We've previously mentioned the “bad actor” countries on the global stage that are constantly hacking our supply chain and trying to steal our intellectual property from the cloud. That includes Russia, who’s been linked to relentless targeting of cloud service companies and attacking the global technology supply chain. This article from CBSNews.com explains how a Russian-backed group called Nobelium has been targeting more than 140 companies since last summer, with some believed to have been compromised. This is the same group that was responsible for the 2020 SolarWinds breach, which left 18,000 of their customers vulnerable to cyberattack including Microsoft and top government agencies.
The article explains how Microsoft is keeping tabs on the group and says that Russia in general, “accounted for the majority of state-sponsored hacking it detected during the past year. Most of the attacks targeted government agencies and think tanks in the United States, followed by Ukraine, Britain and European NATO members.” It’s clear that hackers are only growing more ambitious every year and putting companies in our supply chain at risk.
Protect the Supply Chain With ISO
What can organizations within the supply chain do to protect themselves from cyberattack? There are multiple approaches to take to protect data and one of the primary ones should be implementing ISO within your company. In fact, many companies are required to conform to certain ISO standards due to industry regulations, government mandates and/or contractual obligations. Below are the ISO standards that can help protect your supply chain.
ISO 20000-1. This is a primary solution that companies who are in the cloud can use to put protect their data. This standard provides additional security controls and processes specifically for companies using the cloud.
ISO 27001. This is one of the most utilized (and required) frameworks for information security. The standard can be enhanced further for cloud with ISO 27017 which has controls split by provider and user.
Note: The latest 2022 version is out for ISO 27001. Click here to learn more about it and important dates related to updating from the 2013 version.
Other ISO 27XXX standards. There are a ton of different ISO 27XXX standards that cater to a multitude of business functions and many people don’t know about them. Click here to see a full list of standards with detailed descriptions.
NIST 800-161. This is a free document that is specifically for supply chain risk management practices for federal information systems and organizations. If every company in our supply chain followed this publication, we’d have to worry about security a lot less.
Given that the Defense Industrial Base contractors in our supply chain have their own supply chain under them comprised of subcontractors (who also have subcontractors under them), ISO needs to be adopted at all levels because the well is deep. About 5.7 million companies deep.
If you’re looking to add or continue with ISO as part of your operations, get in touch with us so we can learn more about your needs and how can help simplify the process.