The third-parties that comprise your organization’s supply chain allow your company to lower costs, innovate rapidly, and work more efficiently and effectively. They’re your cloud hosting providers, your manufacturers, your vendors, your service providers, and any other supplier that helps your organization build, sell, or distribute your information technology product.
They make doing business easier. Unfortunately, they also expose you to risk. According to the National Institute of Information Technology (NIST), the factors that allow for low-cost, interoperability, rapid innovation, a variety of product features, also increase the risk of a compromise to the cyber supply chain. Supply chain risk can include anything from physical threats like unauthorized production to digital ones, like a breach of your cloud hosting provider’s servers.
This can mean risk for your customers or a breach of your organization's data; and that’s a big, expensive problem; data breaches caused by third-parties increase the cost of a data breach by an average of $207,411, according to the Ponemon Institute’s latest Cost of a Data Breach report. This is why cyber supply chain management is so important for organizations that rely on digital third-parties.
What is cyber supply chain management?
Cyber Supply Chain Risk Management (C-SCRM) is the process of ensuring the integrity of your supply chain by identifying, assessing, and mitigating the risks associated with information technology product and service supply chains. It’s also important to note that although we mainly talk about digital threats on this blog, C-SCRM can (and should) apply to both hardware and software.
Because supply chain risk can compromise your product at any stage of its existence (think of your product being hacked while in the hands of a customer because of a supply chain vulnerability) supply chain management doesn’t just cover the building and distribution of your product. You’ll be managing the supply chain that follows your product through its life cycle: design, development, distribution, deployment, acquisition, maintenance, and destruction.
So how can you best ensure the safety and security of your supply chain?
Best practices for managing your cyber supply chain
1. Remember: C-SCRM is not just an IT problem.
When it comes to your cyber supply chain, cybersecurity isn’t necessarily separate from physical security. Cyber supply chains touch all parts of an organization, so don’t make the mistake of thinking that C-SCRM belongs in the purview of the IT security team. Risks can come from many different places, from physical sabotage to digital risk to (most commonly) human error. If you concentrate only on digital security, you’ll be missing important information about the threats to your supply chain.
2. Your C-SCRM program should be organization-wide.
Just as C-SCRM isn’t just a technology issue, nor should it be limited to one department. Security and risk is everyone’s job. Effective ICT SCRM is an organization-wide activity that involves every single part of an organization.
3. Know your critical systems.
Do you know the systems you need to protect to secure the supply chain? When you have a clear idea of which systems need to be protected, you’ll have a better understanding of exactly which steps you'll need to take to secure them.
4. Assume it will happen.
No one likes to think a breach will happen, but assuming a breach is inevitably going to happen allows you to assess the impact of a breach on your systems. Once you understand how badly you’ll be impacted, you’ll have a better idea of how to mitigate that impact if and when a breach occurs.
5. Know your risks and threats.
When you don’t know your risks, it’s hard to plan countermeasures that will prevent or mitigate threats. Make a list of every scenario that might endanger your supply chain, and work through each, starting with the most likely and the scenarios with the highest impact.
6. Monitor your vendors continuously.
Working with third-parties removes some of the control you have over the countermeasures and security controls that impact your supply chain. You may feel you don’t understand the risks they face, or that you’re unable to verify and monitor your vendors’ security controls. This is especially true if you’re using traditional third-party monitoring, like questionnaires. Static monitoring isn’t enough to protect your data and networks from the bad actors that may be targeting your supply chain. For one thing, static monitoring creates a snapshot of your suppliers’ controls at a specific moment in time — perhaps all their software is patched now, but what about tomorrow? Questionnaires also create an administrative burden for your team. Continuous monitoring is the best, most efficient, way to manage your third-party relationships and ensure your data is consistently protected.
How can SecurityScorecard help?
SecurityScorecard’s Atlas is an intelligent tool that streamlines your vendor risk assessment process. Using our platform, your organization can upload vendor responses to questionnaires. Atlas’s machine learning compares their answers to previous questionnaires and the platform’s analytics, verifying responses almost immediately and alerting you to any issues immediately so you can take action and secure your cyber assets.