Supply chain risk management can be a vital component in the overall security of your business. Find out how.
Supply chain risk management is quite the thankless task, painful to manage, yet crucially important. In today’s increasingly complex ecosystem of outsourcing and subcontracting, a single security breach at one of your suppliers can reverberate across entire networks of relationships, often leaving hundreds or even thousands of organisations affected, as was the case with last year’s MOVEit Transfer attack.
As a result, cyber security professionals have come to treat their suppliers as another risk vector and point of exposure. That is why third-party risk management (TPRM) has mainly focussed on reducing this risk through risk assessments and assurance activities. This approach, however, especially if done through manual, point-in-time spreadsheets, is not only extremely time-consuming and inefficient, but can also create adversarial relationships with key service providers that should really be considered partners.
At each industry conference where third-party risk management is discussed, security leaders acknowledge the grave shortcomings of TPRM, and are in agreement that we need a new approach, but have yet to discover the right answer to this persistent problem. So how can we go beyond TPRM and ensure that our often overlapping supply chains can be turned from one of our greatest security risks to our biggest security enabler?
Here’s how.
Your supply chain resilience hinges not only on the strength of your suppliers’ security postures, but also on how integrated they are within your environment, the type of access they have to your sensitive data, and how critical they are to ensuring your business continuity. Moreover, your suppliers’ relationships with their own third parties, and with one another, can be further risk factors.
So, before you can properly manage supply chain risk, you first need visibility into, and an understanding of, your extended supplier ecosystem. This requires you to know which suppliers and third parties you are working with, avoiding, as much as possible, the existence of shadow suppliers across your organisation. It also requires knowledge of which other organisations your immediate suppliers are connected to and whether any of them could pose a concentration risk.
Only once you have visibility into your extended supply chain can you really start zooming in on where your greatest risks lie and become more strategic in your approach to reducing them. At the moment, with traditional TPRM approaches, organisations hardly manage to gain a significant degree of visibility into their immediate third parties, let alone into risks that might be hidden among fourth, fifth and nth parties further down their supply chains. So gaining greater visibility and centralising supplier due diligence on one platform are the first steps towards a much more holistic approach to supply chain security.
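To make the idea of nth-party visibility and concentration risk concrete, here is an added example (not code from the original article or from Risk Ledger’s platform). It models supplier relationships as a directed graph over constructed, hypothetical organisation names, assigns each supplier a tier by breadth-first search (tier 1 is an immediate third party, tier 2 a fourth party, and so on), and then reports which suppliers, at any depth, several of your direct suppliers depend on at once. Those shared upstream dependencies are the concentration risks the passage describes: a single compromise there reaches you through more than one relationship.

```python
from collections import deque

# Constructed sample data: each key is an organisation, each value the list of
# suppliers it depends on. "you" is the assessing organisation; every other name
# is a hypothetical placeholder, not a real company.
SUPPLIER_EDGES = {
    "you": ["payroll-saas", "cloud-host", "law-firm"],
    "payroll-saas": ["cloud-host", "file-transfer-tool"],
    "cloud-host": ["dns-provider"],
    "law-firm": ["file-transfer-tool", "dns-provider"],
    "file-transfer-tool": ["cloud-host"],
    "dns-provider": ["cloud-host"],  # mutual dependency: a cycle the walk must tolerate
}


def reachable(edges, start):
    """Every organisation reachable from `start` by following supplier edges,
    including `start` itself. The `seen` set makes cycles harmless."""
    seen = {start}
    queue = deque([start])
    while queue:
        org = queue.popleft()
        for supplier in edges.get(org, []):
            if supplier not in seen:
                seen.add(supplier)
                queue.append(supplier)
    return seen


def supplier_tiers(edges, root):
    """Map each supplier in `root`'s extended supply chain to its tier:
    1 = immediate (third-party) supplier, 2 = fourth party, and so on.
    A supplier reachable by several routes is assigned its shortest one."""
    tiers = {}
    queue = deque([(root, 0)])
    seen = {root}
    while queue:
        org, depth = queue.popleft()
        for supplier in edges.get(org, []):
            if supplier not in seen:
                seen.add(supplier)
                tiers[supplier] = depth + 1
                queue.append((supplier, depth + 1))
    return tiers


def dependent_tier1(edges, root):
    """For every organisation in the extended chain, the set of `root`'s tier-1
    suppliers whose own chains (themselves included) contain it."""
    dependents = {}
    for tier1 in edges.get(root, []):
        for org in reachable(edges, tier1):
            dependents.setdefault(org, set()).add(tier1)
    return dependents


def concentration_risks(edges, root, threshold=2):
    """Suppliers, at any tier, that at least `threshold` of `root`'s tier-1
    suppliers depend on. A breach or outage at one of these would hit several
    of your direct suppliers at once. Sorted by blast radius, then by name."""
    counts = {org: len(deps) for org, deps in dependent_tier1(edges, root).items()}
    hits = [(org, n) for org, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    tiers = supplier_tiers(SUPPLIER_EDGES, "you")
    for org, n in concentration_risks(SUPPLIER_EDGES, "you"):
        print(f"{org} (tier {tiers[org]}): relied on by {n} of your direct suppliers")
```

In the sample graph the DNS provider never appears on your own supplier list, yet all three of your direct suppliers depend on it; that is exactly the kind of hidden fourth-party concentration that a point-in-time questionnaire sent only to tier-1 suppliers will not surface. In practice the edge list would come from supplier attestations or a shared platform rather than a hand-written dictionary, and the threshold would be tuned to the size of your supplier base.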
Beyond greater automation, what else can be done to take TPRM to the next level? First and foremost we need to change our mindset and no longer consider our suppliers as just another risk vector. In fact, with the right strategy, your supplier ecosystem can become an important source of operational threat intelligence.
For example, as you work with your suppliers and assess their potential risk, you should encourage them to share data on any attacks that have occurred against them or their own suppliers, whether successful or not. This is now common practice within some systemically important industries, such as among large financial institutions. Organisations like FS-ISAC are global leaders in facilitating collaboration among their members, and their collaborative approach to threat intelligence has been exemplary in many ways. As a trusted partner to the financial community, FS-ISAC has also been given a leadership role in devising the financial sector’s scenario during NATO Cyber Defence Centre of Excellence simulations.
We should learn from this practice and adopt a similar approach to more transparent data sharing between organisations and their suppliers when it comes to supply chain risks, creating an ecosystem of organisations and suppliers all working together to harden their collective security postures. You don’t want to be caught scrambling for information if one of your suppliers is hit with a data breach that could also impact your organisation, so building these relationships and gaining access to timely information is key to speeding up incident response.
By ensuring data is shared on any successful breach, or attempt at one, you would have more information at hand to pass on to your other suppliers about the types of attacks they may face in the near future. Suppliers will have varying degrees of prevention, detection and response capabilities in place, and advance knowledge of an emerging threat can help suppliers with fewer resources inoculate themselves better against it.
Businesses and supply chains have never been more interconnected. Threat actors and attackers know this, and are taking advantage. But we can do the same and leverage our community of supply chain partners to elevate our cybersecurity and improve our collective security posture.
By keeping in constant communication, we can better prepare and defend against emerging supply chain attacks. Know your suppliers, talk to them, and help them understand that your concern about risk extends to them as well. Don’t rely on audits and point-in-time assessments. Invest in continuous monitoring capabilities, develop a healthy relationship with your suppliers, and Defend-as-One.
But this is just the beginning of the journey to change the culture of third-party risk management, transcend TPRM and approach supply chain security much more holistically. By using a collaborative supply chain risk management tool such as Risk Ledger, where organisations and their suppliers are connected on the same platform, continuous monitoring of supply chain risks becomes possible, as does visualisation of intricate supply chain interdependencies and concentration risks. Risk Ledger’s vision for the future of supply chain security is one where we collectively create a Security Operations Centre (SOC) for the supply chain, actively detecting, responding to and preventing attacks across a network of suppliers in near real time.
While security risk assessments will remain one element of any successful new approach to hardening our collective supply chain security, these assessments shouldn’t rely solely on adversarial audits that look for something wrong or in need of fixing. Instead, you should approach your suppliers with collaboration and support in mind. Suppliers are partners, face the same cybersecurity challenges as you, and should be treated as such.