Organizations often struggle with the pernicious threat of insider incidents. Whether those incidents are born of malicious intent or ignorance, the problem grows geometrically as organizations rely more heavily on third-party providers. As the supply chain for an organization grows, the risk exposure and attack surface grow along with it.
This presentation is a partnership of expertise between the CERT Division of the Software Engineering Institute’s Insider Threat Center and the CERT’s Risk Management team, describing the intersection of insider threats and supply chain risk. Multiple real-world insider incidents will be discussed to highlight the challenges related to insider threats within a supply chain, and a strategy will be presented to protect critical assets from threats inside and outside the enterprise, including from Trusted External Entities (TEEs). It is essential that organizations consider insider threats when building, implementing, and managing an enterprise-wide risk management program. We will discuss how to ensure your insider threat program can reduce the risk of an insider incident, including those that might impact your supply chain.
Organizations must strive to build a portfolio of trusted providers. The resulting ecosystem must then be groomed, assessed, and maintained. The burdens may be alleviated with some novel tools and measurements to be covered in this discussion.