The marketplace is becoming increasingly complex. Digitalisation, internationalisation and competitive pressure mean that companies are more and more dependent on third parties. In many ways, cooperation makes sense, but it can come at the expense of cyber security – the keyword here is supply chain risks (or third-party risks). In this blog article, we explain what these risks are and what effective supply chain risk management is all about.
Your cyber and IT security can be as good as you like, but if your suppliers, distributors and service providers are inadequately protected, they will also pose a risk to your company. Increased networking that includes the sharing of sensitive data is one of the main problems. However, shared IT interfaces and phishing e-mails sent by supposedly reliable third parties are also part of the supply chain risks. It can be even more sophisticated: the cyberattack may not target the third party at all, with the third party merely serving as a «middleman» for an attack on your company.
Third-party cyber risks are more multifaceted than most people think. First, as explained earlier, hackers may see third parties merely as a means to an end to get into your systems. In the worst case, the hackers will paralyse those systems, which can lead to business disruption or a complete shutdown. Secondly, your data, which are your crown jewels, can also be stolen, for example when customers put them at risk as well. Thirdly, there may be consequences for you because your third parties fail to comply and cooperate. And fourthly, in the event of a successful attack, there are, of course, significant risks to your reputation. As a result, customers and other third parties will think twice before they (continue to) work with you.
The General Data Protection Regulation (GDPR) 2019 put data protection at the top of the agenda for many companies, which is definitely a step in the right direction. Even people who do not fall under these provisions will have to act this year, because the revised Swiss Data Protection Act (DPA) is on its way. That said, it should not be assumed that the risks will disappear as a result. On the one hand, companies still have a great deal of autonomy, including with respect to control; on the other, hackers are always one step ahead, so they usually find a loophole for an attack. Finally, the GDPR and the DPA are not perfect and there is a long road to revision and implementation – too long to be able to keep up with the attackers.
For many companies, the problem is a lack of transparency, visibility and control. For one thing, companies often cannot see how third parties are handling sensitive data and their own systems. For another, you rarely know what cyber security measures they are taking, so don't just take their word for it. Your third parties are also dealing with other outside parties, which complicates matters further. Even seemingly innocuous things can be problematic and lead to a loss of control, for example if a partner has access to your network via a partner portal or another interface. This makes supply chain risk management indispensable.
As you can see, there are cyber risks lurking everywhere, even if they are often not apparent. You should never leave supply chain risk management to chance. Our experts can help you, either in the area of risk management and compliance or in active protection, as well as detecting and rapidly responding to cyber risks.
Want to learn more about supply chain risk management? Below we have linked various previous blog posts on this topic. Or even better: Subscribe to our weekly blog updates right now so you don't miss another blog post!