Organizations are paying too little attention to the risk of their supply chain information being compromised through cyberattack.
SolarWinds, Log4j, Kaseya, and just recently 3CX, are just a few examples of instances where companies failed to fully assess the risk profile of their supplier relationships. Following are some key challenges that need to be addressed.
Pressure to cut external costs. Hampered by budget constraints, organizations are under pressure to seek services from suppliers that can offer “more for less.” Even the most well-established suppliers tend to move toward cost-cutting measures, potentially at the expense of information security.
Infrastructure stretched by remote work. Remote working is nothing new, and the associated risks are fairly well known. Still, a majority of businesses are relying on it at an unprecedented scale. Meanwhile, the business infrastructure, and the suppliers that enable it, are being stretched to near breaking point. At a time where cyber risk is at an all-time high, and attack vectors are growing exponentially, organizations are in need of more agile approaches to infrastructure integrity, with the ability to promptly diagnose and address risk in the supply chain.
Supply chain risk management lacking structure. A recent ransomware attack on a major supply chain partner caused semiconductor giant Applied Materials to lose $250 million. Such incidents remind us that while companies may have become better versed at managing operational risk, their ability to manage information risk from a supply-chain perspective is often poor or questionable. Supplier relationships usually represent a soft underbelly that can cause considerable damage to any business in the event of unexpected disruptions.
Traditional approaches to supply chain security failing. Many suppliers feel the frustration of filling out lengthy security questionnaires from prospective or existing partners, even when the information exchanged or the shared system access is likely to be minor. This results in inefficiencies in both the supplier and partner organizations. A “one-size-fits-all” approach exposes organizations to greater security risks because it lacks the ability to prioritize the most sensitive and critical suppliers.
Suppliers struggling to keep up with innovative organizations. Business strategies and operating models were upended by the COVID-19 pandemic. Many organizations responded by accelerating their innovation and marketing capabilities. While they may be able to flex their own culture and in-house security measures to cope with increased web-enablement and remote working, their suppliers may struggle to keep pace without dropping a cybersecurity ball or two.
The following best practices can help organizations manage risk in their supply chains more effectively.
Make information security business as usual, not an afterthought. The key to overcoming supplier risk is embedding information security across the entire supplier management lifecycle — from the time when supplier requirements are defined to when contracts are renewed, renegotiated or terminated. Collaborate with legal and procurement teams so that risk-based requirements are reflected in supplier contracts. Consult information security teams at every step in the process.
Categorize and prioritize suppliers based on risk. Triage vendors based on what level of information and systems the supplier has access to. Next, try to understand the level of exposure the organization has with this particular supplier. In the case of software suppliers, identify individual components and software dependencies by creating a software bill of materials (SBOM). If suppliers are deemed to be critical, perform thorough due diligence: Where do they operate from? What are their capabilities? What security processes do they have in place? Do they have a history of security incidents? Are they compliant with security and privacy standards?
Build a process for ongoing assurance. A one-off, point-in-time assessment is no longer sufficient when it comes to effective supplier risk management. Ideally, organizations should have a monitoring and reporting process in place to identify whether the risk profile in an individual supplier relationship is changing. For example, any changes in legal, financial, partnership or ownership status, or security incident, should trigger a reassessment of supply chain exposure and subsequent risks.
Continue to monitor and fine-tune. Review the entire supply chain lifecycle from a security standpoint at least annually. Identify priority actions, determine issues and implement any controls, systems, processes or automation that are necessary to reduce supply chain risks ahead of time.
The writing’s on the wall. Supply chain attacks have grown by more than 700% over the past three years, and are likely to further increase. To build resilience against supply chain risks, organizations must build smarter supplier risk-management profiles and follow guidelines that serve as an enabler to ongoing business success, rather than a barrier.
Steve Durbin is chief executive of the Information Security Forum.