Protecting Your Supply Chain: Key Actions for Mitigating Security Threats
Doug Bower & Jamey Cummings | September 14, 2022
The movement of raw materials and physical goods from Point A to Point B still faces regular disruption, even more than two years removed from the start of COVID. S&P Global suggests the slow recovery is a product of uncorrected shocks to crucial economic systems, as well as geopolitical conflicts and growing pains in the transition to renewable energy. In time, these sore spots can heal, but one deep-rooted danger to supply chain stability is not going away: cybersecurity threats.
Nowadays, executives must be laser-focused on the disproportionate possibility of damage from vulnerable code, software, and systems – whether it’s their own or those of third-party vendors. As many recall, the devastating SolarWinds breach made headlines and had the misfortune of becoming the poster child for what a potential cybersecurity catastrophe could look like. Hackers successfully inserted their own lines of code into the company’s popular network management system, which was a third-party software program, just before a routine software update was scheduled. This unprecedented tactic allowed hackers to then use it as a vehicle for a massive cyberattack against America, compromising as many as 18,000 organizations, all without any fault of the companies themselves.
In an era of rebounding logistics or even just-in-time manufacturing, this is a massive concern and one that plays out over and over again. A BlueVoyant survey found as many as 97% of companies have been impacted by a cybersecurity incident that started within their supply chain. Fortunately, the C-Suite and Board of Directors can lower organizational risk by readjusting their mindset and big-picture strategy with a few critical actions.
Never Assume Vendors Are Secure
The cybersecurity practices of your supply chain partners should never be left to faith. Even if your organization has a robust cybersecurity governance framework, you inherit the vulnerabilities and weaknesses of your vendors. Even companies that act as smaller links in the supply chain are major targets; they may not be enticing on their own, but they offer a means to an end, opening a door to compromise enterprises with greater financial weight or brand recognition.
The highly publicized Target point-of-sale (POS) terminal breach is an example of how poor security hygiene and controls can escalate. Credentials stolen from one of Target’s HVAC service providers allowed hackers to leapfrog from the system controlling energy consumption and refrigerator monitoring into one that housed their POS systems. A perfect storm of cybersecurity blind spots and lax vendor controls resulted in a public fiasco with an $18.5 million multistate settlement and an erosion of trust in the retail giant.
The lesson for any executive—whether you are in manufacturing, CPG, or anything in between—is to agree upon governance standards, as well as a system for exchanging tangible and actionable security information with suppliers. Though this strategy might feel self-evident, PwC finds over 21% of organizations are without due diligence or monitoring programs for their suppliers and only 54% are confident in the effectiveness of their vendor monitoring programs.
Once CISOs gain transparency into suppliers’ cybersecurity processes, updates, and response strategies, that information should be included in the annual and periodic reviews presented to the rest of the C-Suite and Board of Directors. Clarity about cyber threats and practices is the first step to avoiding massive slowdowns.
Hold Firm with Your Audits
Auditing vendors’ security is another crucial step, though it’s often treated as the apex of the action. If you audit without action, you’re only creating a false sense of security across your enterprise, little more than “security theater.” Reviewing the software bill of materials (SBOM) is great, but only if you respond to any deficiencies or shortcomings.
In several high-profile vendor-based breaches, there have been warning signals that suppliers may fall prey to hackers, as they failed Service Organization Control 2 (SOC 2) or other third-party security assessments. Yet, when the vulnerabilities were revealed, these companies declined to terminate the contract and suffered the consequences.
What’s the reasoning behind this? Often, enterprises feel safeguarded by protection language within their contracts and take solace in the idea that they’ll receive fair compensation in the wake of a breach. However, when the worst happens, they are one of many seeking financial recompense from their vendors and might receive a minuscule amount of money at best. The harm to your company’s brand and reputation can be far more damaging and irreversible.
In fact, reputational damage is one of the biggest concerns, yet one of the hardest to track. A Kaspersky report suggests 40% of all financial losses in the wake of a cybersecurity incident stem from a blow to the company’s reputation, ranging from decreased credit ratings and increased insurance premiums to heightened PR costs and lost business. A holistic understanding of the price of cyber negligence can save enterprises in the long run.
Both the CISO and the rest of the executive team need to have a consensus about next steps when suppliers are unconcerned or unprepared to tackle the risk landscape. Even if third-party vendors operate an otherwise tight ship, it’s important for leadership to recognize that a failure in cybersecurity is a failure in logistics in the long term.
Pool Resources and Insights with Your Supply Chain
Often, manufacturers and logistics companies think of their practices as trade secrets, which is a healthy attitude for everything except their cybersecurity tactics. Rather than keeping protocols and controls to themselves, companies have an opportunity to share knowledge and tactics in a way that raises the level of protection industry-wide.
Any tactic you can share with your partners in the industry will reduce the ability of hackers to start a domino effect of breaches that can eventually reach your organization. Suppliers might very well lack funding or resources to verify on their own. So, making an investment in shaping your suppliers’ privacy and security controls is an investment in your organization.
Before you reach out to suppliers, verify data and information sharing protocols with the rest of the C-Suite. The CISO usually sets the tone for these types of conversations, but other executives or even members of the Board might be reluctant to give up information that feels proprietary. The sooner you can break down those barriers, the faster you expand the efficacy of your combined cybersecurity efforts with third-party vendors.
Additionally, there’s an opportunity for other connected members of your executive team to start conversations with their counterparts across peer organizations and suppliers about establishing standardized certifications that can make it easier to gauge security posture and collaborate to elevate the shared response.
Mitigating Cyber Threats to Your Supply Chain
Cybersecurity strength across your vendors needs to be a top priority. One weak point in the chain can result in a rippling effect of problems. PwC research finds that enterprises “underestimate the number [of third-party suppliers] they interact with by a factor of three to five.” That means the C-Suite needs to take an active interest in maneuvering the third-party risk landscape. When they do, they’ll be better equipped to bounce back from the pandemic—and stronger than before.