Nowadays, it’s almost impossible to run a business without the help of third-party suppliers to assist in the delivery of your products, systems or services. Working with external partners can come with a host of benefits, including more streamlined and efficient processes to meet heightened customer demands. At the same time, new entities can bring new risks, especially in the realm of cybersecurity. When companies come together and share information, one company’s risk becomes that of the entire chain.
Supply chain cyber attacks have been on the rise, with a 42% increase in the U.S. during the first quarter of 2021. Attacks of this kind are especially popular for cybercriminals, since they provide an opportunity to infiltrate an entire web of organizations through a single third-party supplier.
Fortunately, as with any type of risk, there are ways to manage these threats before they present an issue. Following are a few key actions your business can take to minimize the chance of an attack on your supply chain.
Carry out risk assessments. When entering into new supplier relationships, it’s important to make sure you know where they stand with regard to cybersecurity. What controls do they have in place? What processes and policies are used to ensure data is well protected? If you’re sharing any kind of data with your suppliers, especially sensitive customer information, you want to know it will stay secure.
It’s also a good idea to consider how major the supplier relationship will be overall. Will it be part of your immediate supply chain, or assist on an ad hoc basis? All partners will need to be vetted, but those playing an integral role in your supply chain will carry more risk and warrant more caution.
Set security requirements. To encourage a transparent relationship with your suppliers and set clear expectations between you, it can be useful to draw up a supplier policy.
With such a document, you can dedicate sections to cybersecurity and data protection, outlining which level of security your suppliers should be able to demonstrate. One of the easiest ways to do this is to ask your suppliers to align themselves with an existing set of cybersecurity standards and certifications. In the U.S., popular ones include ISO 27001, which is internationally recognized, and the NIST framework. In the U.K., the government’s cybersecurity standard, Cyber Essentials, helps companies reduce 80% of risk by aligning with five critical technical controls. Complying with these standards can be an easy way for your suppliers to demonstrate a good cybersecurity posture.
When making any security requirements of your suppliers, it’s best practice to ensure your own business is already meeting them. By participating in a supply chain, you connect yourself with everyone else in it; any improvements you make to your own security postures will only strengthen the overall chain.
Implement cybersecurity training. Human error is still the number-one cause of cyber attacks. As such, it’s one of the most vital elements to address. While you should always be working to foster a culture of cybersecurity awareness within your own company, this practice should be encouraged throughout the supply chain as well.
Consider sharing resources with suppliers to help them educate their employees around cyber risks. There are numerous free online exercises and articles offering guidance to businesses.
Secure data transfers. Data within the supply chain has to be transferred via secure channels, and protected at all times. Hackers are most likely to intercept data while it’s moving from one place to another, making it all the more important to maintain good security during this process. Encrypting data before transferring it is an excellent way to minimize this risk.
Companies should also make sure they have a complete picture of the different kinds of data living in their supply chain, and where it’s all located. That includes internal data (plus backup systems) and the data your suppliers have access to. This information will likely vary in sensitivity. Some of it may be highly sensitive, while other information is publicly accessible. You can help prevent data from falling into the wrong hands by classifying and labeling it correctly, so you know where the most valuable information is located.
Remember that you’re someone’s supplier, too. More often than not, a hacker will target a small business to access the rest of its supply chain, expecting its cyber defenses to be minimal or non-existent. We saw this in one of the first major supply chain attacks to hit the media in 2013, when a third-party contractor working with Target was compromised, allowing hackers to steal millions of customer credit card details from the retailer’s internal network.
Small businesses not only need to consider the security of their suppliers, but must also maintain a high standard of cybersecurity to convince bigger partners that they aren’t a security risk. Many companies, especially in the public sector, are now requiring that certain security standards are met by all their suppliers before securing contracts with them.
Managing cyber threats within the supply chain doesn’t have to be a daunting task, but it’s important to take responsibility for your own risk and maintain consistent standards for cybersecurity. It’s in every business’s best interest to understand the security processes, policies and solutions of all partners. Not only do these steps reduce risk for the entire supply chain, they also demonstrate to clients, partners and stakeholders that their secrets are safe with you.
Clive Madders is chief technology officer with Cyber Tec Security.
Timely, incisive articles delivered directly to your inbox.