Supply chain cybersecurity: better protection and policy alignment

According to a recent study conducted by the World Economic Forum, 39% of surveyed organizations in 2022 had been affected by a third-party cyber incident. In other words, they were “collateral damage” of a cyberattack on companies via their supply chain. Increasingly, threat actors are targeting small and medium-sized suppliers that may use less robust cybersecurity practices, with the aim of then surreptitiously accessing the systems of an intended target among their clientele. By breaking into the provider’s system, an attacker could potentially compromise any organizations which use the product or service – including larger companies, government agencies, and even critical infrastructure or essential services.

These incidents show the interdependence of companies, and the increasing need to address the security of the ICT supply chain as a whole by identifying and strengthening the weakest links. There is also growing regulatory concern about supply chain security that is being translated into proposals ranging from incident reporting or vulnerability disclosure to restrictions or obligations on providers under various regulatory standards and frameworks.

How can companies better protect their supply chain to reduce risk and enable a more agile response?

Traditional approaches to supply chain risk management can present limitations: they don’t increase cyber protection, are not generalized in their approach to diversifying and securing the supply chain, waste time and money, and lack cyber risk context. Importantly, small and medium-sized enterprises in the supply chain may struggle with responsible cybersecurity practices, including complying with recognized standards. Below is a selection of best practices on supply chain security, some of which have been extracted from the RSAC ESAF Report “How Top CISOs are Transforming Third-Party Risk Management”, based on interviews with Chief Information Security Officers (CISOs), and from Telefónica’s own experience.

It is also necessary to standardise the approach to risk management in a joint procurement and security strategy, based on a principle of co-responsibility of employees and suppliers in meeting pre-established cybersecurity requirements, including on diversification. Management indicators that are checked periodically (including through audits) are needed to monitor and identify points for improvement throughout the whole supplier lifecycle, including at termination. Key elements of such a strategy include the following:

  1. Focus on a set of priority security requirements based on an assessment of risk (a short list, rather than overloading the supplier), and ensure monitoring, oversight, and compliance.
  2. Reduce the impact of third-party incidents via discrete actions like diversifying the supply chain, applying zero trust policies, developing incident response plans, conducting tests, and demanding early reporting of incidents by suppliers.
  3. Actively partner with suppliers to help them improve their security programs, offering service mechanisms and trainings to protect against or respond to incidents as they occur. Third-party incidents will happen, so preparing to manage the impact on the enterprise must be a core priority.
  4. Consider leveraging emerging technologies such as blockchain for information sharing and asset management to minimize the consequences of third-party cyber-incidents, as well as artificial intelligence and advanced analytics to scale incident detection and response capabilities.
  5. Add incentives and enforcements to contracts, setting requirements for suppliers based on international standards (e.g. ISO 27001 Information Security, ISO 27701 Privacy, ISO 22301 Security and resilience).
  6. Establish processes to increase business leaders’ involvement in managing third-party cyber-risks. Doing so needs to be a priority at the most senior levels.

Read more at Supply chain cybersecurity: better protection and policy alignment


A Case Study on Leveraging Supply Chain Risk Management Solutions to Drive Revenue for a Leading Consumer Packaged Goods Firm

SpendEdge, a global procurement intelligence advisory firm, has announced the release of their new ‘supply chain risk management study on the consumer packaged goods industry’. A well-known consumer packaged goods company with a considerable number of manufacturing units spread across economies was facing difficulties in identifying the potential opportunities in the market. The CPG sector client wanted to leverage the use of supply chain risk management solutions to achieve a more robust supply chain network. The consumer packaged goods client was also looking at devising an effective risk treatment plan including measures to protect the supply chain.

According to the procurement analysts at SpendEdge, “The CPG industry acts as a foundation for the modern consumer economy as it drives not only huge amounts of money into other businesses like retail and advertising but also generates a massive portion of the gross domestic profits (GDP) for countries across the globe.”

In the consumer packaged goods industry, leading firms are looking at leveraging the use of supply chain risk management solutions, as it helps them integrate several previous or ongoing initiatives, including those for business continuity and supply-chain security. Our supply chain risk management solutions assist clients in the consumer packaged goods market space to align their risk management strategies with supply chain risk exposure.

The supply chain risk management solutions offered by the experts at SpendEdge helped the consumer packaged goods client to monitor the complete process, starting from risk analysis and risk evaluation through risk management and right up to residual risk control. This helped the CPG sector client to achieve productivity and avoid sales losses.

Read more at A Case Study on Leveraging Supply Chain Risk Management Solutions to Drive Revenue for a Leading Consumer Packaged Goods Firm


3 ways to strengthen security with software supply-chain automation

Federal agencies are striving to become more innovative and iterative, leading to growing adoption of open source within the government. The issuance earlier this year of the Federal Source Code Policy illustrates how this technology, once anathema to government agencies, has become the de facto standard for the creation and deployment of many applications.

