Navigating Supplier Risk Challenges to Shore Up Cyber Defences
Organisations are paying too little attention to the risk of their supply chain information being compromised through cyber attack.
SolarWinds, Log4j, Kaseya, and just recently 3CX, are just a few examples of instances where companies failed to fully assess the risk profile of their supplier relationships. Following are some key challenges that need to be addressed.
Pressure to cut external costs
Hampered by budget constraints, organisations are under pressure to seek services from suppliers that can offer 'more for less'. Even the most well-established suppliers tend to move toward cost-cutting measures, potentially at the expense of information security.
Infrastructure stretched by remote work
Remote working is nothing new, and the associated risks are fairly well known. Still, a majority of businesses are relying on it at an unprecedented scale. Meanwhile, the business infrastructure, and the suppliers that enable it, are being stretched to near breaking point. At a time where cyber risk is at an all-time high, and attack vectors are growing exponentially, organisations are in need of more agile approaches to infrastructure integrity, with the ability to promptly diagnose and address risk in the supply chain.
Supply chain risk management lacking structure
A recent ransomware attack on a major supply chain partner caused semiconductor giant Applied Materials to lose $250 million. Such incidents remind us that while companies may have become better versed at managing operational risk, their ability to manage information risk from a supply-chain perspective is often poor or questionable. Supplier relationships usually represent a soft underbelly that can cause considerable damage to any business in the event of unexpected disruptions.
Traditional approaches to supply chain security failing
Many suppliers feel the frustration of filling out lengthy security questionnaires from prospective or existing partners, when information interchange or shared system access is only likely to be minor. This results in inefficiencies in both the supplier and partner organisations. A 'one-size-fits-all' approach exposes organisations to greater security risks because it lacks the ability to prioritise the most sensitive and critical suppliers.
Suppliers struggling to keep up with innovative organisations
Business strategies and operating models were upended by the COVID-19 pandemic. Many organisations responded by accelerating their innovation and marketing capabilities. While they may be able to flex their own culture and in-house security measures to cope with increased web-enablement and remote working, their suppliers may struggle to keep pace without dropping a cyber security ball or two.
The following best practices can help organisations manage risk in their supply chains more effectively.
Make information security business as usual, not an afterthought
The key to overcoming supplier risk is embedding information security across the entire supplier management lifecycle — from the time when supplier requirements are defined to when contracts are renewed, renegotiated or terminated. Collaborate with legal and procurement teams so that risk‐based requirements are reflected in supplier contracts. Consult information security teams at every step in the process.
Categorise and prioritise suppliers based on risk
Triage vendors based on what level of information and systems the supplier has access to. Next, try to understand the level of exposure the organisation has with this particular supplier. In the case of software suppliers, identify individual components and software dependencies by creating a software bill of materials (SBOM). If suppliers are deemed to be critical, perform thorough due diligence: Where do they operate from? What are their capabilities? What security processes do they have in place? Do they have a history of security incidents? Are they compliant with security and privacy standards?
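As an added illustration of how an SBOM feeds supplier triage (example code, not part of the original article or the ISF's material), the script below reads a CycloneDX-style JSON SBOM, groups components by the supplier named in the document, and assigns each supplier a scrutiny tier from how the application actually depends on its components. The sample SBOM, the vendor names and the tiering rule (direct dependency or unidentified supplier means highest scrutiny) are assumptions constructed for this example.

```python
"""Supplier triage from a CycloneDX-style SBOM (added example, not the article's code).

Assumes a CycloneDX JSON document with "components" (each with "bom-ref",
"name", "version" and an optional "supplier": {"name": ...}) and a
"dependencies" list of {"ref": ..., "dependsOn": [...]} entries.
"""
import json
from collections import defaultdict

UNKNOWN = "UNKNOWN (follow up)"

# Constructed sample SBOM; vendor names are placeholders, not real suppliers.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "payments-api", "version": "2.1.0"}},
    "components": [
        {"bom-ref": "pkg:a", "name": "web-framework", "version": "4.2.0",
         "supplier": {"name": "Example Vendor A"}},
        {"bom-ref": "pkg:b", "name": "json-parser", "version": "1.9.3",
         "supplier": {"name": "Example Vendor B"}},
        {"bom-ref": "pkg:c", "name": "logging-lib", "version": "2.14.1",
         "supplier": {"name": "Example Vendor A"}},
        {"bom-ref": "pkg:d", "name": "crypto-lib", "version": "3.0.1"},  # no supplier recorded
        {"bom-ref": "pkg:e", "name": "test-helper", "version": "0.4.0",
         "supplier": {"name": "Example Vendor C"}},  # listed but not in the dependency graph
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:a", "pkg:c"]},
        {"ref": "pkg:a", "dependsOn": ["pkg:b"]},
        {"ref": "pkg:c", "dependsOn": ["pkg:d"]},
    ],
})


def parse_sbom(text):
    """Return (root bom-ref, components by bom-ref, dependency adjacency list)."""
    bom = json.loads(text)
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    deps = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    root = bom["metadata"]["component"]["bom-ref"]
    return root, components, deps


def reachable_depth(root, deps):
    """Breadth-first walk from the application: depth 1 = direct dependency."""
    depth = {}
    frontier = [(root, 0)]
    while frontier:
        ref, d = frontier.pop(0)
        for child in deps.get(ref, []):
            if child not in depth:
                depth[child] = d + 1
                frontier.append((child, d + 1))
    return depth


def supplier_inventory(text):
    """Group components by supplier and count how the app reaches each one."""
    root, components, deps = parse_sbom(text)
    depth = reachable_depth(root, deps)
    inventory = defaultdict(lambda: {"components": [], "direct": 0, "transitive": 0, "unreachable": 0})
    for ref, comp in components.items():
        supplier = comp.get("supplier", {}).get("name") or UNKNOWN
        entry = inventory[supplier]
        entry["components"].append(f'{comp["name"]}@{comp["version"]}')
        if ref not in depth:
            entry["unreachable"] += 1
        elif depth[ref] == 1:
            entry["direct"] += 1
        else:
            entry["transitive"] += 1
    return dict(inventory)


def tier_for(supplier, entry):
    """Assumed triage rule: tier 1 = direct dependency or unidentified supplier,
    tier 2 = transitive only, tier 3 = present in the SBOM but not actually used."""
    if supplier == UNKNOWN or entry["direct"] > 0:
        return 1
    if entry["transitive"] > 0:
        return 2
    return 3


def triage(text):
    """Map each supplier in the SBOM to its scrutiny tier."""
    return {s: tier_for(s, e) for s, e in supplier_inventory(text).items()}


if __name__ == "__main__":
    inv = supplier_inventory(SAMPLE_SBOM)
    for supplier, t in sorted(triage(SAMPLE_SBOM).items(), key=lambda kv: kv[1]):
        print(f"tier {t}: {supplier}: {', '.join(inv[supplier]['components'])}")
```

Tier 1 suppliers are the ones to put through the full due-diligence questions listed above; a component with no supplier recorded is itself a finding, because you cannot assess a party you cannot name. Components that appear in the SBOM but are unreachable from the application are candidates for removal rather than assessment.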
Build a process for ongoing assurance
A one-off, point-in-time assessment is no longer sufficient when it comes to effective supplier risk management. Ideally, organisations should have a monitoring and reporting process in place to identify whether the risk profile in an individual supplier relationship is changing. For example, any changes in legal, financial, partnership or ownership status, or security incident, should trigger a reassessment of supply chain exposure and subsequent risks.
Continue to monitor and fine-tune
Review the entire supply chain lifecycle from a security standpoint annually at least. Identify priority actions, determine issues and implement any controls, systems, process or automation that are necessary to reduce supply chain risks ahead of time.
The writing’s on the wall. Supply chain attacks have grown by more than 700% over the past three years, and are likely to further increase. To build resilience against supply chain risks, organisations must build smarter supplier risk-management profiles and follow guidelines that serve as an enabler to ongoing business success, rather than a barrier.
How do you analyse the security status of your suppliers?
Discover how the ISF can equip you to respond to the critical supplier risk challenges concerning security leaders today: