The recent spread of the Coronavirus (COVID-19) has disrupted supply chains everywhere. Missed opportunities in supply and demand and unforeseen costs could lead to billions of dollars in financial losses, with talk of triggering a global recession, but that’s in the physical world. What if a computer virus could bring down global supply networks? The impact could reach far and wide.
With globalization, the role of suppliers, partners, vendors, affiliates and third parties has grown in both scale and interconnectivity. Most businesses today rely on a network of suppliers to deliver a portion of their product or service offering. Based on Gartner estimates, 60% of organizations are now working with more than 1,000 third parties, and this number is likely to grow further over the next three years.
Supply chains are a soft target for attackers
Supply chains hold access to vast amounts of sensitive information about their partners and have become a target for cyber attackers focused on corporate espionage or financial gain. According to industry reports, supply chain attacks increased by 78% in 2018. It is also estimated that almost half of all cyber attacks worldwide target supply chains.
High-profile targets, low-profile cyber attacks
Recently, Denver-based Visser Precision, a supplier to several major defense companies including Lockheed Martin, Boeing, General Dynamics and SpaceX, was hit by a major ransomware attack. It is alleged that the cyber criminals also stole sensitive documents from the company.
In February 2020, Total Quality Logistics (TQL) was hit by a cyber attack that potentially exposed its carrier accounts, tax ID numbers and bank account numbers. TQL is ranked as the 25th largest logistics company in the world and the second largest freight broker by revenue.
The NotPetya attack, which compromised an update to the M.E.Doc accounting software, spread ransomware to companies around the globe. NotPetya has been called one of the most devastating cyber attacks in history; the outbreak affected tens of thousands of systems across 65 countries and cost the victims millions.
Major organizations such as Rosneft, AP Moller-Maersk, Merck, FedEx, Mondelez International, Nuance Communications, Reckitt Benckiser and Saint-Gobain fell victim to NotPetya, which is estimated to have cost companies a massive $1.2 billion.
Building a secure foundation to reduce risks in your supply chain
If your business model depends on a global supply chain, then it is critical that you acknowledge cybersecurity risk as part and parcel of doing business. Here is some practical advice that can help you build a secure foundation for your global business.
Identify your critical data
It all starts with identifying your crown jewels. Do these include your intellectual property, financial information or customer lists?
- Identify which data is most important to your organization, prioritize it, and protect it accordingly.
- Determine who makes the business decision about what is important: the C-suite, IT, InfoSec teams, business units, etc.
- Determine what makes the data important: assess the revenue impact and any regulatory concerns.
Determine your exposure to third-party products
Conduct a detailed assessment of your current and potential exposure to third parties. Would you trust these partners at face value, and if you don't trust them, what would you do to minimize your risk? Evaluate all possible risks, including physical theft or tampering, service interruptions, malware or ransomware attacks, data infiltration or exfiltration, and vulnerabilities in third-party software or applications.
Determine supplier security proficiency
When businesses operate independently, they have better control over their risks. When you add third parties to the mix, your risk grows exponentially. Hence, it is critical for organizations to ensure that their partners and suppliers meet security standards and adhere to security policies, regulations and procedures.
Use a vendor risk assessment questionnaire
Companies can choose to perform a self-assessment or hire an expert to conduct a holistic security assessment of their third-party partners. A vendor/supplier risk assessment questionnaire can also come in handy, as such templates help collect responses from partners in a standardized way.
Once you have the data in place, you can assign risk scores to the various vendors and also score them on their security proficiency. Some commonly used questionnaires are the FICO CyberRisk Score, the Standardized Information Gathering (SIG) questionnaire and the Consensus Assessments Initiative Questionnaire (CAIQ) from the Cloud Security Alliance.
Use a GRC platform to support your risk assessment and audits
GRC (Governance, Risk and Compliance) monitors company goals routinely, helps mitigate potential risks and ensures the organization remains compliant with internal policies, laws and regulations. A GRC platform pulls all these functions together, housing all the documentation (supplier information, risk mitigation processes, audit checks, etc.) in one place and helping the organization track these areas. It can also provide reporting to C-suite executives to help build, monitor and maintain a secure foundation for supply chains.
Traditional GRC offerings can be expensive, fraught with high consulting fees and months spent on implementation. Going to the cloud is a smart approach, as SaaS-based GRC platforms are quicker to implement. The KCM GRC platform (developed by my company KnowBe4) provides templates for compliance evaluations and reporting. Centralized policy distribution and tracking helps users remain compliant, as does flagging risky users.
As is typically the case, smaller vendors and suppliers may not have the same level of security resources or investment in place, making them easier targets. Another challenge is that the various supply chain partners use a multitude of platforms and systems, which can create countless entry points for potential attackers.
Hopefully the five best practices outlined here will get you thinking seriously about third-party risk and how you can better manage partners.