Your supply chain may expose your organization to cybersecurity risks. This article looks at the nature of these risks and offers some suggestions to mitigate them. First, to talk about cybersecurity and supply chains, a definition of the supply chain is in order. The concept of the supply chain can mean different things in different industries. A car company’s supply chain not only includes tires and windshields but also IoT. A television network’s supply chain might involve video production facilities as well as content development and delivery vendors. For our purposes, we consider the supply chain to be the intricate, and sometimes fragile, set of connections between suppliers, employees and contractors. Your supply chain is what enables your business to deliver its product or service, achieve corporate objectives and enhance your customers’ experience.
Supply chain discussions typically revolve around logistics and cost, but a more holistic look at the subject reveals that modern supply chains run largely on networks transporting and storing data. The networks encompass a variety of delivery models, including outsourcing and offshoring resources. Purchase orders, invoices, scheduling instructions and more flow between interdependent, interconnected companies and their respective personnel. These networks are vulnerable.
Defining Supply Chain Cybersecurity Risk
A supply chain-borne threat to your organization is more than just another threat to defend against. While most cyber threats come from unknown outsiders, supply chain threats may arrive at your doorstep by way of people you do business with, trust, and have given authorized access to your network and data. By opening your systems to integration with supply chain partners, you may be increasing your risk exposure.
The Business Impacts of Supply Chain Cybersecurity Risks
Cyber threats coming from the supply chain can have three major impacts on a business. And, it’s not like you get to choose one. If you get hit badly enough, you’ll go through all three of these at the same time:
- Direct impact on your business – If your supply chain goes down due to a cyber attack, you may be unable to deliver your product or service to customers. Or you might face costly delays, be forced to search for substitute vendors, and so on. You may also have legal, regulatory, compliance and customer reporting requirements to meet.
- Indirect impact – A supply chain outage may result in a loss of reputation, loss of customers to competitors and the like.
- IT problems – This is a given, but the interconnected nature of the supply chain can make it harder to sort out how an incident occurred – and what to do about it – than you might see with a standard breach by a malicious actor.
Mitigating Supply Chain Cybersecurity Risk
The essential challenge you face is that your supply chain security relies, to a great extent, on the security of third parties. And, there’s likely to be a huge variation in the kinds of third parties you will be working with on your supply chain. Some might be global giants. Others could be single person operations. Their networks and business processes potentially expose your network, data and customers, so the need for security is intense.
For example, a recent, large-scale data breach of a major retailer occurred because hackers were able to penetrate one of the retailer’s supply chain partners. The hackers were able to impersonate personnel from the supply chain partner to gain access to the retailer’s network.
Best practice requires establishing a clear and consistent Third Party Risk Assessment and Management Program. Such a program is part policy definition and part policy enforcement. You need to be clear with suppliers about what you expect of them, in security terms. And then, you need to check. This is where things can be challenging, however.
You have to be diligent in how you approach managing security policy with supply chain vendors. There are two reasons for this. For one thing, there are probably too many suppliers to oversee each with the same high degree of thoroughness. For another, you will not ask the same things of every supplier. While many larger suppliers will have mature information security programs, some will not. Smaller suppliers will be hard pressed to have mature programs, given the lack of competent cybersecurity staff in the market today and the expenses associated with an effective program.
When you deal with small suppliers, you may ask them to agree to adhere to security policies in a contract. You can ask them to document how they secure their systems and networks. But, as you know, they may not be completely honest or tell the full story. Or, they do provide detailed information but then things change. Someone quits and a few months go by. Suddenly, there’s a huge hidden vulnerability affecting your organization.
My approach is to take a “trust but verify” approach. I selectively audit suppliers for cybersecurity policy and their capabilities. It’s a dynamic process. Suppliers come and go. Threats evolve. People come and go in your organization and at suppliers. The Third Party Risk Assessment Program should feature recurring reviews of suppliers to ensure that any potential exposure is remediated as quickly as possible.
Finally, supply chain cybersecurity risk management is an area where you truly have to partner with your business stakeholders. This is not about IT. It’s about running the business. Business managers want to know what you’re doing and why. They need to understand the potential risks and impacts if there is an incident. If you approach supply chain cybersecurity with a genuine partnership attitude, you’ll do well.
To learn more about how to protect your business from cybersecurity risks, talk to one of our security experts today.