA, where
“business associates” must follow certain rules and provide satisfactory assurances. But increased awareness of
attacks on supply chain partners as attackers attempt to damage or steal from their intended targets has
heightened cyber supply chain security concerns at organizations in all industries, including nonregulated
Cyber supply chain concerns impact users, vendors, service providers and other firms
Since security attacks can travel along cyber supply chains, many organizations find they must demonstrate their
security qualifications to earn the right to be in a supply chain and do business with their partners and customers.
Partners and customers are demanding proof that organizations are proficient at deflecting attacks, detecting
insider threats and closing vulnerabilities. In this way, security is tied more closely than ever to the organization’s
As a result, chief information security officers (CISOs) are adding a new criterion to their security purchasing
decisions: the ability of the product or service to help demonstrate the organization’s security strength to its
customers. Security vendors can help CISOs by ensuring that their solutions produce clear and concise security
reports that can be attached to the organization’s business proposals. Professional security service providers are
called on to help organizations pass security audits or adhere to security frameworks, documenting the results in a
format that can be shared with partners and customers.
From a security perspective, cloud service providers are an important partner in an organization’s cyber supply
chain. Even if an organization chooses not to use cloud services, it is likely that one of its cyber supply chain
partners does, and thus a portion of the organization’s data will spend time in a cloud provider’s platform. Cloud
service providers are focusing on security along with other factors, such as availability and ease of implementation,
to ensure that an attack impacting their platform does not ripple to their customers and their customers’ cyber
supply chain partners.
The insurance industry has also been affected by the increased focus on cyber supply chain security. Most general
liability policies will not cover incidents such as denial-of-service (DoS) attacks, so organizations are turning to
cyber insurance companies to write new policies that cover many different forms of attacks. The policies may be
written to protect the covered organization as the first party as well as cyber supply chain partner organizations as
additional parties in the incident.