Article

Assessing supply chain risk

Supply chains today are increasingly digital; every new connection makes an organization more vulnerable to cyberattacks.

A robust and effective cyber resilience program depends not only on an organization’s internal cybersecurity controls, but also on those that a company places on its third-party suppliers and vendors.

When building their cyber resilience programs, organizations commonly do not consider how a cyberattack on one of their third-party suppliers or vendors could impact them. Although 89% of organizations in MEA have taken action to improve the security of their computers, devices, and systems in the last year, only about 40% have conducted a risk assessment of their vendors and supply chain, according to a recent survey by Marsh and Microsoft.

Further, only 41% have audited and verified the technical and operational cybersecurity measures of their vendors and supply chain. Smaller organizations are even less likely to have taken actions around supply chains. Unfortunately, this oversight can prove catastrophic.

Third-party tools and services provide cybercriminals with an opportunity to infiltrate a company’s systems by targeting its less secure vendors and suppliers. Once a supplier or vendor is compromised, cyber actors will often take advantage of trusted relationships to steal data or finances and/or install malware.

Breaching a vendor or supplier may allow an attacker to gain access to the networks and devices of many organizations’ clients. Commonly used third-party software supply chain components, such as email marketing services, are highly prized targets for cybercriminals.

An organization can be indirectly affected by a cyberattack on a supplier or vendor, even without its own systems and data being accessed. A supplier or vendor cyber disruption can be costly. While the vendor or supplier performs damage control, its clients could experience business interruption and loss of profit.

How companies can better prepare

For companies to better protect themselves against cyber risks in their supply chain, it is important they understand the full scope of their digital relationships. For example, they must consider not only the technologies involved in delivering digital services, such as software-as-a-service products, but also the digital aspects of their physical supply chain, such as manufacturers using Internet of Things technologies.

Further, vendors and suppliers may have access to the corporate network, which can increase risk. Executives should take steps to thoroughly vet third-party suppliers and vendors from a cyber risk perspective.

Only 44% of MEA survey respondents have a vendor/digital supply chain risk management plan in place. Adopting a digital supply chain risk management framework can help executives make strategic decisions on risk management and capital allocation.

Additionally, many cyber insurance underwriters may require information regarding a company’s vendor ecosystem and risk management plan. This framework should include the following actions:

  • Identifying and documenting types of suppliers, vendors, and service providers.
  • Defining risk criteria for different types of vendors, suppliers, and services.
  • Assessing supply chain risks according to business continuity impact assessments.
  • Defining measures for risk treatment based on good practices.
  • Monitoring supply chain risks and threats, based on internal and external information.
  • Developing and testing an incident response playbook for vendor/digital supply chain scenarios, and including third parties in this playbook.

Risk and insurance, finance, and IT and cybersecurity department leaders should work with legal, operations, and procurement to classify assets and information that are shared with or accessible to suppliers or vendors, and define procedures for their access and handling.

This process should involve:

  • Defining obligations of suppliers and vendors regarding asset protection, sharing information, audit rights, business continuity, personnel screening, and incident handling.
  • Including these obligations in new contracts and renewals, along with appropriate cybersecurity hygiene controls and responsibilities.
  • Evaluating any existing contracts, service agreements, and escalation protocols the company has for each vendor or digital supplier.
  • Monitoring service performance and performing routine security audits to verify adherence to cybersecurity requirements in agreements.

Organizations should also account for supply chain risk in their cybersecurity framework.

Department leaders should consider implementing the following tactics:

  • Account management based on zero trust architecture and the need-to-know principle.
  • Strict limits on privileged and generic accounts.
  • Enforcement of appropriate risk-based multifactor authentication (MFA).
  • Engagement with the internal security operations center to develop specific use cases for monitoring third-party access.
  • Mandatory cybersecurity training and awareness programs for vendors and suppliers with access to the corporate network.
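The last three tactics above only pay off if the security operations center can actually tell third-party activity apart from everything else. The following is an added example, not code from this article or from Marsh or Microsoft: a small Python script that keeps a register of vendor accounts (which hosts each may reach, during which hours, and whether privileged use was contracted) and runs four monitoring use cases over constructed authentication events. All account names, host names, log lines and the register itself are hypothetical.

```python
"""Third-party access monitoring use cases, run over constructed log events.

Each event is one JSON line with: ts (ISO 8601), user, host, mfa (bool),
privileged (bool). The vendor register below stands in for the contract
terms that procurement and legal would agree with each supplier.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime

# Hypothetical vendor register (assumption: maintained from the contracts
# described in the article, not discovered from the logs themselves).
VENDOR_REGISTER: dict[str, dict] = {
    "svc-hvacvendor": {"allowed_hosts": {"bms-01"}, "window": (8, 18), "privileged": False},
    "svc-erpconsult": {"allowed_hosts": {"erp-app-01", "erp-db-01"}, "window": (9, 17), "privileged": True},
}

# Constructed sample events: one clean vendor login, one badly out-of-policy
# login, one legitimate privileged session, one uncontracted privileged use,
# and one internal user who is out of scope for these use cases.
SAMPLE_LOG = [
    '{"ts": "2024-05-06T10:15:00", "user": "svc-hvacvendor", "host": "bms-01", "mfa": true, "privileged": false}',
    '{"ts": "2024-05-06T02:40:00", "user": "svc-hvacvendor", "host": "erp-db-01", "mfa": false, "privileged": false}',
    '{"ts": "2024-05-06T11:00:00", "user": "svc-erpconsult", "host": "erp-app-01", "mfa": true, "privileged": true}',
    '{"ts": "2024-05-06T12:00:00", "user": "svc-hvacvendor", "host": "bms-01", "mfa": true, "privileged": true}',
    '{"ts": "2024-05-06T12:05:00", "user": "alice", "host": "erp-app-01", "mfa": true, "privileged": false}',
]


@dataclass(frozen=True)
class Finding:
    use_case: str
    user: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse one JSON log line into an event dict."""
    return json.loads(line)


def check_event(ev: dict) -> list[Finding]:
    """Apply the third-party use cases to a single event.

    Accounts not in the register are ignored here; they belong to the
    SOC's general use cases rather than the vendor-specific ones.
    """
    user = ev["user"]
    profile = VENDOR_REGISTER.get(user)
    if profile is None:
        return []

    findings: list[Finding] = []
    ts = datetime.fromisoformat(ev["ts"])
    where = f"{ev['host']} at {ev['ts']}"

    # Use case 1: MFA is contractually required for every vendor session.
    if not ev.get("mfa", False):
        findings.append(Finding("vendor-login-without-mfa", user, where))

    # Use case 2: access outside the agreed maintenance window.
    start, end = profile["window"]
    if not (start <= ts.hour < end):
        findings.append(Finding("vendor-login-outside-window", user, where))

    # Use case 3: need-to-know - the account reached a host it was not granted.
    if ev["host"] not in profile["allowed_hosts"]:
        findings.append(Finding("vendor-access-to-unapproved-host", user, where))

    # Use case 4: privileged use by an account contracted as non-privileged.
    if ev.get("privileged", False) and not profile["privileged"]:
        findings.append(Finding("vendor-privileged-use-not-contracted", user, where))

    return findings


def scan(lines: list[str]) -> list[Finding]:
    """Run every use case over a batch of log lines."""
    findings: list[Finding] = []
    for line in lines:
        if line.strip():
            findings.extend(check_event(parse_event(line)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per use case, the shape a SOC dashboard would consume."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.use_case] = counts.get(f.use_case, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.use_case:40} {f.user:16} {f.detail}")
    print(summarize(scan(SAMPLE_LOG)))
```

The point of the register is that the detection rules are derived from the contract terms (allowed hosts, service window, privilege level) rather than hand-written per alert, so when procurement renews or changes a vendor agreement the monitoring changes with it. In a real deployment the events would come from the identity provider or SIEM and the register from the vendor inventory the article's framework calls for.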

Companies may be vulnerable to supply chain cyber risk even when their own defenses appear effective. By evaluating the cybersecurity controls in place at suppliers and vendors — and addressing discovered risks — organizations will improve their cyber resilience.