Mitigating Third-Party Identity Security Risks in Supply Chains

The Fourth Industrial Revolution, the abashed need for speed in innovation, and the transformation of the modern workforce are fueling new heights in customer expectations while simultaneously bringing companies into unchartered cybersecurity territory. 

Manufacturing, utilities, government entities, food product, and retail industries are just a few sectors that have a heavy reliance on massive global supply chains. To be successful, many organizations have provided their supply chain with access to their facilities, data, and systems. In many cases, the access is the same as they grant to regular employees, in some cases it’s even more privileged. And this is just the human workers. As a result of digital transformation and Industry 4.0 initiatives, many organizations are now granting, almost exclusively, privileged access to a host of “non-human” workers like RPA, IoT devices, and bots. But as this access grows, identity, security, risk, and procurement leaders know so does their attack surface.  The issue is two-fold; not only is the total number of third-party users growing – in fact, in some cases exponentially outnumbering regular employees, but the complexity of the population types is unchartered territory.   

Adding an additional layer of complexity is protecting the organization from the third-party users of their third parties meaning forth to nth-party identities are often being given access without the organization’s knowledge. The problem is that while most organizations are able to grant access many are not managing the identity lifecycle or risk of these users.  Bad actors have identified this chink in the armor and are actively targeting these third parties as the weakest link to launch cybersecurity attacks. In fact, “indirect attacks against weak links in the supply chain now account for 40% of security breaches,” according to Accenture’s State of Cybersecurity Report.  While there are many efforts underway to improve the operational efficiency of granting access to third-party users, oftentimes deactivating access in a timely manner is an afterthought. The area of this unchartered territory is really how the identity lifecycle of non-human workers should be managed and by whom. 

If you are facing these topics at your organization and would like to read more on best practices, our latest white paper outlines the types of internal and external threats, how to reign in unmanaged third parties, and establish an identity-centric risk and access management system for your organization.       

Some supply chain challenges may include: 

• Duplicated identities for supply chain third-party non-employees  
• Orphaned accounts 
• Lack of identity sponsorship which manages human and non-human account access  
• Inability to granularly risk rate each identity for an overall risk profile of the vendor supply chain.  
• Lack of capabilities to prove that the person logging in is matched to that identity 
• Manual onboarding, offboarding, and lifecycle processes that rely on manual and error–prone methods 
• A reliance on a Vendor Management System that does not consider risk, access, or identity management.    
• Ability to audit what supply chain vendor has what type of access or even able to provide an inventory of human, or non-human, supply chain non-employees 

 

View the guide now to learn more about supply chain weaknesses and how to build an identity solution to secure them: Securing the Supply Chain from Identity Risk: Growing Supply Chains Require Careful Identity Governance