Cyber vulnerabilities: is supply chain your weakest link?

By Fred Kneip, CEO, CyberGRX
Growing digital transformation of industry has attracted an unwelcome rise in cybercrime, exposing damaging weaknesses along the supply chain...

The global economy is beginning its recovery from the COVID-19 pandemic, but many of the trends that were set in motion by the ‘great reset’ of 2020 will not be going away: the ‘new normal’ is here to stay. Remote working has become commonplace, many services that went online during the pandemic will remain there, and the digital transformation of companies and even entire industries will continue to accelerate.  

An unwelcome – though inevitable – consequence of these trends has been a corresponding rise in cybercrime. Some commentators have even talked about a ‘cyber pandemic’ fuelled by rises in ransomware, data breaches and cloud-based security issues as criminals take advantage of the fast-moving situation. 

According to a recent study commissioned by CyberGRX, not only is this digital transformation increasing cyber risk, but it is also increasing reliance on third parties in order to compete in the digital economy. This means relying on third-party cloud and IoT providers, plus sharing data with suppliers providing such things as point-of-sale systems, HR systems and payrolls. 

Taken together, the increased reliance on third parties, the increased sharing of data and network access, and the new vulnerabilities created by remote working have created a perfect ‘risk storm’ for opportunistic cyber criminals.

And it means that even the most robust security programmes can be undermined by less secure third-party vendors and supply chain partners.

The recent hack at US software firm SolarWinds is an example of how damaging this risk exposure can be. A single piece of malware successfully planted inside SolarWinds’ Orion network management software was able to infect as many as 18,000 organisations and government agencies. Reports suggest that about 30 per cent of the companies affected didn’t even have a direct relationship with SolarWinds – they were just connected to a company that was.

The breach exploited a vulnerability that was then leveraged to gather intelligence, mine data, and sow animosity and resentment between organisations. The interconnectedness of the digital supply chains involved meant it became – according to Microsoft – "the largest and most sophisticated attack the world has ever seen."


How big is the security threat from a supply chain vendor?

Our study found that more than half of all data breaches are linked to a third-party supplier further down the supply chain. 

Moreover, based on the data collected from the third parties our customers have loaded into the CyberGRX Exchange, 20 per cent of an enterprise’s third-party portfolio on average exhibits a high inherent risk profile. ‘Inherent risk’ is the risk that exists absent of any security controls – and determining it is critical to helping organisations understand where to focus their risk assessment efforts. 

Considering that the typical enterprise has an average of 5,800 third parties, that 20 per cent figure represents a huge amount of risk that requires – at a minimum – some level of due diligence. 

The first step in developing an effective third-party risk management programme is therefore to identify who the third parties are and to understand their inherent risk. Once it is understood who poses the most inherent risk, a company can move forward with due diligence and assessment to determine whether each third party has the proper security controls in place to mitigate that risk.

Of course, in an ideal world, a company should understand that risk before onboarding a third party. Better risk assessments will make it easier to write and mark up contracts with vendors and partners – and increase confidence in the supply chain.

However, the tools and processes that many organisations rely on to manage third-party cyber risk today are inefficient and error prone. The next 10 years will therefore bring about a sea change in how companies across the economy address this critical category of risk. New approaches such as cyber risk exchanges and advanced analytics will allow organisations to closely monitor and manage the cyber risk of even thousands of individual providers.

And these new solutions are coming at an important time, as senior executives and board members demand to be kept abreast of third-party cyber risk management efforts, the organisation’s risk posture and the impact of third-party cyber risk on strategic planning.
