Supply chain cybersecurity: better protection and policy alignment

According to a recent study conducted by the World Economic Forum, 39% of surveyed organizations in 2022 had been affected by a third-party cyber incident. In other words, they were “collateral damage” of a cyberattack on companies via their supply chain. Increasingly, threat actors are targeting small and medium-sized suppliers that may use less robust cybersecurity practices, with the aim of then surreptitiously accessing the systems of an intended target among their clientele. By breaking into the provider’s system, an attacker could potentially compromise any organizations which use the product or service – including larger companies, government agencies, and even critical infrastructure or essential services.

These incidents show the interdependence of companies, and the increasing need to address the security of the ICT supply chain as a whole by identifying and strengthening the weakest links. There is also a growing regulatory concern about supply chain security that is being translated into proposals ranging from reporting, or vulnerability disclosure, to restrictions or obligations on providers under various regulatory standards and frameworks.

How can companies better protect their supply chain to reduce risk and enable a more agile response?

Traditional approaches to supply chain risk management can present limitations, as they don’t increase cyber protection, are not generalized in their approach to diversifying and securing the supply chain, waste time and money, and lack cyber risk context. Importantly, small and medium-sized enterprises in the supply chains may struggle with responsible cybersecurity practices, including complying with recognized standards. Below is a selection of best practices on supply chain, some of which have been extracted from the RSAC ESAF Report “How Top CISOs are Transforming Third-Party Risk Management” based on Chief Information Security Officers (CISOs) interviews, and Telefónica’s own experience.

It is also necessary to standardise the approach to risk management, in a joint procurement and security strategy based on a principle of co-responsibility of employees and suppliers in meeting pre-established cybersecurity requirements, including on diversification. Management indicators to be periodically checked (including with audits) are needed to monitor and identify improvement points for action throughout all the supplier lifecycle, even at the termination. Key elements of such a strategy include the following:

Focus on a set of priority security requirements based on an assessment of risk, a short list instead of overloading the supplier, and ensure monitoring, oversight, and compliance.
Reduce the impact of third-party incidents via discrete actions like diversifying the supply chain, applying zero trust policies, developing incident response plans, conducting tests, and demanding early reporting of incidents by suppliers.
Actively partner with suppliers to help them improve their security programs, offering service mechanisms and trainings to protect against or respond to incidents as they occur. Third-party incidents will happen, so preparing to manage the impact on the enterprise must be a core priority.
Consider leveraging emerging technologies such as blockchain for information sharing and asset management to minimize the consequences of third-party cyber-incidents, as well as artificial intelligence and advanced analytics to scale incident detection and response capabilities.
Add incentives and enforcements to contracts, setting requirements for suppliers based on international standards (e.g. ISO 27001 Information Security, ISO 27701 Privacy, ISO 22301 Security and resilience).
Establish processes to increase business leaders’ involvement in managing third-party cyber-risks. Doing so needs to be a priority at the most senior levels.

Subscribe to us for new updates and leave your comments below.