Article

Supply Chain Cybersecurity: How to Mitigate Third-Party Threats and Reduce Organizational Risk

calendar iconFebruary 3, 2021

The way we think about supply chains has changed. Faced with the localized and systemic disruption of the pandemic, organizations across sectors have shifted their focus from efficiency and streamlining to resiliency and agility. Almost universally, this has meant establishing systems that allow employees to work productively and securely from remote locations. Meanwhile, many have also sought to expand their supplier network, providing more options to keep trading during the crisis and ensure they’re better able to deal with any similar challenges in the future.

Yet as is often the case, acting to mitigate one risk, opens up the possibility of other potential risks. Larger businesses may be better equipped to handle unforeseen threats than smaller businesses, however, the more companies in your supply chain, the more IT systems and increased risk. And more IT networks and systems equals more potential entry points for attackers without the proper defenses in place.

Clear and Present Danger

This threat is real – and no organization is immune to the possible ramifications of a breach in terms of service delivery, reputation, customer experience, and even the financial penalties. Just last month we saw SolarWinds, one of the most competent and reputable technology companies in the world, become the latest high-profile victim of a successful cyber-attack.

For SolarWinds itself, the impact has been significant, yet the true effects have reached much further. Malware placed in the company’s distribution repository was download by an estimated 18,000 of its customers, including many key government agencies and a number of major companies, including Microsoft, Cisco, and FireEye. They have consequently found their own systems at risk.

Companies therefore need to understand the risks in their supply chain and invest in identifying, designing, implementing, and maintaining controls that mitigate them. Likewise, suppliers must be open in communicating how they manage their production and distribution risk in order to reassure customers and partners.

Four Steps to Take Action Now

How can your company reduce the likelihood of being compromised by a cybersecurity breach, either within your own systems or those of a third-party? The key is to proactively address the threats in your supply chain rather than simply react to them if and when they arise. Here are four things you can do right now to keep your organization as well-protected as possible.

  1. Conduct a Risk Assessment

Review your supplier list and rank them according to how critical they are to your ability to deliver products/services for your customers, while also considering the type of data they store/use. Then work down the list, starting with the most crucial, assessing what would happen if they were to suffer a breach. Would your own processes and systems be secure or at risk? Do you have a business continuity plan to cope if that supplier’s out of action? These questions need answering – and quickly.

  1. Commission a SOC Report

The System Organization Control for Supply Chain reporting framework (commonly known as a SOC for Supply Chain report) involves management making a formal description of your organization’s systems and security controls. This is then evaluated by a certified public accounting firm, such as Cherry Bekaert. A SOC report can be valuable in providing the appropriate transparency to customers, partners and regulators in an effort to assess the maturity of the supply chain risk management program. Meanwhile, any suggested areas for improvement can act as a roadmap for further maturity as you build a supply chain risk management program robust enough to address risk related to the current threat landscape.

  1. Get Leadership Buy-in

You must allocate ongoing human and financial capital resources to maintain your company’s risk management program. This means getting buy-in of leadership, and clearly explaining the severity and evolving nature of the threat. Without management backing and investment, it’ll be hard to establish the right cybersecurity tools and methodologies to keep your organization protected. Here, too, a SOC report can be highly useful, starkly highlighting any potential gaps and convincing senior leaders of the need for action.

  1. Never Stand Still

The coronavirus crisis has left many businesses running to catch up with a new set of cybersecurity dangers. This, in turn, has made them even more susceptible to cyber-attack – an opportunity criminals are proving all too ready to exploit. Even if your own organization isn’t among them, some of your suppliers might be, as well as any new suppliers you may add to your network. Cyber-attackers are increasingly sophisticated in seeking out vulnerabilities; your defense, and that of your suppliers, have to be up to the job.

No matter how mature your supply chain risk management program, unless you comprehensively monitor, maintain and evolve it, it’s a bit like having Fort Knox-like prevention protecting the front, with a screen door at the back.

How We Can Help

Even when COVID-19 is behind us, the move towards a more remote workforce and diversified supplier network is likely to continue. Employee expectations of flexibility and remote-working have shifted, while many companies impacted by the pandemic will be eager to ensure they’re better prepared to navigate the disruptions of an increasingly unpredictable world.

The cybersecurity and supply chain risks that have accompanied this transformation are here to stay. After one of the most difficult years on record, only companies that do the necessary due diligence and take the right steps to strengthen their cyber defenses today can look forward to proper risk mitigation for a more secure and prosperous tomorrow.

To discuss how Cherry Bekaert can help you assess and improve the maturity of your supply chain risk management program or to discuss a SOC for Supply Chain Readiness Assessment, please contact Steve Ursillo today.