Cyber attacks affect businesses of all sizes. Supply chains are especially vulnerable because these networks are inherently collaborative. Rapidly expanding supply chain networks bind us to our partners, and as the industry becomes more connected, the risk of cyber attacks skyrockets. Diligent though we may be, our security is only as good as that of our partners.
We all know that the exchange of digital information between manufacturers and suppliers is necessary to smooth operations and logistics. However, it’s this very interconnectedness that complicates security. Companies are often attacked through their wider digital networks. After all, more suppliers, service providers, and partners are touching our sensitive data than ever before.
Several high-profile incidents have exposed the risks. The Target breach, for example, was due to an HVAC vendor’s security problems. Similarly, the Home Depot breach was attributed to credentials stolen from a vendor. Equifax’s breach this year stemmed from a flaw in outside software. Wipro, one of the world’s largest IT outsourcing companies that boasts a who’s who list of Fortune 500 clients, was also recently hacked, causing major breaches at about a dozen of their customers. The problem is becoming commonplace.
These types of attacks, where hackers exploit the loopholes in third-party services to strike their targets, spiked 78 percent between 2017 and 2018. In fact, according to a 2018 study, 56 percent of organizations have experienced a vendor-caused breach, and yet only 16 percent believe they effectively manage these risks. The same study found that the average organization shares sensitive information with 583 third parties, and those third parties might be sharing our data with their own partners. This equates to hundreds, if not thousands, of vulnerabilities to manage. Additionally, if our contracts don’t instruct former partners to destroy our data upon termination, the risks persist even after a relationship ends. The average cost of a data breach is now $3.86 million, meaning there’s no time like the present to shore up your network.
The most common risk areas include:
Hardware and Software Supply Chain Risks
We all use outside hardware and software, but few of us vet every device and downloaded application, or even ensure that patches and upgrades are up-to-date. This puts data at risk, and the problem is compounded when flawed hardware and software components are embedded in our own products.
Cloud Provider Security Risks
Individual applications, as well as entire data centers, have moved to cloud providers. Even some hardware is cloud-enabled. IoT initiatives can streamline processes, perform diagnostics, and enable predictive maintenance, but those benefits are laced with risks.
Professional Services Firm Risks
Devastating hacks have originated from professional services organizations, including marketing firms, analytics firms, accounting firms, law firms, consulting companies, and others. The solution? It all comes down to proper oversight of third-party cyber security risks. If we thoroughly evaluate the security and privacy policies of all suppliers (not just the major relationships, but every one of them), the likelihood of a breach decreases from 66 percent to 46 percent, a 20 percent difference.
Once we understand which vendors we’re working with and what data we’re sharing with whom, we can identify vulnerabilities, determine the probability and impact of a compromise, and proactively mitigate risks.
The ideal outcome is a scalable and repeatable process that embeds supply chain information risk management into existing procurement and vendor management processes. This entails building security requirements into service level agreements with suppliers. Our most valuable and sensitive data should be safeguarded by suppliers as we would protect it ourselves. Establishing and communicating these standards sets the foundation for measuring compliance in the future and, ultimately, addressing risks more quickly.
When we establish our commitment to security, it prompts our partners to do the same, nudging them to shore up their vulnerabilities and require compliance from their own partners. It is perfectly reasonable, for example, to ask vendors to allow audits or customer visits, or to purchase cyber insurance. Newly agreed-upon standards should be clearly outlined in legal contracts and kept up to date.
Align your organization with vendors that take security measures seriously. Companies like BitSight Technologies and SecurityScorecard assess vendors and rate them on the security of their networks. Deloitte and CyberGRX have also partnered to perform deeper and ongoing assessments of vendor security. In the future, expect to see the emergence of industry-specific models. Several financial institutions have already collaborated on similar vendor security assessment services. The Information Security Forum has also created a Supply Chain Information Risk Assurance Process (SCIRAP), a recommended approach for businesses to manage risk across their supplier base.
With proper oversight, you can tighten the links in your supply chain, giving hackers fewer inroads to your data.