Earlier this year, a bank in Australia was breached during a server upgrade. Cyber criminals stole identifying and financial information not through the bank itself, but through a third-party hosting provider. A few months later, a major hotel chain was breached through third-party software, exposing the records of millions of customers. Around the same time, several defense contractors were breached when a vendor fell victim to a ransomware attack.
What do all of these companies have in common? They were all attacked through their digital supply chain.
What is the digital supply chain?
Companies don’t always mean the same thing when they talk about the digital supply chain. Some organizations may use the term to refer to the digital processes associated with their physical supply chain. Others might be talking about their extended enterprise: the digital vendors and partners that deliver digital products. Still others might use the term to mean something completely different, like digital processes that have replaced analog ones.
The foggy definition of the term means that digital supply chain management will also have a different meaning, depending on the company. For the purposes of this article, however, we’ll focus on the first two definitions, which are more relevant to supply chain management.
1. The digital supply chain as part of the physical supply chain
Companies with physical inventory, warehouses and manufacturing sites often run a digital infrastructure alongside their physical one. Sensors on pallets, factory equipment, the Internet of Things (IoT), and artificial intelligence that supports predictive analytics – all of these technologies can enhance and improve a physical supply chain.
McKinsey calls this Supply Chain 4.0; it’s a vision of the physical supply chain of the near future, complete with self-driving delivery trucks, predictive analytics driving ordering, and drones making deliveries. (It’s helpful to keep in mind that this paper was written in 2016, when IoT, machine learning, and autonomous vehicles were near the peak of the Gartner Hype Cycle.)
This might not be exactly what the supply chain looks like now, but the COVID-19 pandemic forced organizations to accelerate their use of technology when it comes to supply chains — Nike, for example, used a digital platform to divert stock from stores that were closed during lockdown to fulfillment centers. Other companies are finally embracing blockchain technology as a solution to last-mile order fulfillment.
2. The digital supply chain as a chain of businesses delivering digital products
Just as a chain of suppliers is necessary to create and distribute a physical product, a chain of suppliers is necessary to build and deliver digital products.
A company that develops software often works with an extended enterprise made up of vendors, partners and other third parties: cloud storage, QA testers, contractors, and other suppliers can all be part of the supply chain for such a company. Any digital supplier that helps your organization build, sell, or distribute your product is a part of your digital supply chain.
What are the risks to the digital supply chain?
There are a number of risks to the digital supply chain, whichever definition you use. Physical supply chains that use the IoT are susceptible to hacks, for example. According to a study from Ponemon, while encryption is increasing in industries like freight and manufacturing, 60% of the companies surveyed reported only partial encryption of their IoT and 61% reported only partial encryption of their IoT platforms.
Far more concerning, however, are threats to the extended digital ecosystem of an organization. The third-party companies in your supply chain aren’t your employees; they’re often not on-site, and you can’t force compliance the way you can with employees. This is cause for concern: data breaches caused by third parties amplify the cost of a data breach by an average of $207,411, according to the Ponemon Institute’s latest Cost of a Data Breach report. Gaps in vendor information security controls are more difficult to verify (if you’re using questionnaires, you may simply have to take your vendors’ word), take longer to identify and may take longer to correct.
Although third-party information risk is a very real threat, many organizations are not prepared for a data breach originating on their supply side. According to Protiviti’s 2019 Vendor Risk Management Benchmark Study, just 40 percent of organizations have a fully mature vendor risk management process in place. A third of the respondents to that study reported no risk management program at all, or only an ad hoc risk management process.
How can you manage risks to the digital supply chain?
Knowing your extended ecosystem isn’t as easy as it sounds. While you may know who your suppliers are, you might not know who their suppliers are. Or you might feel you’re unable to verify and monitor your vendors’ security controls.
If that’s the case, it’s probably time to reevaluate your vendor management system. Traditional static third-party monitoring, like questionnaires, isn’t enough to protect your data and networks from the bad actors that may be targeting your supply chain. For one thing, static monitoring creates a snapshot of your suppliers’ controls at a specific moment in time — perhaps all their software is patched now, but what about tomorrow? Questionnaires also create an administrative burden for your team. Continuous monitoring is the best and most efficient way to manage your third-party relationships and ensure your data is consistently protected.
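To make the two points above concrete (suppliers’ suppliers, and questionnaire answers going stale while continuous observation keeps up), here is a small model added for illustration; it is not code from the original article or from any vendor product. The vendor names, dates and the “observed” feed are constructed sample data, and the 90-day freshness window is an assumed policy value.

```python
from datetime import date

# Constructed sample data: each vendor lists its own suppliers (so the extended
# ecosystem can be walked transitively), a self-reported questionnaire date on which
# it attested that its software was patched, and, where a hypothetical continuous
# monitoring feed has seen otherwise, the date an unpatched service was first observed.
VENDORS = {
    "qa-contractor": {"suppliers": ["hosting-co"], "attested_patched_on": None,
                      "observed_unpatched_since": None},
    "hosting-co":    {"suppliers": ["dns-co"], "attested_patched_on": date(2020, 1, 10),
                      "observed_unpatched_since": None},
    "dns-co":        {"suppliers": [], "attested_patched_on": date(2019, 12, 1),
                      "observed_unpatched_since": date(2020, 7, 3)},
}

def extended_ecosystem(vendor, graph=VENDORS, seen=None):
    """Return the vendor plus every supplier reachable from it (fourth parties included)."""
    seen = set() if seen is None else seen
    if vendor in seen or vendor not in graph:
        return seen
    seen.add(vendor)
    for sub in graph[vendor]["suppliers"]:
        extended_ecosystem(sub, graph, seen)
    return seen

def assess(vendor, today, max_age_days=90, graph=VENDORS):
    """Classify one vendor's patch status as of `today`.

    Observed evidence outranks a self-reported answer; a questionnaire answer
    is trusted only while it is younger than max_age_days (assumed policy)."""
    v = graph[vendor]
    if v["observed_unpatched_since"] and v["observed_unpatched_since"] <= today:
        return "unpatched (observed)"
    if v["attested_patched_on"] is None:
        return "unknown (no attestation)"
    if (today - v["attested_patched_on"]).days > max_age_days:
        return "stale attestation"
    return "patched (self-reported)"

def review(root, today_iso, graph=VENDORS):
    """Assess the whole extended ecosystem of `root` on an ISO date such as '2020-02-01'."""
    today = date.fromisoformat(today_iso)
    return {name: assess(name, today, graph=graph)
            for name in sorted(extended_ecosystem(root, graph))}
```

Running `review("qa-contractor", "2020-02-01")` rates every attested vendor as patched, while the same call on "2020-08-01" shows hosting-co’s questionnaire as stale and dns-co as unpatched on the strength of what was later observed.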
SecurityScorecard’s Atlas is an intelligent tool that streamlines your vendor risk assessment process. Using our platform, your organization can upload vendor responses to questionnaires. Atlas’s machine learning compares their answers to previous questionnaires and the platform’s analytics, verifying responses and alerting you to any issues almost immediately so you can take action and secure your cyber assets.