Cyber Risk and Vendor Security Management

Feature


The digital supply chain has brought new efficiencies and strengthened connectivity among partners. For companies to remain competitive today, engaging in the digital supply chain simply cannot be avoided.

However, the digital supply chain has also brought an array of fresh challenges, including a heightened risk of cyberattacks. A major part of the problem is an expanded “attack surface” that includes a company’s partners in the supply chain, said Michelle Drolet, CEO of Towerwall, “exposing the organization to a multitude of cyber risks such as attacks and breaches, wide-scale disruption, stolen credentials, loss of reputation and other legal, financial and compliance risks.”

“As cybersecurity defenses of enterprises mature, attackers are shifting their attacks to third parties as they may not have the same level of cybersecurity maturity as that of the parent organization,” Drolet said.

Doreen Gonzalez-Gaboyan, president and founder of Industry Workforce Solutions, said the supply chain is the No. 1 source of cyber risk for most corporations, citing data that as many as 70% of cyberattacks come through a third party. Sachin Khalap, head of the Governance, Risk, Compliance and Data Privacy Centre of Excellence, TCS Cybersecurity, said that cyber risks rise exponentially as more companies participate in the digital supply chain.

“The companies are geographically spread, and have their own disparate systems, vendors and policies,” Khalap said. “Connecting them together makes a compounding effect to the risk.”

As Tom Martucci, chief technology officer, Consolidated Intermodal Technologies, pointed out, “We are all only as secure as the weakest link in the supply chain.”

Make it a priority

Martucci said it is imperative for companies to place security in vendor management among their highest priorities.

“Your vendor relationships should not compromise any security best practice,” Martucci said. “Instead, it should seamlessly work with and comply with existing security standards.”

Drolet notes that Gartner projects 45% of organizations will experience an attack on their software supply chain by 2025—an almost threefold increase from 2021.

“In light of these new developments, it is extremely critical for organizations to prioritize security in their vendor management,” she said.

Still, Khalap said many organizations are unprepared for the risks inherent in digital ecosystems. “Organizations are often taking major risks simply by doing nothing, or by doing the wrong things,” he said.

For instance, Khalap said, TCS has observed companies in manufacturing and technology frequently sharing intellectual property with their global ecosystem partners or suppliers while being unable to address the risks associated with that sharing or failing to enforce controls aimed at reducing those risks.

“When third-party vendors are brought into the equation, it gets murkier, and the risk quotient jumps up several notches,” Khalap said. “We’ve seen several incidents where a cyber-attack or a data breach was traced back to a vulnerable system which was owned or managed by an external vendor.”

Khalap said organizations often do not gain an appreciation of their digital assets until they are at risk or in a crisis.

“The first step toward an effective defense is understanding the value of what you’re defending—and investing accordingly,” Khalap said. “Yet, too many organizations fail to execute a proper asset discovery framework when it comes to digital assets, intellectual property, customer information and other critical elements.”

Khalap said TCS’s research has demonstrated that business leaders see continued growth and profitability stemming from new collaborators, fresh digital offerings and new ecosystems, but do not give the same priority to threats from associated vulnerabilities within the value chain beyond their organizations.

In fact, just 16% of chief risk officers and chief information security officers ranked digital ecosystems as a concern when assessing expected cyber targets, according to the TCS Risk & Cybersecurity Study.

“Most organizations have a vendor management process which focuses on goods or services, quality and financial aspects but misses out on IT and cybersecurity controls,” Khalap said.

Managing vendor relationships

When evaluating and managing vendor relationships, Martucci said companies should consider if a vendor is aligned with their security strategy.

“Do they integrate well with your existing security standards?” he said. “What does their disaster recovery look like versus your organization’s? What security assurances are provided by your vendor and for how long?”

Drolet said the key ingredient to managing the cyber risk of third parties is maintaining “granular visibility” of the level of risk a supplier brings to a relationship.

“As a best practice, organizations must routinely rank vendors based on risk attributes—criticality, access levels, operational, financial, regulatory, privacy, environmental, legal, risks from their own suppliers, etc.—from the time a vendor is onboarded to the time their partnership is terminated,” Drolet said. “Critical suppliers must be assessed against industry baseline standards; they must ideally follow the same security approaches as the parent organization, so that the entire ecosystem can achieve a uniform level of security.”

Khalap said vendors should be categorized based on risk. When calculating risk, parameters should include intellectual property shared, type of data shared, volume of data shared and regulations governing the data, he said.

Khalap recommends grouping vendors by the type of service they provide, such as indirect suppliers, direct suppliers, suppliers who process data, etc. For each category, he recommends listing the common risks, documenting the common controls and assessing the risk for each vendor in that category.

Industry Workforce Solutions is working with the National Minority Supplier Development Council to provide a five-week program to the council’s more than 15,000 businesses to help increase their cyber capabilities and resilience. Gonzalez-Gaboyan said suppliers increasingly must meet high cybersecurity standards to secure work, providing a major source of motivation. For instance, she pointed to the federal General Services Administration, an influential and massive purchaser of products and services, requiring suppliers to meet minimum cybersecurity requirements.

“We’re going to start to see that more and more, and it’s going to close the window for some businesses,” Gonzalez-Gaboyan said. “It’s really a call to action.”
