Tips for Preventing Supply Chain Attacks

February 25, 2019 Schellman Compliance

Defining your company's security requirements and having a cyber-risk management program to evaluate third-party services can reduce the risk of attacks on supply chain software.

Increasingly, hackers are using more sophisticated methods to attack companies' supply chain management software, ultimately disrupting operations and wreaking havoc on their networks.

Although there are steps organizations can take to minimize the damage caused by supply chain attacks, as well as to shore up defenses after attacks, the smartest option is to prevent these breaches from ever happening.

Cybersecurity best practices

There are a number of cybersecurity best practices enterprises can follow to reduce their chances of falling victim to supply chain attacks.

One thing supply chain managers must do is ensure that they're using reputable, industry-tested suppliers, said Justin Bateh, supply chain expert and professor of business at Florida State College at Jacksonville.

When using third-party service providers that have virtual access to information systems, supply chain managers and vendors must have a certain level of trust, as well as transparency about what data is available, who has access to the data and how it will be used, he said.

Jason Rhoades, a principal at Schellman & Co. LLC, a provider of attestation and compliance services in Tampa, Fla., agreed.

Today's enterprise must focus on these relationships and ensure that vendors and suppliers are taking security seriously and using the appropriate measures to instill trust in their business relationship, he said. Performing security assessments and validations, such as [Service Organization Control] examinations and ISO/IEC 27001 certifications, is a great way to build trust in the supply chain.

"However, trust isn't enough, and supply chain managers must ensure that there are hierarchical levels of access, compliance training is present, [and] auditing and evaluation mechanisms are utilized," Bateh said.

Supply chain management involves different processes within a business that are managed in different silos, but that are able to communicate with one another, said Alex Hsiung, a manager at Schellman.

"From end to end, when you're creating a new product, you want each piece of the supply chain to ultimately have the same minimum security requirements throughout," Hsiung said. "You have to ensure that there's consistent application of those security controls to mitigate the risks."

Consequently, organizations need some kind of internal cyber-risk management program in place, said Sean Peasley, a partner and leader in cyber-risk services at Deloitte & Touche.

"The program should include the types of risks they're trying to alleviate, [as well as] the various leading practices or standards or regulatory mandates that they're considering to manage those risks," Peasley said.

Read the full article at TechTarget.

Jason Rhoades is a Principal at Schellman & Company. Jason is a SOC practice leader and assists with methodology and service delivery across all service lines, including SOC, PCI-DSS, ISO, FISMA and HIPAA services. Jason also assists large and complex customers who have multiple compliance needs, helping them strategically align their efforts to maximize cost savings and efficiency. Prior to joining Schellman, Jason served as a project manager with a Fortune 500 company, where he was responsible for the design, implementation and security of critical applications supporting various business functions.

Alex Hsiung is a Manager with Schellman & Company, LLC, based in Los Angeles, CA. Prior to joining Schellman & Company, LLC in 2015, Alex worked as an Associate at KPMG, specializing in Sarbanes-Oxley compliance audits and IT advisory engagements. Alex also led and supported various other projects, including business process and information technology readiness assessments, internal audit services and regulatory compliance engagements. He has over 2 years of experience serving clients in various industries, including financial services, healthcare and manufacturing. Alex is a dedicated member of the ISO Service Team.

About the Author

Schellman Compliance

Schellman is a leading global provider of attestation, compliance, and certification services. Operating as an alternative practice structure as Schellman & Company, LLC, a top 100 CPA firm, and Schellman Compliance, LLC, a globally accredited compliance assessment firm, we are able to offer clients services as a CPA firm, an ISO Certification Body, a PCI Qualified Security Assessor Company, a HITRUST assessor, a FedRAMP 3PAO, and as one of the first CMMC Authorized C3PAOs. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Schellman's approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives using a single third-party assessor. For more information, please visit
