Our world continues to become more interconnected. Global enterprises and organizations rely on trusted relationships, with their third-party suppliers providing services from payroll and maintenance to marketing and software development. It is common for third parties to extend to fourth and fifth parties, making supply chains more complicated with many suppliers doing many different things. It is very likely your business has a plethora of third-party suppliers and vendors.
This is simply how businesses operate today.
Your business has no doubt been through countless security audits and reviews, but how do you really know your suppliers have been through the same rigorous testing when it comes to cybersecurity? How do you know third-party cyber security risk is not being introduced into your supply chain?
We know there are an increasing number of malicious actors and supply chain risks and more generally cyber threats are increasing at a rapid rate.
What is a supply chain attack?
Cyber attackers are no longer just 'breaking the lock at the front door' – they are now using ways to access your systems through an external partner or third party who has access to your systems and data.
These sorts of attacks are gathering momentum and sophistication, causing large-scale operational disruption, loss of revenue and significant damage to brand, reputation and customer trust.
If you are a small organization, you could be one part of a large supply chain. You could, in fact, be the first target of a supply chain attack. Smaller enterprises provide the hacker with a foothold into the supply chain network, since they have weaker cyber controls. Following a period of reconnaissance and exploitation, cyber criminals will then gain access to entry points belonging to larger companies, which is usually the end goal.
What Are the Types of Cyber Risks in Supply Chain Management?
Cyber risks in supply chain management pose significant challenges for organizations in today's digital business environment. As companies rely more on the Internet of Things (IoT), Industrial Internet of Things (IIoT), and other digital technologies to optimize their supply chains, they become exposed to various cybersecurity threats, including malware, ransomware, phishing, and hacking. Let's explore the types of cyber risks that can adversely affect businesses along the supply chain:
Data breaches are one of the most serious cybersecurity threats faced by organizations. These incidents involve unauthorized access to sensitive information, leading to financial losses, reputational damage, and legal consequences. The frequency and severity of data breaches have been increasing, with an average cost of $4.2 million per breach in 2021. Detecting data breaches can be challenging, taking up to 197 days for organizations to identify the breach, and even longer in cases where third-party vendors are involved.
The widespread use of IoT and IIoT devices has expanded the attack surface for cybercriminals. Any device connected to the internet within the supply chain can be vulnerable to cyberattacks. While these technologies offer numerous benefits, including improved efficiency and asset tracking, they also expose organizations to new cybersecurity risks. Attacks on IoT devices have been swift, with an average IoT device getting attacked within five minutes of going live. In the case of IIoT devices running industrial systems, the consequences of a cybersecurity breach can be even more devastating, leading to production losses, data theft, equipment damage, and more.
Malware and ransomware attacks
Malware and ransomware attacks have become increasingly common and disruptive. Malware infiltrates computer systems to steal or destroy data, while ransomware encrypts files and demands payment for a decryption key. Notorious cases, such as the SolarWinds attack in 2020 and the Colonial Pipeline ransomware attack in 2021, demonstrate the damaging impact these attacks can have on businesses. Ransom payments can lead to financial losses, and the recovery process may not always be straightforward or successful.
It is crucial for organizations to implement robust supply chain risk management strategies to mitigate these cyber risks effectively. This involves securing sensitive data shared with third parties, fortifying IoT and IIoT devices against cyber threats, and implementing strong cybersecurity measures to prevent and respond to malware and ransomware attacks. Proactive measures and continuous monitoring can help organizations maintain a resilient and secure supply chain in the face of evolving cyber threats.
Do I really need to worry about supply chain cyber security?
2020 was an unprecedented year for supply chain cyber security with a huge increase in the number of data breaches as a result of third parties.
In a recent survey conducted by 6clicks, only 27% of senior-level executives understood the nature of supply chain security against their companies. Only 24% reviewed immediate supplier risks. And a little over one in ten (14%) have reviewed risks for the wider supply chain.
The need to act now is clear.
Some of the world's biggest cyber attacks are initiated as a result of weak supply chain cyber security. The December 2020 SolarWinds supply chain attack sent shockwaves around the world when hackers injected malicious code into the company's Orion software system. The malicious code was pushed out (as updates) to thousands of high-profile customers including the US Treasury, Government Departments and, Fortune 500 companies.
The incident has been a wake-up call for global businesses and also highlighted the devastating impact of supply chain attacks and the need to validate software suppliers, particularly those with software that has privileged access to information assets.
How do I ensure supply chain cyber security?
Not only do you need to know how to secure your supply chain, but also what questions need to be asked as a leader to ensure the appropriate security measures are in place.
This is a hugely complex task that starts with raising awareness, building trusted relationships with your suppliers and having viability in your supply chain.Here are 6 key points to start thinking about:
1. Put supply chain cyber security on the board agenda before it becomes the agenda
Not having the awareness of supply chain attacks in 2021 (and beyond) is no longer acceptable. Board members, executive leadership teams and senior staff must have a basic awareness of cyber security risks. So include supply chain cyber security as an item on the boardroom agenda.
2. Use a tiered approach to answer the vital question 'Who has our Data'?
Map out your supply chain (including your software supply chain) to identify which suppliers have your most critical data and pose the greatest risk.
One company I consulted with did this by creating a supply chain scoring system where highly critical and sensitive data exchanged with a supplier would be scored as a ‘tier 1' supplier. The next category of data sensitivity would be a ‘tier 2' supplier and so on. Each tiered supplier would then be subject to a security audit. Suppliers in lower tiers had different levels of reviews compared with those in higher-tiered suppliers.
3. How secure are our suppliers?
Conduct rigorous third-party assessments, particularly with your high-risk/tier suppliers. This will enable you to gain the necessary security assurance while also providing an important opportunity to evaluate your suppliers' security and privacy policies.
There is no shortage of supplier third-party security questionnaires. Some example questions to ask your suppliers include:
- How do our suppliers train their staff on cyber security?
- What are their security policies in relation to joiners, movers and leavers?
- Does the supplier have a robust cyber incident response process and when was it last tested?
- How are we vetting our software vendors to ensure they are producing secure code aligned with a recognised methodology?
- What processes do our suppliers use for data backup? How often is the process tested?
- Are our suppliers maintaining security software and patches to their latest releases?
4. Review access control mechanisms.
Nearly all third-party relationships involve some form of data access and exchange but this must be done with the right controls in place so that risks can be mitigated. The more people who have access to data, the harder it becomes to control and mitigate threats. For each critical supplier, you need to take the time to understand who has access to your data and what they are doing with that data.
So ask yourself, why do they need access to this data? How do access controls get reviewed and how are you limiting third-party access to your sensitive data environments? Where possible, segment your networks and consider zero-trust architectures to verify users.
Security clauses and conditions should be clearly stipulated within supplier contracts. Examples include:
- the right to be notified of a breach within a certain amount of time
- identifying who maintains ownership of the shared data
- how data will be handled throughout the lifecycle of the contract
- actions to take in the event of a data breach.
Identifying risks is just one part of securing your supply chain. There needs to be an established and coordinated approach to managing your supply chain environment, particularly in the event of a major security incident.
There should be a tested disaster recovery and risk communications plan so that if an incident does occur, your organisation has well-rehearsed protocols to manage your supply chain environment, reacting swiftly and effectively.