As companies were forced online in recent times, most re-assessed their Business Continuity Plans (BCP) and Cyber-Resilience Programs to come to terms with the new normal of exposing even critical information to the internet in order to keep the business running. While most companies have an internal BCP (and, in most cases, a Cyber-Resilience Program), very few involve their supply chain. This has contributed to the rise in cyber-attacks that arrive through the supply chain (third-party attacks). Third-party attacks get worse when a vendor or supplier relationship is terminated without the information-handling and cyber risk procedures that the contract's termination clause should spell out, for example data and information destruction procedures and verification that the destruction actually took place.
This article draws on existing literature to draw out the importance of a supply chain-wide Business Continuity Planning and Cyber-Resilience Program aimed at protecting companies from all critical angles.
Recent cyber-attacks have pointed to the ever-increasing need to pay attention to third-party risk. A third-party attack occurs when an attacker infiltrates an organization's systems through a supply chain partner (vendor or supplier) that has access to the organization's systems, information, and data. This widens the attack surface into areas where the organization has little or no control.
Good examples are the 2013 Target breach, where the attackers entered through credentials stolen from an HVAC vendor, and the 2017 Equifax breach, where the entry point was an unpatched vulnerability in a third-party software component (Apache Struts) running in Equifax's own web application. Another good example is the Verizon breach caused by their analytics services provider and involving the leakage of six million customer records (account and personal information). The provider put six months of customer service logs on a publicly accessible Amazon S3 storage bucket. [What is a supply chain attack? Why you should be wary of third-party providers. (2019, January 25); www.csoonline.com].
As we move our applications and systems closer and closer to the cloud, third-party risk management has become increasingly important to ensure the availability, confidentiality, and integrity of the information and data that sit with those partners. The diagram below is an example of the complex tiers of supply chain partners for a typical organization.
Figure 1: A typical organization’s supply chain ecosystem
How to involve those close to you
Third-party risk is a business risk that needs continuous management. To ensure that this business risk is mitigated and controlled, the following measures are recommended.
1. Proper oversight of third-party cyber risks beyond compliance: The National Institute of Standards and Technology (NIST) introduced Cyber Supply Chain Risk Management (C-SCRM) as a category of the Identify function in version 1.1 of the NIST Cybersecurity Framework, published in 2018 (www.nist.gov). Compliance with such a framework is the floor, not the ceiling; to ensure proper oversight, some companies require their suppliers and vendors to do the following:
a. Sign Service Level Agreements (SLAs) that demand a level of security compliance commitment from supply chain partners, down to the specific security controls to be adopted.
b. Perform self-assessments and audits and share the results with the client.
c. Allow customers to perform their own penetration testing against the vendor environment that holds their data, to verify its level of protection.
d. Invest in employee cyber awareness training programs to convert supplier and vendor employees from susceptible, oblivious targets into cyber-aware custodians for the entire supply chain.
e. Purchase cyber insurance.
2. Alignment & Synchronization: Developing a collective strategy with your vendors and suppliers will ensure a common cybersecurity culture, shared norms, and shared processes for protecting the entire supply chain and for responding to incidents. It also provides a channel for effective information sharing and a synchronized response when one partner in the supply chain is attacked. Shared knowledge, including the sharing of incident experiences among supply chain partners, helps to improve post-incident strategies for all involved.
The challenge with involving supply chain partners in this way is the risk of becoming so protective that normal business flow is restricted. A company may also have four or five tiers of suppliers and vendors, a large number of upstream players in its supply chain, which adds to the complexity of implementing such initiatives. How deep are you willing to go in ensuring supply chain risk oversight? The answer lies in identifying your critical supply chain link.
To identify the critical link, you need to know who has access to critical information, systems, and data; tools such as big data analytics and penetration testing can help establish this. Partners in this critical link should be involved from the outset in the design and implementation of the Cyber-Resilience Program adopted for the entire supply chain, for enhanced resilience and long-term adaptive capacity [Managing cyber and information risks in supply chains: insights from an exploratory analysis. (2019, March 11). www.emerald.com].
It is also recommended to explore the trade-off between the cost, effort, and benefits of adopting specific initiatives for the supply chain. The introduction of third-party cyber risk regulation by governments would also help manage this trade-off: vendors and suppliers that find themselves a critical link for multiple clients could then manage those relationships and the associated cost against one common standard rather than a different set of demands from each client. One such regulation could see an independent audit firm, or a group of firms, certify a vendor or supplier's third-party cyber risk status on a regular basis, so that companies choosing to do business with them can manage their business risk.
Third-party cyber risk management has become increasingly important to ensure cyber resilience and business continuity across the whole supply chain.
With little to no third-party cyber risk regulation in existence, it is important that companies adopt effective strategies, some of which have been outlined in this article, to protect the whole supply chain and ensure the availability, integrity, and confidentiality of information and data for business continuity. While doing so, companies should find the right balance of cost, effort, and benefits so as not to stifle the business flow.
Fast-tracking third-party cyber risk regulation is encouraged to help in this regard, and also to give smaller vendor and supplier organizations a competitive edge.
Author: Kwadwo Akomea-Agyin | Digital Solutions Expert & Business Analyst |
For comments, contact email: firstname.lastname@example.org | Skype: Kwadwo_2010 | LinkedIn: Kwadwo Akomea-Agyin, PMP, MRes.