Rising inflation, surging commodity prices, an uncertain economic recovery and an ongoing Russia-Ukraine crisis: the global economy has had a rough start to 2022. Against such a volatile backdrop, supply chain companies face enormous risk and significant pressure from business disruption, threats to the security and safety of infrastructure, theft or loss of confidential data and a barrage of cybercrime, including ransomware and other malicious cyberattacks. Security researchers have identified at least four distinct families of "wiper" malware (malware that destroys data and renders systems unusable) deployed during the Russian conflict. The truth is, our world simply cannot afford another NotPetya-style attack: the 2017 worm caused catastrophic collateral damage and a level of disruption capable of erasing half a year's worth of profit or more at affected companies.
Because our global economy is so tightly interwoven, cyber fortifications must not happen in isolation. Instead, they must encompass the entire cyber ecosystem, including that of supply chain partners and other layers like sub-suppliers. Organizations and suppliers together must form a collective resilience that proactively neutralizes cyber risks as they manifest. So what can organizations do to help mitigate potential risks and be better armed?
Consistently review supplier inventories. A key foundation of any resilience strategy is understanding the extent of exposure a business has through its supply chain. Visibility is critical, so organizations must keep up-to-date details of the exact nature of the services being outsourced (e.g., software design and build), the types of products being built by suppliers (e.g., hardware and networking products) and the suppliers' key geographical locations. Technology should be harnessed to alert key personnel whenever an unforeseen change in supply chain inventories or processes occurs.
Perform routine risk assessments. Supply chain environments are continuously evolving, so organizations need a current view of their cyber risk profile across the entire ecosystem. Monitor a variety of risks, including security, privacy, financial, quality and geopolitical risk, to name a few. Start by prioritizing suppliers based on their criticality and geographical location, for example, suppliers that operate in high-risk territories and are most vulnerable to disruption. Place particular emphasis on recently terminated suppliers and on ones that were recently acquired; this is where a number of undefined risks can exist. Monitor changes in supplier status (legal, financial, ownership, production) and evaluate whether the supplier's response fits your organization's own needs, such as regulatory obligations, risk tolerance and operating environment. Maintain a watchlist of suppliers that have had issues in the past or that carry high-risk exposure.
Focus on high-risk, or undefined-risk, suppliers. Threat actors are known to actively target key suppliers. Large organizations rely on hundreds of suppliers every day, so it makes sense to focus on the ones that present the most risk. Critical suppliers should ideally be held to the same cyber standards as the parent organization, to achieve a uniform level of security. Start by documenting supply processes and procedures and ensure all key contacts are kept up to date. Organizations may also deploy monitoring tools, such as open-source intelligence feeds and non-intrusive external attack-surface scans, to confirm, for example, that a supplier's TLS certificates are current and that no unexpected services are exposed. Push vendors to prioritize prompt remediation of software vulnerabilities. Adopt initiatives and frameworks for assessing software supply chain security, such as Supply-chain Levels for Software Artifacts (SLSA) and the software bill of materials (SBOM).
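An added example of how an SBOM makes the "unforeseen change" alerting described above concrete for a software supplier. This is not code from the article or from the Information Security Forum. Given two CycloneDX SBOMs delivered by a supplier for successive releases, it reports which components were added, removed, re-versioned, or re-shipped under the same version with a different hash, and flags components too incomplete to track. The JSON field names (bomFormat, specVersion, components, purl, hashes) are the real CycloneDX 1.5 fields; the two documents, the supplier and every component name in them are constructed for illustration and describe no real product.

```python
"""Detect drift between two CycloneDX SBOMs delivered by a supplier."""
import json

# Constructed SBOM for release 1 of a hypothetical supplier's product.
SBOM_OLD = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.0",
         "purl": "pkg:generic/libfoo@1.2.0",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        {"type": "library", "name": "libbar", "version": "4.0.1",
         "purl": "pkg:generic/libbar@4.0.1",
         "hashes": [{"alg": "SHA-256", "content": "b" * 64}]},
        {"type": "library", "name": "libbaz", "version": "0.9",
         "purl": "pkg:generic/libbaz@0.9",
         "hashes": [{"alg": "SHA-256", "content": "c" * 64}]},
    ],
})

# Constructed SBOM for release 2: libfoo bumped, libbaz dropped, libbar shipped
# under the same version with a different hash, libqux added with no version
# or hash at all.
SBOM_NEW = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.3.0",
         "purl": "pkg:generic/libfoo@1.3.0",
         "hashes": [{"alg": "SHA-256", "content": "d" * 64}]},
        {"type": "library", "name": "libbar", "version": "4.0.1",
         "purl": "pkg:generic/libbar@4.0.1",
         "hashes": [{"alg": "SHA-256", "content": "e" * 64}]},
        {"type": "library", "name": "libqux"},
    ],
})


def load_components(sbom_json):
    """Parse a CycloneDX SBOM and index components by (group, name).

    Keying on name rather than purl lets a version bump show up as a change
    to one component instead of an unrelated removal plus addition.
    """
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {(c.get("group", ""), c["name"]): c for c in doc.get("components", [])}


def sha256_of(component):
    """Return the declared SHA-256 of a component, or None if absent."""
    for h in component.get("hashes", []):
        if h.get("alg") == "SHA-256":
            return h.get("content")
    return None


def incomplete_components(index):
    """Names of components that cannot be tracked: no version or no SHA-256."""
    return sorted(name for (_, name), c in index.items()
                  if not c.get("version") or not sha256_of(c))


def diff_sboms(old_json, new_json):
    """Compare two SBOMs and return the changes a reviewer should look at."""
    old, new = load_components(old_json), load_components(new_json)
    report = {"added": [], "removed": [], "version_changed": [], "hash_changed": []}
    for key in sorted(new.keys() - old.keys()):
        report["added"].append(key[1])
    for key in sorted(old.keys() - new.keys()):
        report["removed"].append(key[1])
    for key in sorted(old.keys() & new.keys()):
        o, n = old[key], new[key]
        if o.get("version") != n.get("version"):
            report["version_changed"].append((key[1], o.get("version"), n.get("version")))
        elif sha256_of(o) != sha256_of(n):
            # Same declared version, different artifact: ask the vendor why.
            report["hash_changed"].append(key[1])
    report["incomplete"] = incomplete_components(new)
    return report


def needs_attention(report):
    """True when anything other than an ordinary version bump was found."""
    return bool(report["added"] or report["removed"]
                or report["hash_changed"] or report["incomplete"])


if __name__ == "__main__":
    result = diff_sboms(SBOM_OLD, SBOM_NEW)
    for category, items in result.items():
        print(f"{category}: {items}")
    print("needs attention:", needs_attention(result))
```

In practice the two inputs come from the supplier's release artifacts, and a non-empty "hash_changed" or "incomplete" list is the signal to route to the key personnel named in the supplier inventory rather than something to silence in the pipeline.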
Implement a process for terminating suppliers. Last year, 30% of businesses terminated partnerships with third-party vendors because of the unacceptable cyber risk attached to them. When a political or business decision is made to cease operations in a particular territory, ensure the supplier is off-boarded with security in mind. This includes sanitizing or destroying all shared data, removing all physical and network access and revoking all user privileges, including access to cloud-based shared data.
Practice your incident response plan. Always be prepared for a scenario in which a key supplier is compromised or needs to be isolated, especially during times of instability. Build workshops around various scenarios and run tabletop cybersecurity exercises with both internal stakeholders and suppliers. Establish protocols for vulnerability and incident notification with supply chain partners. Create collaborative roles, structures and processes for incident response across the supply chain. Collaborate on lessons learned and fine-tune joint processes as needed. Offer mentoring and coaching to suppliers to improve their cybersecurity practices and support them in developing their own incident response capabilities.
The reality is that supplier disruptions are nothing new, and the pendulum of instability will always swing back and forth. Certainly, as more and more organizations embrace hyper-connectivity, supplier cyber risks will only intensify. For businesses to become resilient to volatility and disruption, they must invest in a proactive process that identifies supplier risks throughout the entire lifecycle, from acquisition to termination. As John Locke once famously quipped: "The only defense against the world is a thorough knowledge of it."
Steve Durbin is chief executive officer of the Information Security Forum.