Third party vendors and digitally connected supply chains provide significant operational and cost efficiencies. But they also expose businesses to
significant data security risks as sensitive data leaves your protected network. A recent report revealed more than 60% of all data breaches were from third-party vendors.One of the primary breach points is open doors within your video security and access control platforms. If
you are currently providing services as a supply chain vendor your number one responsibility to your clients should be locking down your video security and access control platforms, completely securing these devices..95% of all video security and access control devices and software come from China. China is the number one nation state cyber risk to American data, intellectual property and.research and development.With most CCTV ecosystems, each device may require 3 ports to be open for remote connectivity. The average supply chain vendor may have 20 cameras. Totaling 60 breach points if not properly locked down. Below are some risks and questions you should be addressing if you are in this category.
Key Cyber Supply Chain Risks
» Third-party service providers or vendors with physical or virtual access to information systems, software code, or IP.
» Poor information security practices by lower-tier suppliers.
» Compromised software or hardware purchased from suppliers - Access Control-Video Security .
» Software security vulnerabilities in supply chain management or supplier systems.
» Counterfeit hardware or hardware with embedded malware.
» Third-party data storage or data aggregates
If critical business functions are being outsourced, they become a single point of failure in determining your effectiveness. This makes applying a security process and security fundamentals to areas that are beyond your control, but not beyond your influence, essential to empowering your organization.
Our Question To You as a Supply Chain Vendor
»What kinds of legacy defenses do you have in place, such as firewalls, anti-virus, and intrusion detection & prevention?
»What encryption standards do you require for both data in transit and data at rest?
» Has there ever been a significant cyber breach in the past?
» If so, what was the cause and are there recovery time objectives?
» What resilience measures are in place to prevent similar events from happening again?
» How do you vet new hires? Upon termination, what protocols are enacted to ensure access paths and credentials are revoked?
» Who and how many employees will have access to my data?
» What types of preventative and detective physical security controls are implemented at this location, such as barriers, alarms, cameras, and intrusion detection?
In the world of data loss, the word "prevention" does not exist. Over a very short period of time, preventative measures are defeated by bad actors. Also, most outsourced IT firms are not actively watching threats associated with your network. They are not dedicating that amount of time to your systems. Think about how long it takes them to fill a service ticket on the system. If they are not quick in response to a punch list item how are they monitoring multifaceted threat engagement. They are ignoring the "flashing red lights". Having said that, we suggest the only definitive measure that will guarantee that your "security" is not your open door.
Create a completely separate network for the security platforms.The threat reduction is greatly reduced by getting these systems off of your day to day network. Reducing potential data loss, trade secrete theft as well as items being stored on your network from offsite being retrieved later by the bad actors.
Vet Your Security Firm. Make sure they are cognitive of the type of equipment they are using and the degree of threat in regards to the equipment type and where it is sourced. Or are they just selling you the product with the most return on their end.
Change all default ports and passwords. Make sure all of the default settings, ports and passwords are changed before any of the equipment goes active online. This is not a surefire method but it is a measure that is crucial to being proactive. At best it will make it a little more time consuming to breach the security network to find that is a singular device with nothing to exit into.
If you have any questions or if you would like breach and probing assessment we can be contacted at 469-520-5999 or you can schedule a call on our calendar here: https://calendly.com/dnasecurity