Supply chain cybersecurity: Pain or pleasure?
Whatever sector your business operates in, you will depend on third parties to provide you with goods and services to support what you do. Whether you are a small printing services company working with an accountant or an organization with a full manufacturing and distribution supply chain, suppliers are important to your daily operations and will all on some level interact on site or digitally with your business, and this makes them a risk vector.
Companies deal with these risk vectors by restricting the access these individuals have, such as stopping them gaining access to certain areas, or using network and IT resources. Yet, while it is common for IT departments to assess the official suppliers that a company might use for areas such as cloud services, it remains a longstanding business challenge to monitor the cybersecurity risks from suppliers across a company’s whole supply chain.
At a fundamental level, to mitigate cybersecurity risk, a company must be assured that every supplier they work with is on top of protecting the security of the data, and the availability of the services with which they are entrusted. Cyber attacks have become so advanced that the starting point of an attack is often not the primary target, but the weakest part of the underlying supply chain.
Assessing the risks
Many organizations use manual processes for their cybersecurity based supplier assessments, sending spreadsheet, Word, or PDF questionnaires by email, but this quickly becomes a cumbersome manual process, and itself can be regarded as a cybersecurity risk. Mistakes happen, processes become drawn out, and it is very easy for suppliers to not be checked at the frequency they should or be forgotten altogether.
Of even greater risk is that manual processes make it harder for organizations to gain an overall picture of where cyber risks sit in the supply chain. If data is not collated and assessed regularly, then a supplier failing to meet a requirement may go unchecked. Worse still, systemic risks across the supply chain may leave the organization exposed to a catastrophic cyber event. When such an event occurs, it is already too late.
Whether cybersecurity, financial or other regulatory controls, organizations need a more reliable approach to reduce risks associated with suppliers, vendors and other third parties.
A standardized, automated approach
A good framework for supplier assurance requires procurement teams, IT teams and other departments to work together to ensure they understand each other’s domains, objectives and responsibilities in terms of cybersecurity and regulatory compliance. A starting point is for them to jointly develop Supplier Impact criteria that systematically assess how much inherent risk every supplier or third party may have in that department’s sphere.
Each supplier can then be measured against these criteria, and their supplier impact level established. A different approach for each level of impact should be agreed jointly and completely standardized across the organization.
For example, for suppliers with a Very High impact, the supplier should be expected to demonstrate a high level of internal controls. With cybersecurity, for example, this means obtaining or working to achieve high standards such as ISO27001, IASME Governance or NIST. It is the supplier’s responsibility to show a serious level of control rather than the hard-pressed cybersecurity team’s responsibility to dive into hundreds of hours of audit work. These standards also have the benefit of being easy for a non-cyber specialist to determine if the standard is present or not.
Where a technical assessment or test is needed, such as a penetration test by a credible third party, then the supplier assurance team can be responsible for making sure that this takes place – handing over the responsibility to the cyber teams or external testers where needed. This “management of risk” role cannot be handed over though, as tempting as it is when the talk gets incomprehensibly technical.
The approach at each level of supplier impact should also include ongoing assessments. A lot of companies think “assure when you procure” is enough. But with the pace of modern business and the speed of change, there must be a regular assessment routine to stay on top of the risks. Again, the supplier assurance team can timetable and manage these ongoing reviews and focus on the governance of third-party risk – whether cyber, continuity, financial or regulatory – but executed by those with the domain expertise to speak with their counterparts in the supply chain.
Taking the pain out of supply chain cybersecurity
Taking a formulated and strategic approach to managing supply chain cybersecurity and wider compliance issues, creates an environment where the different teams involved in supplier risk start to use shared information systems to record and visualize supplier risks.
Introducing an online platform to automate supplier assurance makes the whole process efficient and more secure. Users have a single source of information and can create impressive supplier scorecards showing a combined view of financial, cyber, GDPR, Slavery and other risks all on one simple chart for each supplier. This provides a shared understanding of the totality of risk from each supplier and helps specialist teams – such as IT and the supplier assurance team – to understand how their worlds fit together.
By formalizing supplier assurance processes and using technology to facilitate their execution across all domains, cyber assessments become part of the rhythm of the whole supplier management process. In this way, companies can have confidence in the strength of the supply chain, mitigate cyber risks and take a lot of the pain out the experience.