Companies invest extensively in order to protect themselves from cyber-risks and threats; their future survival and reputation depend on it. However, they are only as strong as their weakest link, which, typically, is the supply chain, a fact their adversaries know only too well.
As the UK Government’s Cyber Security Breaches Survey 2021 highlights, “the majority of organizations of all sizes have not formally reviewed the risks posed by their immediate suppliers and wider supply chain.” Reading the survey further, lack of time, information and knowledge are the main reasons for not reviewing supply chain security risks. Common themes when it comes to cybersecurity, in many organizations.
Supply chains allow bad actors to launch widespread attacks from a single point, with the SolarWinds and Kaseya attacks being two well-known recent examples. According to Opinion Matters, an award-winning insight agency based in London, supply chain interconnectedness is so sensitive that 97% of organizations have been negatively affected by a cybersecurity incident occurring in the supply chain.
As a company grows, so does its third-party ecosystem, and it becomes increasingly difficult to manage and mitigate cyber-risk to meet security standards. Onboarding new vendors, assessing current third-party exposure and trying to communicate security performance across the organization clearly are relentless yet necessary tasks.
As a starting point, it is worth considering using a third-party risk management (TPRM) tool, which can perform three key tasks when facing the challenge of supply chain risk.
1) Vendor Validation
Whether assessing a new or existing vendor, having the tools to maintain risk tolerance at scale confidently helps make decision-making quicker and more effective. TPRM tools provide the ability to manage standards for risk better and/or corporate objectives and assess vendors’ security posture by:
- Vendor tiering, based on inherent risk, allowing for better-prioritized remediation decisions
- Objective risk data to supplement or verify vendor questionnaire responses
- Integrations to evaluate and assess vendors at scale through a single point of reference, allowing industry benchmarking to compare a vendor against their competition to assess the security position.
2) Continuous Monitoring
Managing an effective third-party risk program requires ongoing assessments throughout the vendor lifecycle. Risk is constantly evolving; with high costs to execute assessments and difficulty in managing relationships with vendors, it’s challenging to identify every potential exposure.
A TPRM simplifies and gives continuous visibility into third parties, easing the reassessment process and streamlining collaboration with vendors through:
- Real-time analysis to identify and remediate risks as they happen
- Enabling better collaboration with supply chain partners for efficient remediation
- Increased visibility into the fourth party (supplier suppliers) ecosystem for greater protection.
3) Effective Assurance
Measuring the performance of cyber controls across your vendor portfolio can be cumbersome and time-consuming, especially as your program grows. It’s also important to communicate your third-party risk program performance to stakeholders to determine and align on organizational success, competitive positioning and resource allocation. A TPRM eases these burdens through:
- Comprehensive reporting that is easy to communicate and understand
- Meaningful insights into breach and ransomware probability
- Validated metrics that directly correlate to company value and performance.
A large UK-based technology vendor outlined its process and rules for third-party engagement. Their starting point was that partners were expected to hold a minimum set of formal cyber-hygiene credentials, i.e., CyberEssentials/ISO27001 certification, and contracts include the right to audit and test compliance to the terms, which include the cybersecurity posture.
From this, it is evident that organizations are starting to take the threat to the supply chain seriously. This could provide an advantage over the competition when pitching for new business if it can be shown that the security stance and threat of hacks are taken seriously.
To demonstrate this the following should be considered:
- Always be diligent about conducting background checks and detailed screenings as a part of the staff hiring practice. The insider threat is still a number one hacker’s delight.
- Do not think that a security breach could not happen. Be proactive and understand the geopolitical environment. Actors may well be motivated to cause harm or seek access to your resources.
- Vendors, suppliers, and partners should be well known. Take reasonable steps to verify the security practices and procedures of suppliers. Given your business is being scrutinized by your clients, it is only right that you do the same to them; do unto others as they do to you!
- A robust, centralized governance process should be implemented and involve all internal security leads. Being able to evidence internal security posture through continual audits, staff cyber training etc., will help demonstrate a ‘practice what you preach’ dynamic, which can go a long way to securing a contract.
Supply chain security is every company’s responsibility. The supply chain is only truly secure when all entities carry out effective, coordinated security measures, ensuring the integrity of supply chain data, the safety of goods and the global economy’s security.