Cyber Supply Chain Risk Management – Why security throughout the supply chain is so important

Author: Reinhold Zurfluh
Published: 12 July 2019

Industrial and service companies are networking with the upstream and downstream stages of their supply chain, and your company is probably going through the same development. This calls for a well-structured and secure supplier management system and for building a qualified, trustworthy supplier base. Throughout the supply chain, cyber risk is an omnipresent threat to any business. In this blog post, we show why cyber supply chain risk management (C-SCRM) is so important for your company and which challenges it involves.

Supplier management helps to minimize the risk of failures

In recent years, professional supply chain management has become more and more important, especially when it comes to the different aspects of information security. The larger the network of suppliers and partners, the greater the inherent cyber risks within the supply chain.

When a supplier management system is put in place, the aims to be achieved should be defined at the outset. In practice, these often include systematically maintaining supplier relationships, objective comparability, developing suppliers and integrating suppliers into the company's processes and production sequences. However, safeguarding security requirements and monitoring and minimising cyber risks should not be overlooked either.

Supply chain risk management as a factor in supplier assessment

Our networked world has an impact on the supplier network. In order to operate as efficiently as possible, activities are increasingly being outsourced, and this means that companies are dependent on products and services from third parties. Depending on the industry, this can include suppliers of mechanical parts and raw materials, software and hardware suppliers, cloud providers, Internet access providers, etc. In many cases, the list is so long and the responsibilities so dispersed that there is no single person or central office in the business that will have a complete overview or can manage these relationships sustainably and based on risk.

There are many advantages to the strategy of integrating with external suppliers, but there are also risks. If there is a security incident, delay, or outage in the supply chain, the impact on your business processes or infrastructure can be severe (according to Symantec, supply chain attacks increased by 78 percent in 2018). This can lead to considerable financial losses, damage to company reputation or even legal consequences. Risk management as part of strategic supplier management is designed to identify hazards and risks at an early stage and to define reactions and measures to be taken in the event of an emergency.

A lack of supply chain management results not only in a direct risk of supplier default but also in further challenges. Companies are increasingly called to account by regulators, investors and customers for their behaviour (or negligent inaction) towards technology providers in the digital supply chain. This is why Swiss companies are increasingly focusing on cyber supply chain risk management (C-SCRM). This is certainly a major challenge, but there are existing standards and best practices that can act as a guide for companies. For example, ISO/IEC 27036:2013, part of the ISO/IEC 27001 series, describes information security for supplier relationships. In addition, in its update of the NIST Cyber Security Framework last year (2018), NIST added the category "Supply Chain Risk Management" (ID.SC; p. 28), which underlines the importance of SCRM from the corporate security viewpoint.

Cyber SCRM as part of supply chain management

Cyber SCRM is part of supply chain management (also known as supplier lifecycle management, vendor risk management or third-party risk management). It addresses the risks that a company assumes when systems, processes, equipment and supplies of goods or services are outsourced to other companies. Typically, the following risk types are distinguished (not an exhaustive or weighted list):

  • Contractual risks
  • Compliance & legal risks
  • Finance & credit risks
  • Business continuity & supply chain risks
  • IT & cyber risks
  • Data protection risks
  • Operational risks

While companies should generally be aware of all these risks, our experience in recent years has shown that many data breaches can be attributed to third parties (experts estimate the proportion at up to 60 percent). This is why cyber security should be an important aspect of risk management in your supply chain.

Cyber SCRM is often neglected when choosing suppliers

There are numerous challenges in managing cyber security risks within the supply chain. In our experience, the major difficulties result from:

  • the large number of third parties involved;
  • the lack of resources and/or tools;
  • the challenges of systematically assessing and monitoring risks, mainly due to a lack of transparency and difficulties in identifying dependants, especially subcontractors;
  • organisational challenges in implementing cyber security requirements throughout the supply chain.

Unfortunately, these difficulties show that cyber risk management and cyber security are still secondary issues when selecting and managing a company's partners. Functional requirements, delivery terms and price are usually high on the purchasing department's list of requirements. IT security requirements, and with them a thorough review process and supplier risk assessment, are often neglected or not integrated at all. In short, most supply chain management practices today do not include cyber security aspects; instead, they focus heavily on traditional attributes.

Cyber risks within the supply chain are a fundamental concern for companies and must not be ignored. Here are just a few practical examples:

  • Unwanted functionalities within products and software
  • Insider threats from suppliers
  • Insufficient risk identification and assessment throughout the supply chain
  • Lack of internal controls and monitoring
  • Inadequate information security practices among suppliers (or their suppliers)
  • Unprotected physical access to information systems

Risk management within the supply chain is important! You can find out how to set up supply chain management with a cyber SCRM in the upcoming blog post. To make sure you don't miss out, please sign up for our blog update right now.

Cyber supply chain risk management by InfoGuard

With our long-standing experience in the cyber security field, we have the expertise you need to help you define and build your cyber supply chain risk management. We will help you understand your current risk landscape and assess your risks, define your supply chain risk management strategy and implement the required measures. In addition, our SecurityScorecard solution can provide you with valuable information. With SecurityScorecard, you can identify, manage and transparently monitor your supply chain risks. Of course, you can also use SecurityScorecard to assess the security of your own company. You can find out more about this on our webpage:

SecurityScorecard
