We’ve entered Week #3 of National Supply Chain Integrity Month, an initiative that CISA and other government agencies started to highlight the importance of securing our nation’s most critical systems and ensuring they stay resilient. For Weeks #1 and #2, I wrote about maturing your third-party risk management program and securing the small business supply chain. This week’s focus is about improving trust with your vendors and acknowledging that when a supply chain incident occurs, everyone suffers: buyers, suppliers, and users.
The importance of cyber resilience in supply chain risk management
According to the World Economic Forum’s most recent annual cyber outlook report, 90% of business and cyber leaders are concerned about the cyber resilience of third parties, and 54% of organizations report experiencing a breach through a third party. On top of the evolving nature of cyber threats, technology stacks are expanding and the use of third-party vendors is growing rapidly, introducing more risk into the environment. Only 34% of organizations are confident their suppliers would notify them of a breach that could put their business at risk.
Third-party risks grow more significant as networks and supplier ecosystems continue to expand. Organizations struggle to continuously monitor their digital footprint and attack surface across their vendor and supply chain ecosystem, especially when shrinking budgets rule out additional hiring. Organizations must have the right resources to understand not only their immediate supply chain, but also the extended supply chains of their vendors and suppliers.
Establish due diligence and ensure compliance
As the global attack surface continues to expand, it’s important to take procurement seriously, so that organizations know their vendors and suppliers—because after all, their risks are your risks. Managing contracts and compliance requirements is a good place to start when trying to handle business ecosystem risk. Before signing contracts, organizations must establish clear due diligence guidelines to ensure their partners are committed to meeting their cybersecurity standards. This includes more tightly controlled and restricted third-party access to data.
Manage supply chain risk with automated questionnaires
Too often, supply chain risk is managed by having purchasing departments issue paper-based security questionnaires to assess the security controls in place at the organizations they do business with. These questionnaires are typically filled out manually and provide little insight into the real-time risks that organizations face and are remediating.
Among the many services we provide, SecurityScorecard makes automated questionnaires available to our customers and partners to ensure that every party is aware of the ever-evolving nature of risk. We also help organizations map supplier relationships and gain visibility into the risks those entities face and bring into organizations’ networks. As I’ve mentioned in previous blogs, organizations are only as strong as their weakest links. Building resilience into your supplier ecosystem is foundational to maturing every organization’s cyber posture.
The growing regulatory landscape
We see increased efforts to use data both to monitor vendor ecosystems and to communicate with them about remediating the types of risks we observe through our global collection efforts. Using this kind of data, organizations are able to push suppliers to resolve significant cyber hygiene risks. Increasingly, we are also seeing regulatory and sectoral risk agencies use this data to make decisions about cyber risk efforts across their ecosystems.
As Congress and the Sector Risk Management Agencies of the US government look deeper into supply chain risks, we anticipate greater pressure on organizations of all sizes to provide greater transparency into the risks in their supply chains and the efforts they are taking to address them.
How SecurityScorecard helps supply chain risk management
The increasingly global nature of cyber risk requires collective approaches to drive greater awareness of, and defense against, emerging threats. Today, SecurityScorecard supports dozens of organizations with cross-domain responsibilities for diverse sectors of the economy.
Stay tuned for next week’s blog—the final installment in our Supply Chain Month series—which will focus on recognizing and mitigating supply chain threats. As we move forward to operationalize greater supply chain transparency, we encourage everyone to check out their own SecurityScorecard and use the insights provided across your ecosystem to demonstrate meaningful progress.