Supply chain cybersecurity: better protection and policy alignment

According to a recent study conducted by the World Economic Forum, 39% of surveyed organizations in 2022 had been affected by a third-party cyber incident. In other words, they were “collateral damage” of a cyberattack that reached them through their supply chain. Increasingly, threat actors are targeting small and medium-sized suppliers that may use less robust cybersecurity practices, with the aim of then surreptitiously accessing the systems of an intended target among the supplier’s clientele. By breaking into the provider’s systems, an attacker could potentially compromise any organization that uses the product or service – including larger companies, government agencies, and even critical infrastructure or essential services.

These incidents show the interdependence of companies and the increasing need to address the security of the ICT supply chain as a whole, by identifying and strengthening its weakest links. There is also growing regulatory concern about supply chain security, which is being translated into proposals ranging from incident reporting and vulnerability disclosure to restrictions or obligations on providers under various regulatory standards and frameworks.

How can companies better protect their supply chain to reduce risk and enable a more agile response?

Traditional approaches to supply chain risk management have limitations: they do not actually increase cyber protection, they lack a consistent approach to diversifying and securing the supply chain, they waste time and money, and they lack cyber risk context. Importantly, small and medium-sized enterprises in supply chains may struggle with responsible cybersecurity practices, including compliance with recognized standards. Below is a selection of supply chain security best practices, some of which have been extracted from the RSAC ESAF Report “How Top CISOs are Transforming Third-Party Risk Management”, based on interviews with Chief Information Security Officers (CISOs), and from Telefónica’s own experience.

It is also necessary to standardise the approach to risk management in a joint procurement and security strategy, based on a principle of co-responsibility between employees and suppliers for meeting pre-established cybersecurity requirements, including requirements on diversification. Management indicators, checked periodically (including through audits), are needed to monitor performance and identify points for improvement throughout the supplier lifecycle, including at termination. Key elements of such a strategy include the following:

  1. Focus on a short list of priority security requirements based on an assessment of risk, instead of overloading the supplier, and ensure monitoring, oversight, and compliance.
  2. Reduce the impact of third-party incidents via discrete actions like diversifying the supply chain, applying zero trust policies, developing incident response plans, conducting tests, and demanding early reporting of incidents by suppliers.
  3. Actively partner with suppliers to help them improve their security programs, offering service mechanisms and trainings to protect against or respond to incidents as they occur. Third-party incidents will happen, so preparing to manage the impact on the enterprise must be a core priority.
  4. Consider leveraging emerging technologies such as blockchain for information sharing and asset management to minimize the consequences of third-party cyber-incidents, as well as artificial intelligence and advanced analytics to scale incident detection and response capabilities.
  5. Add incentives and enforcements to contracts, setting requirements for suppliers based on international standards (e.g. ISO 27001 Information Security, ISO 27701 Privacy, ISO 22301 Security and resilience).
  6. Establish processes to increase business leaders’ involvement in managing third-party cyber-risks. Doing so needs to be a priority at the most senior levels.

Read more at Supply chain cybersecurity: better protection and policy alignment

Great Suppliers Make Great Supply Chains

As an analyst who covers supply chain management (SCM) and procurement practice across industry, I tend to keep my keyboard focused on the disruptive themes that continue to re-define it. That said, if you’re expecting me to go on about the unprecedented growth of the SCM solution markets, the accelerated pace of innovation, tech adoption, social change, etc., don’t hold your breath. I can’t, as the data argue otherwise. Too many of us conflate diversification with acceleration – and there’s a difference.

The most notable, defining advances of the last decade (Amazon, Twitter, Google, etc.) share something in common: they do not require consumer investment. If you take those monsters out of the equation and focus on corporate solution environments, the progress, while steady, has not been remarkable. Let’s just say there remains plenty of room for improvement, especially in supply chain and procurement practice areas.

I fell onto this tangent unexpectedly. It happened while interviewing Mr. Dan Georgescu, Ford Motor Company, adjunct Professor of Operations and Supply Chain Management, a highly regarded expert in the field of automotive industry supplier development. “For supply chains to be successful, performance measurement must become a continuous improvement process integrated throughout,” he said. “For a number of reasons, including the fact that our industry is increasingly less vertically integrated, supplier development is absolutely core to OEM performance.”

Read more at Great Suppliers Make Great Supply Chains