Auditing and monitoring suppliers

Regular media coverage of cyberattacks penetrating the biggest brands in business has increased awareness around the high level of risk that exists in supply chains. Malware that infiltrates a firm even low down in a supply chain can quickly rise to the top, as companies and governments across the world have discovered.

As the cloud continues to make it easier to switch on a business service or adopt a new partner, the risk that sits in a supply chain is growing faster than ever. Cybersecurity is one of the most dynamic areas of risk to manage, but knowing the risk level within a vendor ecosystem on an ongoing basis has always been a challenge.

With the threat landscape and a company’s distributed relationships around the world constantly evolving, achieving that continuous understanding is crucial. Yet while assurance processes have existed in organisations for many years, they still tend to be done in isolation and treated like a compliance checkbox that needs to be ticked.

“In our experience it has never really been done in a dynamic way,” says Tom Turner, president and chief executive at BitSight, a security ratings firm that enables companies to analyse the cybersecurity performance of partners within their supply chain. “When businesses work together, for any decisions to happen there has to be dialogue between the company trying to understand its risk profile and the suppliers that are perhaps posing some uncomfortable level of risk.”

When a supply chain relationship does need to be re-evaluated, clear communication is paramount, firstly concerning perceived risks and then progressing into an open discussion around the actual risks. This discussion should cover whether each risk can be mitigated, transferred or, with greater understanding of what it means, accepted.

Often performance will be a major factor in reaching a resolution. If improved performance within a certain timeframe would indicate lower risk, then the company may decide the relationship can continue uninterrupted. On other occasions, pricing alterations or more stringent protections, such as requiring the supplier or third party to take out cyber-insurance, may be the answer.

“Continuous monitoring and ongoing discussions give companies the ability to re-evaluate suppliers and third parties based on particular metrics over a period of time to see whether performance improves,” says Mr Turner. “Or it may in fact transpire after a certain time period that it’s an acceptable risk for the two organisations to share.”

Big ransomware attacks in recent years, including WannaCry and NotPetya, have affected a broad range of supply chains, as have fourth-party outages when cloud service providers go down. These have all had wide-reaching implications. In March, Facebook suffered a 14-hour outage, its largest ever, from an interruption in a linked supply chain.

In this increasingly hazardous cyber-environment, organisations that want to know their risk position at any time require the ability to monitor and measure suppliers and third parties, but also need to understand the context behind their performance.

BitSight’s security ratings platform monitors the security performance of more than 150,000 international organisations, but also encourages them to input context on why something happened, or why it may not be as risky as it seems. This enables users to make better-informed decisions.

“Companies are not alone in their desire to understand the strengths and weaknesses in their supply chain,” says Mr Turner. “They can make better risk decisions if they can see 100 other companies like them are also monitoring how a supplier is performing, and if they can track that performance over time and compare it to other suppliers.”

When vulnerabilities are disclosed, a rapid and proactive response is vital. Immediately, regulators demand to know whether their regulated companies, and the relevant consumers under their jurisdiction, are affected. At this stage, companies that have developed a continuous understanding of their supply chain are best placed.

“More likely than not, these companies will already have the information they need at their fingertips. They also don’t require lots of duplicated, manual and expensive efforts, as well as hectic running around,” says Mr Turner. “If you’re proactive, you can more rapidly get to a true understanding of what your risk is and in a much less disruptive fashion.”

For more information please visit BitSight.com.