The Perils of Sneaking up the Supply Chain

The benefits of digital transformation in the corporate world are well documented, boosting customer interactions in tandem with an organization’s bottom line, thanks to faster and more reliable services.

As a result, our supply chains have never been more connected. However, because of this interconnection, cyber-criminals need only break through one or two facets of a single organization to potentially jeopardize multiple businesses. Consequently, businesses that focus only inwards in their transformation efforts, without examining the power and influence of their supply chain, do so at their peril.

Across the supply chain, partner security is a serious threat, given the important roles played by countless public and private sector organizations in the complex supply chains that power our economy and social infrastructure. After all, cyber-criminals target victims not only because of their own corporate identity and data, but also because of the other organizations and notable individuals they have access to.

Recently, it was revealed that around 70% of organizations across the globe are at risk from supply chain attacks because they lack visibility into the security status of their partners. Another study found that half of all cyber-attacks involve the supply chain. The lesson? Supply chain vulnerabilities are a cybersecurity nightmare -- and one that looks set only to get worse.

This is because the risks linked to a supply chain attack have never been higher, thanks to a potent combination of new attack types, increasing public awareness of threats, and -- all too often -- oversight from regulators. At the same time, perpetrators of cybercrime are becoming more emboldened as their armory of tools and resources grows with every passing day.

It only takes one person falling for a phishing scam for a hacker to infiltrate not only that employee’s company systems but potentially also one of the company’s customers -- for example, moving from a stationery supplier into the law firm it serves.

As such, it’s no wonder that an organization’s suppliers, partners, and associates are increasingly deemed a soft target by cyber-criminals. To make matters worse, supplier risk management can often be a labor-intensive task.

Solving this requires a multi-pronged approach. The first prong is that, for supply chain partners that have been granted access to a company’s network, appropriate measures to monitor that access must be defined from the start.

With networks and requirements constantly changing, disparate security systems across the IT environment within a company’s own four walls can be enough to create a compliance headache for businesses, let alone worrying about the compliance of partners in a supply chain. It becomes nearly impossible to accurately assess compliance adherence across a multitude of interfaces, resulting in a fragmented view of compliance that is prone to error.

Through the right partnership, however, cybersecurity gaps in a supply chain can be plugged through a combination of network scanning, vulnerability scanning, and pen-testing specific to industry systems. Technology, for example, can give companies a real-time view of their compliance status by embedding compliance standards within pre-set perimeters -- a boon for anyone still worrying about GDPR.

Next, organizations must be able to break free from the slow and difficult data analysis that manual input and spreadsheets generate. Instead, they should be able to manage a greater volume of suppliers with an automated system that identifies and acts on higher-risk issues quickly and easily. Here, again, a trusted supplier can help: it can be tasked with integrating and analyzing data across multiple divisions and providing robust management reporting that identifies risks swiftly.

This is particularly important in the SME market, where firms are evolving fast and often cannot upskill their staff at the same pace; neither, however, can they leave data security to chance. For most SMEs, their brand and future growth depend largely on being able to prove that they are serious about data governance.

Often, however, it is this segment of the market where the cybersecurity skills crisis cuts deepest, so SMEs need a partner they can rely on to provide not only technology but also trusted analysts, plugging the staffing gap.

Nonetheless, this cannot happen without a pragmatic pricing model -- one that does not profit from a company being the victim of an attack. To this end, it is best to avoid suppliers that offer only volatile events-per-second and service-based pricing models, and instead opt for a supplier that can provide an asset-based model, which allows companies to align the relevant technology with their cyber strategy.

Ultimately, the economy relies on every company having access to robust security services and technologies, so it is paramount that businesses of all sizes can access cost-effective cybersecurity protection that is as proactive as it is time-saving. By doing so, they save not only themselves from the perils of an attack, but also the companies and government organizations further up the chain, protecting countless people in the process.

At the end of the day, everyone should have a right to cybersecurity protection. What this means now is that third-party risk management requires a new approach -- one that gives businesses a clear picture of where threats lie within their supply chain and lets them adjust controls according to those risks.

Companies should not need to compromise on their broader digital transformation efforts, provided they work closely with their partners to mitigate and minimize cybersecurity risks. Ultimately, this is what all organizations -- from startups to enterprises and everything in between -- deserve.