IT security efforts have focused on threats to the enterprise. But is it time to pay attention to outside supply chain partners, too?

Mary E. Shacklett, President of Transworld Data

May 30, 2023


It’s been nearly three years now, yet few of us have forgotten the 2020 SolarWinds security breach that impacted nearly 33,000 clients.

The breach occurred when attackers managed to insert malware into a software update that SolarWinds issued to clients. The malicious code embedded in the software update opened a backdoor into clients’ IT systems, enabling the attackers to spy on companies and organizations.

The irony of the situation was that SolarWinds’ business was network and IT infrastructure solutions, where security certainly was top of mind. I remember thinking that if a network and infrastructure company like SolarWinds could be inadvertently compromised and potentially pass a malware infection into all its 33,000 clients, what might the risk be for an organization in a corporate supply chain where security isn’t top of mind -- like a pallet supplier to a lumber company?

Supply chain security management is an IT issue that goes far beyond the suppliers and business partners that IT itself uses.

The first place to look is purchasing.

Most corporate supply chain decisions are made in purchasing, which determines sourcing for an assortment of goods needed to sustain the business or to make products.

Purchasing’s supplier decisions are focused on least-cost and best-fit components. It also looks at timelines to deliver and supplier product quality records.

What it may not look at is the security strength of suppliers’ internal systems and practices.

Unfortunately, even the most security-hardened enterprise can experience a breach if a supplier passes malware into its network.

How IT Can Get Involved

IT can do several things to build and maintain security in the corporate supply chain.

1. Define supply chain security as a risk management issue

Company revenue streams, intellectual property, product development and financial health are all risk management issues that are regularly reviewed at the board level. In recent years, CIOs have also succeeded in adding corporate security to the risk management list. However, in most cases, vetting suppliers for rigorous security policies and practices as a condition of doing business has lagged.

Suppliers that provide nuts, bolts and engines should be as rigorously security vetted as those that provide databases and cloud-based information. When general supplier security is added to the risk management list, IT has a way to begin visits and collaborations with purchasing and other company departments that procure goods and services from the outside.

2. Add security to supplier RFPs

When purchasing and other company departments go out to suppliers for bids, they often present requests for proposals (RFPs) as part of the process. These RFPs query prospective suppliers about product specifications and quality, ability to deliver certain quantities on time, pricing, etc. -- but one of the screening criteria often absent from these RFPs is security. Security of systems and internal practices should be added to supplier RFPs as part of the supplier qualification process. This is where IT and purchasing can work together, with IT assisting with security evaluations.

3. Periodically audit suppliers

When I visited with a major transportation company a couple of years ago, they told me about a supplier security vetting and follow-up process they developed. On a random, periodic basis, they audited supplier security. Some suppliers, primarily mom-and-pop shops, had scant security and little security awareness. The company also worked with larger supplier organizations, providing consulting and guidance to them so they could harden their security.

Not every company can afford to do this, but it does make sense to periodically reaffirm supplier security compliance, even if they passed the security criteria on your initial RFP.

4. Perform supplier risk management that includes security

Some suppliers will have more robust security than others. There are also suppliers in geopolitical circumstances which inherently make them riskier to do business with, and more subject to security breaches.

Many enterprise purchasing and financial departments already perform risk assessments of their supply chain vendors. These risk assessments pose questions like: What happens if a mission-critical supplier suddenly can’t deliver the parts that we need? Or which areas of the world are most likely to experience a disruption of transport? As part of corporate risk management, many CIOs have already brought up the vendor supply chain at the board level. A logical next step is to add regular risk assessments of suppliers in areas of safeguarding data and intellectual property.

5. Verify supplier authorizations

For every supplier that is a part of your supply chain, there will be an assortment of personnel who will access your systems, and for different reasons.

A shipping manager at the supplier might want to look at delivery dates and update status on widgets that are getting ready to be shipped to you for your machines, while an engineer at the same supplier might need to reference engineering drawings. The shipping manager doesn’t need access to engineering drawings, yet there are cases where the supplier shares access credentials with more personnel than it should.

IT can play a major role in authorizing and issuing credentials with different levels of permissions to supplier personnel, so that each person holds their own credential scoped to their job rather than a credential shared across the supplier. IT should also work out processes with each supplier so it is made immediately aware of personnel changes, departures, etc., at the supplier, so access credentials can be quickly modified or removed.
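A small model of point 5, added here as an example that is not part of the article: per-person supplier credentials scoped to a role, an authorization check, and revocation driven by the supplier's roster updates. The supplier name, the two roles and the resource names (shipment status, engineering drawings) are constructed for the example.

```python
"""Added example (not from the article): least-privilege credentials for
supplier personnel. One named person per credential, role-scoped actions,
and revocation when the supplier reports a departure."""
from dataclasses import dataclass

# Constructed role definitions: each supplier role may touch only the
# resources its job needs (shipping manager != engineer).
ROLE_SCOPES = {
    "shipping_manager": {"shipment_status:read", "shipment_status:update"},
    "engineer": {"engineering_drawings:read"},
}


@dataclass
class Credential:
    cred_id: str
    supplier: str
    person: str   # exactly one named holder; credentials are never shared
    role: str
    active: bool = True


class SupplierAccess:
    def __init__(self):
        self._creds = {}   # cred_id -> Credential
        self._seq = 0

    def issue(self, supplier, person, role):
        """Issue a credential tied to one person; refuse a second active one."""
        if role not in ROLE_SCOPES:
            raise ValueError(f"unknown role {role!r}")
        for c in self._creds.values():
            if c.active and (c.supplier, c.person) == (supplier, person):
                raise ValueError(f"{person} at {supplier} already holds {c.cred_id}")
        self._seq += 1
        cred = Credential(f"cred-{self._seq}", supplier, person, role)
        self._creds[cred.cred_id] = cred
        return cred.cred_id

    def authorize(self, cred_id, action):
        """True only if the credential exists, is active and its role allows the action."""
        c = self._creds.get(cred_id)
        return bool(c and c.active and action in ROLE_SCOPES[c.role])

    def on_roster_update(self, supplier, current_staff):
        """Supplier reports who still works there; revoke everyone else. Returns revoked ids."""
        revoked = []
        for c in self._creds.values():
            if c.supplier == supplier and c.active and c.person not in current_staff:
                c.active = False
                revoked.append(c.cred_id)
        return revoked
```

Running the roster update on every personnel notice from the supplier, rather than waiting for a periodic review, is what keeps departed staff from retaining access.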

6. Move to a security mesh concept

There are global companies with hundreds of thousands of suppliers in their supply chains. The end-to-end supply chain may span several different clouds, as well as on-premises data centers. In this heterogeneous environment, IT must be able to follow each end-to-end transaction with security logging and monitoring. End-to-end monitoring can’t be done unless a security framework or mesh is in place that is capable of monitoring transaction flows between multiple cloud and on-premises systems. SASE (secure access service edge) solutions can help in this endeavor -- but the process begins in IT itself, where a comprehensive and holistic security framework that encompasses every IT flow and touchpoint of the enterprise should be developed.

About the Author(s)

Mary E. Shacklett

President of Transworld Data

Mary E. Shacklett is an internationally recognized technology commentator and President of Transworld Data, a marketing and technology services firm. Prior to founding her own company, she was Vice President of Product Research and Software Development for Summit Information Systems, a computer software company; and Vice President of Strategic Planning and Technology at FSI International, a multinational manufacturer in the semiconductor industry.

Mary has business experience in Europe, Japan, and the Pacific Rim. She has a BS degree from the University of Wisconsin and an MA from the University of Southern California, where she taught for several years. She is listed in Who's Who Worldwide and in Who's Who in the Computer Industry.
