Learning Center June 28, 2021

What is the ICT Supply Chain? Things Your Business Needs to Know

Cyber attacks and data breaches are top of mind for businesses around the world as attacks on vulnerable networks persist. It is more important than ever to ensure cyber security and resilience programs are in place for your business and third-party suppliers.

The information and communications technology (ICT) supply chain is a globally interconnected ecosystem that involves ICT software, hardware, and services, including suppliers, vendors, and contractors. In this post, we will answer the most common questions surrounding the ICT supply chain and how businesses can better manage and secure their ecosystems.

Let’s take a closer look.

What is the ICT supply chain?

The general definition of a supply chain is the acquisition of resources and materials, the combining of these raw resources and materials into a product, and the delivery of the product to the end consumer. In other words, it’s how raw materials are transformed into a final product. Different links in the chain may involve extraction, design, manufacturing, logistics, and retail sales.

As an example, consider the supply chain for microchips. It starts with the use of raw materials to form pure silicon wafers, followed by the creation of semiconductor designs using computers, the acquisition of semiconductor machinery, and the fabrication of semiconductors on the silicon wafers. This process is then followed by the assembly, testing, and packaging of the product. These microchips are sold to electronics manufacturers who use them in the design of other products, like smartphones, that are finally sold to the end consumer. Between each step of the chain, the product often must be physically transported from one location to the other, which also involves logistics.

The ICT supply chain specifically refers to the chain of actions that transforms raw resources into ICT products and services such as computer hardware and software, applications, and cloud subscriptions. In some cases, this supply chain relies on the physical movement and manufacture of objects (such as microchips). In other cases, it relies on distribution and access to services via telecommunication infrastructure (cables, the internet, the cloud, etc.).

Who is an ICT supplier?

An ICT supplier is any business that offers ICT products or services to individuals or other organizations. It includes providers of electronic components or the raw materials used to produce those components. It also includes software and cloud providers as well as managed services. The following list provides a general overview of what is included under the ICT supplier umbrella:

  • Software developers

  • Computer manufacturers

  • Microchip manufacturers

  • Cable and fiber manufacturers and installers

  • Cloud providers

  • Software-as-a-service providers

  • IT education providers

  • Platform subscription providers

  • Tech support providers

  • Cell phone service providers

  • Internet service providers

  • Managed security services providers

  • Technology repair services

What is the role of procurement in the ICT supply chain?

Procurement refers to the acquisition of products and services. The first step in ICT procurement is identifying an appropriate supplier or vendor. If done properly, it involves more than just picking a vendor that offers what you need based on sticker price. Due diligence in procurement requires assessing the potential risk associated with each vendor (and their ecosystem) as well.

When it comes to sourcing physical items and parts, assessing risk means ensuring the provider isn’t likely to encounter shortages of any items that are critical to your business. When it comes to sourcing ICT services such as security monitoring or software, you will also need to perform due diligence to make sure the supplier in question is compliant with applicable frameworks and has measures in place to protect against supply chain attacks and data breaches.

Once you’ve identified the suppliers you want to work with, you will need to handle the logistics of procurement — that is, transporting physical objects or successfully integrating software products. The final piece involves paying for those goods and services and maintaining a positive relationship with the supplier to ensure smooth operations moving forward.

What are the risks associated with the ICT supply chain?

Because the ICT supply chain relies on more than trucks, trains, and manufacturing plants, it is also subject to risks associated with cyberattacks, misconfigurations, and zero-day exploits. While these same threats can also impact the general supply chain (think of the Colonial Pipeline ransomware attack in 2021 as an example), they are even more critical when the product moving through the chain itself can become corrupted.

In fact, 65% of cyber-attacks today are the result of vendor negligence. Consider, for example, the SolarWinds attack of 2020: 18,000 SolarWinds customers ended up downloading compromised versions of software for almost a year, and 400 of those suffered an attack as a result. In late 2021, Kronos, a provider of workforce management software used by tens of thousands of businesses, suffered an attack that left many of its customers unable to process payroll and perform other services using their software.

Such attacks can cause all sorts of problems for your organization, including financial and legal liabilities if your clients’ and customers’ data becomes compromised.

How to secure the ICT supply chain for your organization

Mitigating the risk associated with the ICT supply chain requires visibility into each vendor’s technology ecosystem and the ability to continuously monitor for changes. The act of assessing and managing risk associated with vendors and third-party suppliers is called Third-Party Risk Management (TPRM).

SecurityScorecard helps you understand the security posture of your vendors first by providing ratings on an A-F scale that indicate risk on a high level. From there, your business can have a complete and transparent view of your vendor ecosystem that helps drive targeted supply chain discussions and streamline vendor risk management workflows. You’ll have the ability to set compliance goals, track ongoing compliance and progress, and build trust. Request a demo today to learn more.