With the explosive adoption of open-source components being used to assemble applications, agency personnel are now tasked with ensuring the quality of the components that are being used. Developers must have confidence in components’ security, licensing and quality attributes and know for certain that they are using the latest versions.

Unfortunately, many agencies that are adopting the RMF (Risk Management Framework) are also relying on outdated and inefficient practices and tools that are not designed for today’s open and agile world. In addition to relying on potentially vulnerable components to build applications, some agencies have continued to depend too heavily on common application security tools, such as static application security testing (SAST) and dynamic application security testing (DAST).


How to recover from supply chain disruptions

Risk mitigation is a crucial component of supply chain management. Preparing for potential disruptions is one of the most important yet challenging tasks faced by company managers, especially since there is an abundance of possible situations threatening operations at all times.

Unfortunately, damage control planning is something many companies tend to neglect. Last year, a study conducted by the supply chain management team at the University of Tennessee found that only about 50 percent of businesses have a recovery process in place to reference in the event a facility’s operations are interrupted.

Importance of response planning
Companies of all sizes are susceptible to dangerous disruptions, with global supply chains being the most vulnerable. This is why it is surprising that the report also discovered that nearly all, or 90 percent, of surveyed organizations do not take potential risks into consideration when outsourcing.

It’s understandable that managers are generally more focused on improving day-to-day operations, such as customer service, identifying cost-savings opportunities and driving revenue. However, disruptions along the supply chain have the power to severely impact financial growth and overall performance.

Between natural disasters, security breaches, safety and regulatory compliance and system failures, it is virtually impossible to anticipate what will be affected and when attacks may occur. But the best approach for supply chain teams to take is implementing strategic risk management practices that will help minimize monetary losses associated with disasters.

Read more at How to recover from supply chain disruptions


Could Your Supply Chain Be The Weakest Link In Risk Management?

Supply chains are a vital component of every organization’s global business operations and the backbone of today’s global economy. However, security chiefs everywhere are concerned about how open they are to an abundance of risk factors. A range of valuable and sensitive information is often shared with suppliers and, when that information is shared, direct control is lost. This leads to an increased risk of its confidentiality, integrity or availability being compromised.

Data Protection

Security is only as strong as its weakest link. Despite organizations’ best efforts to secure intellectual property and other sensitive information, limited progress has been made in effectively managing information risk in the supply chain. Too often, data breaches trace back to compromised vendor credentials used to access the retailer’s internal networks and supply chain. Mapping the flow of information and keeping an eye on key access points will unquestionably remain crucial to building a more resilient information.

Take a moment and think about this: Do you know if your suppliers are protecting your company’s sensitive data as diligently as you would protect it yourself? This is one obligation you can’t outsource because, in the end, it’s your liability. By looking at the structure of your supply chains, determining what information is shared and assessing the probability and impact of potential breaches, you can balance information risk management efforts across your enterprise.

Organizations need to think about the consequences of a supplier providing accidental, but harmful, access to their corporate data. Information shared in the supply chain can include intellectual property, customer-to-employee data, commercial plans or negotiations and logistics. Caution should not be confined to manufacturing or distribution partners. It should also embrace professional services suppliers, all of whom share access, often to your most valuable assets.

Read more at Could Your Supply Chain Be The Weakest Link In Risk Management?


Risk Management: A Look Back at 2013 and Ahead to 2014

According to Yo Delmar, vice president of MetricStream, 2013 has been witness to extraordinary change. We are living and doing business in an increasingly global, mobile, social and Big Data world, fraught with new risks and complex regulations. As such, individuals and organizations are struggling to keep pace.

In response to greater uncertainty, complexity and volatility throughout 2013, we’ve seen increased convergence and alignment amongst internal teams, including IT, security and the business. As a result, organizations are better poised to provide the context for communicating risks. We’ve also seen the business ecosystem evolve to include geographically diverse vendors and third parties, and as a result, organizations must continue to view these entities as part of the organization itself, and manage them in a tighter and more integrated way.

Growing convergence among IT, security and the business: The landscape of risk and compliance continues to evolve, as organizations are asked to manage their IT risk and compliance activities far beyond that of basic audit and compliance requirements of the past. As new technologies bring their own set of unique risks, there is a growing disconnect among internal audit, security, compliance and the business on what it means to build, manage and lead a truly safe, secure and successful business.

As a result, we are seeing more focused efforts when it comes to getting these groups on the same page by building a common risk language, as well as a discussion framework to enable cross-functional collaboration. Doing so can set the context for communicating risks in a way that drives more effective governance and decision-making across the board of directors, executive management team and each respective business function.
