Risk Evaluation and Management in the Age of the Connected Supply Chain

Studies have shown that digital supply chains improve a company’s ability to manage risks. However, while that is true, it seems the digital factor in supply chains introduces a newer dimension of risks that the management needs to be alert to.

Cybersecurity attacks on supply chains have been on the rise, and the trend does not seem likely to reverse any time soon. In particular, a study on the impacts of COVID-19 reveals a new set of challenges introduced to the supply chain, including cybersecurity risks.

The critical question remains: how does an organization identify, evaluate and manage risks that its supply chain is exposed to due to digitization?

Adopt the Zero-Trust Philosophy

Many organizations require a change of mindset in their approach to cybersecurity. Believing that your defenses are already strong enough leads you to overlook small but critical loopholes that attackers could easily exploit. That is a reactive mindset that will always leave the organization one step behind the attackers. Instead, companies need to take a proactive approach by adopting the zero-trust philosophy.

The zero-trust idea in cybersecurity is to assume nothing except the inevitability of being breached. This changes the approach to risk management. As supply chains become increasingly connected, blind spots emerge that previously did not exist.

One of the foundations of the zero-trust framework is the implementation of least privilege access. According to Microsoft’s Edna Conway, organizations should clarify the bases for trust and access to critical systems on the supply chain. This is much more important now that third-party vendors are playing more roles in supply chain operations.

Third Party Cybersecurity Risks

There is a growing risk, attested to even by the FBI, of supply chain attacks originating from vendors and suppliers. Key findings of BlueVoyant’s report on Supply Chain Cyber-Risk include that 77% of organizations have limited visibility into their third-party vendors and 80% have suffered a third-party related breach in the previous 12 months.

All of this points to one thing: companies require more due diligence in their partnerships with third-party vendors and suppliers. It is not enough for your own company to have strong cybersecurity protocols. Partnering with vendors and suppliers requires sharing company information and data with the third party. A cybersecurity risk assessment should be part of the process when your company vets third parties before signing partnership contracts.

However, since cybersecurity is a continuous process, it is not enough to limit risk assessments to the beginning of a project. The organization has to sustain comprehensive visibility over its own cybersecurity protocols and those of its vendors.

Comprehensive Visibility

The first step to achieving full visibility is making an inventory of the company’s hardware and software assets. Collecting an inventory of the assets involved in supply chain operations makes planning and management of risks more efficient.

Cyber-attackers are often opportunistic and exploitative. Therefore, as mentioned in the first section, you can’t leave anything to chance; doing so is how blind spots emerge.

However, visibility is not just a matter of counting assets; it is, more importantly, about understanding the potential impact of a failure of devices and equipment, as well as the corresponding risks to supply chain operations. It is also about gaining a clear, intuitive understanding of the activities, processes, interactions and decisions involved in the functioning of the supply chain. This will help improve coordination between teams, particularly when it comes to incident response.

Incident Response

No cybersecurity strategy is complete without an active framework for remediation, both on suspicion of compromise and on confirmed compromise. The zero-trust principle rests on the assumption that compromise is inevitable. Therefore, there must be an action plan for reporting and managing breaches and threats as soon as they are noticed.

Cyber-attacks can be so disruptive that they break the entire functioning of the supply chain. To avoid escalation to that devastating point, there must be appropriate preparation. No network is 100% secure, since cyber-attackers never rest in their efforts to find vulnerabilities, and many times they have been successful; hence the rise in zero-day vulnerabilities.

Risk management involves answering certain critical questions about how the company will respond to attacks.

Cybersecurity is going to be an issue for a very long time, perhaps indefinitely, or at least until a different model replaces the internet as we know it. Therefore, organizations should always be on their toes. The nature of risks changes constantly, and new risks keep emerging. Overhauling your supply chain’s risk management approach is worth the effort if it will deliver adequate security.