Ahhh the joys of supply chain risk management. It is a complex beast with many heads, each focusing on the problem from a different operational standpoint.
The goal is of course to build and maintain a resilient system of checks and balances so your organisation’s supply chain is healthy and operating at an acceptable level of risk.
If this sounds easy to you, I am willing to bet you’re a theoretical expert.
Sadly, it is not simple, nor is it straightforward. However, it certainly is possible, and it is an absolutely vital component of your security arsenal because it dramatically reduces the risk profile of your organization.
That’s why simply hiding away from this issue is not a recommended option, because it will only end up biting you in the you-know-what.
The complexity is intensified because it is a chain. Your service providers also have service providers, who also have service providers, and so on. Without safety nets in place, the whole lot could tumble one after the other like a row of dominoes.
Take a moment to consider these questions:
- Do you know which third-party service providers you partner with?
- What third parties do your third parties partner with?
- Which of your systems and access rights does each third party have? And which of theirs does your organisation have?
- What security policies, procedures and safeguards does each third-party service provider currently follow when purchasing services or hardware? How does it align with your security architecture?
- How confident are you that they have a secure product life cycle?
- How will you avoid being vulnerable if one of your service providers falls victim to an attack?
- What data is collected and processed by each third party? How is it secured against unauthorized access?
- Do they perform employee background checks?
- What is their quality assurance process and testing methodology?
- Do your third-party suppliers share their disaster recovery plans?
These are just a few of the numerous considerations an organisation needs to think about prior to establishing a relationship with a third-party supplier.
But who within the organization needs to be involved? Due to the complexity of supply chain risk management, a team comprised of different departments needs to be involved, including legal, research and development, IT, purchasing, finance, etc. Having so many departments at the table, all of whom have a unique set of objectives, means efforts can easily get thwarted by lack of communication, lack of planning or lack of expertise. Having an experienced leader in securing the supply chain can simplify the process and ensure it stays on track.
There are some universal approaches to managing the risk of the supply chain, backed by best practices. These include:
- Detail security requirements in both proposals and agreements.
- Collaborate with service providers on cybersecurity to address any uncovered security issues.
- Have third-party service providers supply source code for inspection.
- Use track-and-trace programs to identify and authenticate components.
Not sold on the importance of supply chain management? Consider that many cyber incidents involve third parties. According to NIST, 80 percent of information breaches originate in the supply chain. 80 percent!
To manage these risks, we recommend your security procedures include vendors and business partners, and you create a holistic and end-to-end supply chain risk management strategy.
And let’s not forget about looking in a mirror. Does your organization do everything possible to mitigate risk originating from your own staff, processes and technology?
Want some more information? See below. Or get in touch. We are here to help.