When confronted with a cyberattack, suppliers can quickly turn from friend to foe. As many as half of all supply chain disruptions are caused by cybersecurity incidents among suppliers or a supplier’s suppliers, and come with high price tags that impact a company’s reputation, operations and bottom line.

There’s no way to fully prevent cyberattacks, but the risks can be mitigated to a large degree. Business leaders must take proactive steps to secure one of the more vulnerable arms of their operations: the supply chain.

Many companies don’t believe they share enough data with their suppliers to truly be at risk should one of them fall victim to a cyberattack. According to a 2022 IBM study with the Ponemon Institute, data breaches originating in supply chain attacks take 235 days to identify and another 68 to contain, costing businesses on average $4.46 million. Not being proactive can be costly and impact more than a company’s net income. Reputation among customers is also at stake.

Challenges such as lack of experience, time constraints, difficulties engaging suppliers and perceived costs have deterred businesses from initiating effective cyber risk management strategies. Overcoming these obstacles is crucial for safeguarding the company’s overall well-being, its reputation and customer trust. 

The Anatomy of Attacks

In a supply chain attack, threat actors look to exploit vulnerabilities in the network, usually targeting a specific company by compromising a trusted supplier or service provider. These attacks manifest in different ways, including exploiting software or hardware vulnerabilities, injecting malware into legitimate files, and employing phishing or social engineering attacks. Cyberattacks rarely come with a warning, and by the time IT departments find anything amiss, it may be too late. Experienced cyber criminals are not looking to be flashy, most often taking the path of least resistance.

The aftermath of these attacks can be devastating, with sensitive information compromised, operations disrupted and malicious software injected. MOVEit, a secure file transfer tool used by government agencies and some of the world’s large enterprises alike, discovered a zero-day critical vulnerability in June, 2023 that was subsequently mass exploited by a ransomware group. So far, over 2,500 organizations have been impacted, and that number continues to climb. In February, 2023, major semiconductor firm Applied Materials lost $250 million due to a business partner being hit by a ransomware attack.

There’s also a larger societal risk involved in a supply chain attack. For example, money from ransomware payments is often used to fund criminal activity, including drug and  human trafficking.

A Playbook for Risk Management

Building an effective supplier risk management framework is crucial in fortifying businesses against the growing threat of cyberattacks. The three S’s — speed, scope, and scale — serve as guiding principles for establishing a strong foundation. Speed involves the efficient measurement, management and monitoring of risk levels without overburdening internal teams. Achieving scale is crucial to ensuring maximum visibility for all suppliers in the monitoring process, regardless of their significance. Scope identifies cybersecurity risk levels from the outset, and maintains vigilance throughout the relationship with ongoing monitoring for potential data breaches and related incidents.

A comprehensive supplier risk management framework involves a structured approach encapsulated in five key steps: risk identification, risk analysis, risk mitigation, continuous monitoring and continuous improvement. Risk identification and continuous monitoring are critical to mitigating potentially disastrous supply chain attacks. The vetting process should be ruthless, evaluating a supplier’s security policies, procedures, past incidents and potential vulnerabilities. All risks identified should then be categorized and prioritized, with contingency plans being made for high-priority risks. 

But the fight doesn't end there. Businesses must implement real-time surveillance, keeping a vigilant eye on their supplier landscape through cutting-edge monitoring systems and collaborative incident response plans. Providing suppliers with the knowledge they need through engaging cybersecurity education programs can make it clear that compliance is a shared responsibility. By fostering a communication network that rivals a strategic command center, businesses can share threat intelligence and best practices seamlessly.

Businesses must diversify their supply chains to ensure resilience, develop contingency plans that can weather any storm, and subject their suppliers to regular audits. This isn't just risk management; it's a strategic defense plan, ensuring that businesses stand strong against ever-evolving threats in the cyber risk landscape.

The rising tide of supply chain disruptions caused by cybersecurity incidents demands a proactive response from businesses. Ignoring supplier risk management exposes companies to significant financial losses and reputational damage, and can result in extreme harm to society. While cyber threats are inevitable, businesses can minimize their impact by implementing a strong supplier risk management framework.

Akhilesh Agarwal is chief operating officer of apexanalytix.