When it comes to vendors, many organizations have a false sense of security and operate under the following assumptions:
- Third-party vendors have taken the necessary steps to stay secure
- Recognizable “brand name” vendors are both diligent and proactive about cybersecurity
Couple that with a lack of robust monitoring and reporting – particularly with third-party software interactions within company environments – and organizations have a ticking security time bomb on their hands.
Your cybersecurity posture must incorporate proactive third-party risk management, or all other efforts (e.g. traditional perimeter defenses) will be useless.
Examples of Supply Chain Cyber Vulnerabilities & Countermeasures:
1. Inadequate vendor assessment before signing contracts
Before settling on a vendor, conduct a thorough initial review of their security posture and security/incident management processes.
You’ve done the hard work of making your enterprise secure, so be vigilant about any software, tools, or equipment that you allow on board. Once you’re in a contracted relationship with the vendor, the second issue below comes into play.
2. Lack of active monitoring allows bad players prolonged access to an organization’s environment
After a product has been deemed “safe,” companies still need to be on high alert! Compromised software products can remain unflagged for long periods and become a gateway for bad actors to move undetected through an organization’s network.
Malware can also be embedded into third-party vendor products through patch releases. Any release or patch (no matter how small or minimal) needs the same level of security diligence in development and delivery as the original product.
AI-based technology also enables earlier detection of, and response to, “unusual” behaviors in a network that indicate an attack is in progress.
3. No clear risk management roles and responsibilities assigned within organizations
Most organizations have not made it clear who (whether an individual or a team) owns the responsibility for cyber supply chain risk management (C-SCRM). Often, it is delegated to IT. But risks can come from many sources, from sabotage to human error. C-SCRM programs should not be limited to one department.
Prioritize creating or assigning new organizational roles and responsibilities to enable greater focus and proactivity in assessing and managing supply chain and other third-party risks, with an organization-wide view, not a narrow focus.
4. Limited data availability, accuracy, and quality for potential risks and detected issues
This is a complex problem, partly because of the sheer number of vendors companies deal with in their ecosystems. When you have hundreds of vendors, there is often no readily accessible risk data for each one that is timely, accurate, and actionable.
Organizations often resort to developing their own solutions for data analysis and decision-making, but this is time-consuming and resource-heavy. However, this data is essential to identify as early as possible any potential risk exposure from a vendor’s product.
Stay Ahead of Rising Risks and Costs
Due to previous successes in supply chain attacks, we predict that this year will see growth in both the number and scale of attacks. By 2023, global C-SCRM and resilience will be the top business priority for 50% of organizations.
With large companies facing an average yearly cost of $184 million from supply chain disruptions (and the number is predicted to increase), organizations must embrace operational resilience like never before.
Read our strategy brief “C-SCRM: Best Practices to Mitigate Risk in Your Cyber Supply Chain” for insights on identifying, assessing, and reducing risks across your cyber supply chain lifecycle.