When companies think about security, it is usually about securing their networks, software and digital assets against cyber-attacks and/or data breaches. But, in supply chain – whether it is a vendor used for facilities management or for cloud hosting – almost every organisation depends on a growing supply chain of services, creating an eco-system of dependency. As this eco-system grows to include fourth- and fifth-parties, it becomes more vulnerable to security risks. Recent major cyber-attacks were as a result of third-parties being compromised.
In this month’s SmartProcurement, Venisha Nayagar, Director at Crypt IT Information Risk Management, takes a look at supply chain data risks.
Practically every company has a place in the supply chain, and supply chains are evolving to be as much about the flow of information as they are about the flow of goods and services. It thus comes as no surprise that supply chain security is a complex, evolving function, one that business executives are giving more attention to. The risks surrounding information throughout a supply chain are becoming increasingly obvious and the risk profile of any organisation expands with a growing number of suppliers.
Key supply chain cyber risks
Some of the concerns include risks from:
• Third-party service providers/vendors: from facilities services to software engineering, with physical or virtual access to information systems, software code or intellectual property (IP).
• Software security vulnerabilities in supply chain management/supplier systems.
• Counterfeit hardware or hardware embedded with malware.
• Poor information security practices by lower-tier suppliers.
• Compromised software or hardware purchased from suppliers.
• Third-party data storage or data aggregators.
There are some steps that companies can take to secure their supply chains against cyber-attacks and third-party risk:
• Define a reasonable level of security and associated controls, and require sub-contractors, vendors and critical supply chain partners to meet or exceed those controls. This must be stipulated as terms and conditions in established business agreements.
• Enhance third-party risk management to include information security considerations.
• Classify suppliers according to risk profiles and exposure probability so that adequate controls can be applied and measured, including recording residual and emerging supply chain risks.
• Define regulatory compliance requirements. Are there regulatory requirements that need to be met and maintained by both parties? Companies should ensure that regulatory compliance requirements are met by suppliers and understand the risks introduced if there are exposures.
• Conduct vendor risk assessments. To mitigate a company’s vendor-related risks, organisations should conduct a thorough, annual vendor risk assessment and perform the necessary due diligence on third-party relationships from the onset of onboarding. Due diligence can identify what a vendor might require in terms of controls and monitoring, and provides a view of acceptable risk appetite.
• Define data ownership/stewardship requirements. Who maintains ownership of data being shared and what is deemed acceptable use of that data?
• If there is a large dependency between outsourced vendors, it is critical to maintain incident response plans. Both parties need to have a plan to notify the other as soon as possible if their network, systems or data have been compromised or a compromise is suspected.
• Enhance contracts to have the client ‘right to audit’ and continued assurance. Requiring SSAE 16 SOC reports, ISO 27001 certifications, or any other form of security assurance, should be provided on a regular basis.
• Monitor vendor access to networks and data. Add clauses to that effect to policies and contracts.
• Monitor and log vendor access, and review these logs on a regular basis.
• Train employees on the cyber risks specific to your supply chain environment. Request third-parties to provide employee information-security training-assurance to clients.
Supply chain security is every company’s responsibility. The supply chain as a whole is only truly secure when all entities throughout the supply chain perform effective, co-ordinated security measures to ensure the integrity of supply chain data, the safety of goods and the security of the global economy.
You can email Venisha Nayagar at venisha@cryptit.co.za.
